Massive Data Breach May Have Compromised 773 Million Email Accounts

Briton jailed for large-scale Liberian cyber attack
AFP/Kirill KUDRYAVTSEV

Cybersecurity researcher Troy Hunt on Thursday announced the discovery of a gigantic trove of pilfered usernames and addresses for email accounts from a variety of services, quite possibly representing the largest breach of account information in history.

Hunt’s analysis found almost 773 million email addresses and 22 million unique passwords were represented in the collection of some 12,000 separate files, which had been uploaded to cloud storage and shared between hackers. The files have since been deleted from the MEGA cloud service.

Hunt dubbed the files “Collection #1” and said the information seems to have been collected from “many different individual data breaches from literally thousands of different sources.” Collection #1 had over two and a half billion entries at first glance, but Hunt was able to strip away a large number of duplicates and junk to determine the true size of the properly formatted login credentials contained within.

Hunt then loaded the cleaned-up database into a website he created called Have I Been Pwned (HIBP) which allows concerned users to quickly determine if their email address has been included in any known data breaches. HIBP also gives users an idea of how severe the breach was and the likelihood their secure passwords were exposed to hackers.

Checking with Have I Been Pwned is a reasonable precaution, with the caveat that it can be difficult to determine if accurate and current passwords were exposed in any given data breach. Hunt observed HIBP offers a free notification service and some 768,000 of its subscribers appear in the Collection #1 breach, including Hunt himself.

Another security resource created by Hunt is called Pwned Passwords. Here users can enter any password, without identifying themselves, and discover if the password appears in any known data breach files. In other words, HIBP will tell you if your email address has ever been referenced in a trove of stolen data, while Pwned Passwords will let you know if a password you are using has ever been compromised. As Hunt wryly suggested, Pwned Passwords is a great resource for learning just how unwise it is to use a password like “P@ssword” for any online account.

“Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again,” he remarked.

Validating the data in a trove as huge as “Collection #1” is beyond the ability of any single analyst, as Hunt pointed out. WIRED looked upon the sheer size of the looted passwords and pronounced it “pretty darn serious,” finding only a notorious pair of Yahoo breaches to be larger – but Collection #1 might be more alarming because the Yahoo data has never been sold or made public to the best knowledge of security experts.

Another disturbing detail is that 140 million of the email accounts and 10 million of the unique password included in Collection #1 appear to be new, rather than duplicated information from previously identified data breaches, and the passwords are all exposed as plain text instead of encrypted data.

“The accumulated lists seem designed for use in so-called credential-stuffing attacks, in which hackers throw email and password combinations at a given site or service. These are typically automated processes that prey especially on people who reuse passwords across the whole wide internet,” WIRED explained.

Conversely, Motherboard judged Collection #1 to be considerably less dangerous than the most alarming headlines, since some of the information is duplicated from older breaches, and many of the email accounts listed in the massive hacker database were not accompanied by passwords.

Various computer and security websites included some good advice for users along with their reports on the Collection #1 breach, such as refraining from using the same password across multiple websites, enabling two-factor authentication for online accounts (an optional feature available for many accounts that adds a second typed or electronic passcode), and using a password manager application.

.