773m emails comprised in the biggest public data breach

As data breaches go, this one could be record-breaking, affecting 2bn logins

Photo: https://www.troyhunt.com/ A screenshot of the folder, containing the comprised data.

Data breaches these days started to become more and more massive and thanks to Internet security researcher Troy Hunt the world has now officially witnessed the biggest one. The newly discovered “Collection #1" undoubtedly represents the largest public data breach by volume, with 772,904,991 unique emails and 21,222,975 unique passwords exposed. Furthermore, it is reportedly made up of individual data breaches from more than 2,000 databases, instead of representing a single, easily identifiable service.

The breach was first reported by Troy Hunt, the security researcher who runs the site Have I Been Pwned (HIBP), where you can check if your email has been compromised in a data breach. In his blog, Hunt says a large file of 12,000 separate files and 87GB of data had been uploaded to MEGA, a popular cloud service. The data was then posted to a popular hacking forum and appears to be an amalgamation of over 2,000 databases. The troubling thing is the databases contain “dehashed” passwords, which means the methods used to scramble those passwords into unreadable strings has been cracked, fully exposing the passwords.

"People take lists like these that contain our email addresses and passwords then they attempt to see where else they work," Hunt said.  "The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. 

The more troubling thing however - according to most recent information from Security Reporter Brian Krebs, Collection #1 trove is just a single offering from a seller who claims to have at least six more batches of data. Including the Collection #1 data, Krebs writes, this person is selling “almost 1 Terabyte of stolen and hacked passwords.”

How that affects you? As Hunt warns, it means compromised email and password combos are more vulnerable for a practice called credential stuffing. Basically, credential stuffing is when breached username or email/password combos are used to hack into other user accounts. This could impact anyone who has used the same username and password combo across multiple sites to register.

This is nevertheless concerning as the Collection #1 breach contains almost 2.7bn combos. Plus, around 140m emails and 10m passwords from Collection #1 were new to Hunt’s HIBP database - meaning they’re not from previously reported megabreaches.

If you’d like to find if your emails and passwords are part of the Collection #1 breach, you can check at HIBP. If you find it across the HIBP database, then you should change it immediately.

Similar articles