A giant 87 gigabyte archive consisting of 773 million unique email addresses and their associated cracked, or dehashed, passwords has been spotted being promoted on an online hacking forum. This file is being called “Collection #1” and was designed to easily be used in credential stuffing attacks.
Credential stuffing is when attackers take lists of email address and their associated cracked/dehashed passwords and use them to try and log into different sites. If there is a matching account using the same credentials, the attackers will then gain access to your data and potentially financial assets.
This collection was discovered by security researcher and Have I Been Pwned creator Troy Hunt and consists of 2,800 different files containing the leaked account information from many different data breaches. While the original data from these data breaches may have had encrypted passwords, whoever compiled this collection converted them into dehashed passwords to make them easier to use in attacks.
It is important to note, though, that this is not a new data breach, but simply a compilation of older ones.
This compilation is being called “Colection #1” based on a folder name in a screenshot promoted these data breach files.
In a blog post, Hunt states that this collection contains 1,160,253,228 unique combinations of email addresses and passwords, 772,904,991 unique email addresses, and 21,222,975 unique passwords. The researcher further states that the oldest data appears to be from a breach in 2008.
After receiving the archive, Hunt loaded it into Have I Been Pwned so that subscribers would be notified of the latest breach and for new users to check if their accounts have been exposed.
For those not familiar with Have I been Pwned, it is a site where you can submit your email address and see the data breaches that your account was exposed. Below you can see a small snippet of the breaches that email address email@example.com was exposed in.
As always, it is important to create a unique password at every site that you create an account. As remembering unique passwords at every site can be difficult, it is also suggested that you use a password manager to help organize your passwords.
Using unique passwords causes data breaches to only affect the particular credentials for that site, rather than many sites that would have been affected if you used the same password everywhere.