The vast dossier of stolen login details appears to have been gathered from data stolen in many breaches
Nearly 773 million unique email addresses and more than 21.2 million unique, plain-text passwords were there for the taking recently in a massive data dump that’s been dubbed Collection #1.
The news comes from security researcher Troy Hunt, who runs the Have I Been Pwned (HIBP) site that enables people to check and also receive alerts if any of their online accounts may have been the victim of a known breach.
The stash of data was posted on file-sharing service MEGA and later also on an “unnamed popular hacking forum”, said Hunt. It comprises more than 12,000 files that weigh in at 87 gigabytes in total.
“Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources,” wrote Hunt. This figure refers to raw data, before cleanup removed duplicate and junk bits.
Also as part of the cleanup, 1,160,253,228 unique combinations of email addresses and passwords were ‘distilled’ into 772,904,991 unique email addresses; along with 21,222,975 unique passwords available in plain text. As a result, this tally doesn’t include passwords that were found still in their hashed form.
Importantly, anyone who got their hands on the cache can easily test the plain-text passwords against actual accounts. Approximately 140 million email accounts and some 10.6 million passwords were not known from past breaches.
New breach: The “Collection #1” credential stuffing list began broadly circulating last week and contains 772,904,991 unique email addresses with plain text passwords (now in Pwned Passwords). 82% of addresses were already in @haveibeenpwned. Read more: https://t.co/BAa3rbgZo4
— Have I Been Pwned (@haveibeenpwned) January 16, 2019
In addition, Hunt said that he recognized many actual breaches in the directory list, but noted that “it’s entirely possible that some of them refer to services that haven’t actually been involved in a data breach at all.”
Either way, he added that his own older logins showed up in the cache, too, and that this old email/password combination was indeed accurate.
“In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see,” he wrote.
Now that Hunt has loaded data from Collection #1 into HIBP, you are very well-advised to see for yourself if any of your email accounts, or an online account associated with your email(s), may have been part of a known breach (passwords can be checked here). If so, consider changing your password and making sure you don’t reuse it elsewhere, which is where a reliable password manager can also help.
Also, you should also consider using two-factor authentication (2FA) wherever possible, as that’s a very simple measure to help fend off account-takeover attempts. Frankly, you should be using it already.