Data Breach Collection with 773 Million Email Entries Leaked Online

Filed under Security Alerts.

A giant 87 gigabyte archive consisting of 773 million unique email addresses and their associated cracked, or dehashed, passwords has been spotted being promoted on an online hacking forum. This file is being called “Collection #1” and was designed to easily be used in credential stuffing attacks.

Credential stuffing is when attackers take lists of email addresses and their associated cracked/dehashed passwords and use them to try to log in to different sites. If there is a matching account using the same credentials, the attackers will then gain access to your data and potentially financial assets.
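Seen from the defender's side, this pattern is visible in login logs: one source tries many different accounts a few times each and mostly fails. The following is an added example, not part of the original article, that flags such sources and lists the accounts where a login succeeded; the log format, thresholds and function name are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample log (assumed format): "timestamp source_ip account result"
SAMPLE_LOG = """\
2019-01-17T10:00:01 203.0.113.7 alice@example.com FAIL
2019-01-17T10:00:02 203.0.113.7 bob@example.com FAIL
2019-01-17T10:00:03 203.0.113.7 carol@example.com OK
2019-01-17T10:00:04 203.0.113.7 dave@example.com FAIL
2019-01-17T10:00:05 203.0.113.7 erin@example.com FAIL
2019-01-17T10:00:06 203.0.113.7 frank@example.com FAIL
2019-01-17T10:01:00 198.51.100.20 bob@example.com FAIL
2019-01-17T10:01:01 198.51.100.20 bob@example.com FAIL
2019-01-17T10:01:02 198.51.100.20 bob@example.com FAIL
2019-01-17T10:02:00 192.0.2.55 grace@example.com FAIL
2019-01-17T10:02:09 192.0.2.55 grace@example.com OK
"""

def find_stuffing_sources(lines, min_accounts=5, max_tries_per_account=2,
                          min_fail_ratio=0.8):
    """Return {ip: summary} for sources whose logins look like credential stuffing.

    Hypothetical helper; the thresholds are illustrative, not recommendations.
    """
    per_ip = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # ip -> account -> [tries, fails]
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, ip, account, result = parts
        stats = per_ip[ip][account.lower()]
        stats[0] += 1
        if result != "OK":
            stats[1] += 1
    flagged = {}
    for ip, accounts in per_ip.items():
        tries = sum(t for t, _ in accounts.values())
        fails = sum(f for _, f in accounts.values())
        most_tries = max(t for t, _ in accounts.values())
        # Stuffing: many distinct accounts, few tries per account, mostly failing.
        # Guessing against a single account never reaches min_accounts.
        if (len(accounts) >= min_accounts and most_tries <= max_tries_per_account
                and fails / tries >= min_fail_ratio):
            # A success from a flagged source points to a reused, exposed password.
            hits = sorted(a for a, (t, f) in accounts.items() if f < t)
            flagged[ip] = {"accounts": len(accounts), "failures": fails,
                           "compromised": hits}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG.splitlines()))
```

Accounts listed under `compromised` are the ones to lock and force a password reset on, since the login succeeded with credentials that came from the list.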

This collection was discovered by security researcher and Have I Been Pwned creator Troy Hunt and consists of 2,800 different files containing the leaked account information from many different data breaches. While the original data from these data breaches may have had encrypted passwords, whoever compiled this collection converted them into dehashed passwords to make them easier to use in attacks.

It is important to note, though, that this is not a new data breach, but simply a compilation of older ones.

This compilation is being called “Collection #1” based on a folder name in a screenshot promoting these data breach files.

In a blog post, Hunt states that this collection contains 1,160,253,228 unique combinations of email addresses and passwords, 772,904,991 unique email addresses, and 21,222,975 unique passwords. The researcher further states that the oldest data appears to be from a breach in 2008.

After receiving the archive, Hunt loaded it into Have I Been Pwned so that subscribers would be notified of the latest breach and new users could check whether their accounts have been exposed.

For those not familiar with Have I Been Pwned, it is a site where you can submit your email address and see the data breaches in which your account was exposed. Below you can see a small snippet of the breaches that email address asd@asd.com was exposed in.

As always, it is important to create a unique password for every site where you create an account. As remembering unique passwords for every site can be difficult, it is also suggested that you use a password manager to help organize your passwords.

Using unique passwords causes data breaches to only affect the particular credentials for that site, rather than many sites that would have been affected if you used the same password everywhere.

 

The information is gathered from Bleeping Computer.