773 Million Email Addresses and 21 Million Unique Passwords Listed for Sale

A massive collection of login credentials that includes approximately 773 million email addresses has been uncovered by security researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and maintains the Have I Been Pwned (HIBP) website, where people can check to see whether their login credentials have been stolen in a data breach.

Hunt discovered the 87GB database on a popular hacking forum. The data was spread across 2,692,818,238 rows and contained a total of 1,160,253,228 unique combinations of email addresses and passwords, organized into 12,000 files hosted in a root folder called Collection #1 on the Mega cloud service. The data has since been removed from Mega, but it is still advertised for sale on hacking forums.

Hunt deduplicated the database, which reduced the number of unique email addresses to 773 million and the files were found to contain 21 million unique passwords. The dataset has now been uploaded to the HIBP website so users can check to see if their credentials have been compromised. This is the largest collection of data that has been uploaded to the site.

The data appears to come from thousands of separate data breaches, many of which have previously been identified and uploaded to the HIBP website; however, around 140 million of the email addresses and around half of the passwords have not previously been uploaded to the HIBP website and appear to have come from unknown breaches. Hunt believes the data comes from around 2,000 separate breaches, with most of the data relating to breaches between 2008 and 2015.

HIBP has a notification service that alerts individuals if their credentials have been discovered. Around 2.2 million people have signed up for the service, and 768,000 of them are now being emailed as their credentials have been found in the new data set.

Hunt notes that the data has been collected over a long period of time and had been advertised for sale for some time prior to his discovery, so it is likely that the data is in the hands of several individuals and will be used for malicious purposes such as phishing and credential stuffing attacks.

For most individuals, the compromised password will be old, so it is likely that it will have already been changed. Individuals who rarely change their passwords should certainly do so now if their email address is present in the database.

When changing a password, consider adding 2-factor authentication to the account as an additional protection in case your credentials are compromised in another data breach in the future. It will help to ensure that your account cannot be easily accessed by unauthorized individuals.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news