Researchers Find 87GB Trove of Breached Log-Ins


A leading security researcher has warned of a major trove of breached data being shared on hacking sites, containing over 772 million unique email addresses and more than 21 million unique passwords.

Troy Hunt, owner of the Have I Been Pwned (HIBP) breached credentials site, explained that he was alerted to the collection of 12,000 files hosted on the MEGA cloud service last week.

Although the 87GB dump was subsequently removed, he was also notified of it being shared on a hacking forum under the moniker “Collection #1.”

The total collection amounted to nearly 2.7 billion rows of credentials stolen from thousands of sources in multiple breaches, said Hunt.

After cleaning up the data, he reduced this figure to 772.9 million emails — the largest ever to be loaded into HIBP — and 21.2 million dehashed passwords.

“Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all,” Hunt explained.

“However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They're also ones that were stored as cryptographic hashes in the source data breaches … but have been cracked and converted back to plain text.”

Hunt encouraged users to check whether their email addresses and passwords are affected by visiting HIBP. The two have to be searched separately, however: the site deliberately does not store an email address paired with its password, so addresses are checked through the main search and passwords through the separate Pwned Passwords service.
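The separation matters because a password check should not hand the full password, or even its full hash, to a third party. Pwned Passwords works around this with a range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to api.pwnedpasswords.com/range/, receives every suffix in that range with a breach count, and finishes the comparison locally. The example below, written for this article and not code from Troy Hunt or HIBP, implements that client logic; the breach counts in SAMPLE_BREACHED and the offline stand-in for the API response are constructed for the demo, while the request format, the `SUFFIX:COUNT` response lines and the `Add-Padding` header are the real service's documented behaviour.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> Tuple[str, str]:
    """Split the 40-char digest into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    return hex_digest[:5], hex_digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per entry.

    Padding entries (count 0, emitted when Add-Padding is requested) are dropped
    so they can never be mistaken for a real match.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).

    Only the 5-char prefix ever reaches fetch_range; the suffix comparison is local.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Live lookup against the real API. Not used by demo(), which runs offline."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_offline_range(breached: Dict[str, int]) -> Callable[[str], str]:
    """Build a stand-in for the API from a constructed password -> count table.

    The stand-in answers in the same shape as the real service, including one
    synthetic padding line, so pwned_count() cannot tell the difference.
    """
    by_prefix: Dict[str, list] = {}
    for pw, n in breached.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{n}")

    def fetch(prefix: str) -> str:
        lines = list(by_prefix.get(prefix, []))
        lines.append("0" * 35 + ":0")  # synthetic padding entry, as Add-Padding would produce
        return "\r\n".join(lines)

    return fetch


# Constructed sample data: the counts are invented for this example, not real HIBP figures.
SAMPLE_BREACHED = {"password": 3730471, "letmein": 235}


def demo() -> Dict[str, int]:
    """Check two known-breached sample passwords and one unseen random one, fully offline."""
    fetch = make_offline_range(SAMPLE_BREACHED)
    candidates = ["password", "letmein", "xK9#vQ2!mT7pL4wZ"]
    return {pw: pwned_count(pw, fetch) for pw in candidates}


if __name__ == "__main__":
    for pw, n in demo().items():
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

To run the same check against the live service, pass `fetch_range_http` instead of the offline stub; because the padding lines are filtered by count, the caller's logic does not change. The same prefix/suffix split is what keeps a bulk check of the kind Hunt describes from becoming a second leak of the very passwords being checked.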

The data is likely to be fed into credential stuffing tools, which automatically replay stolen email and password pairs against many other sites to find accounts where the same password has been reused.

Hunt recommended that users adopt a password manager to generate and store a long, strong and unique password for every site, so that a credential leaked from one service cannot be replayed against another.

“A password manager is also a rare exception to the rule that adding security means making your life harder,” he said.
