There are breaches, and there are megabreaches, and there’s Equifax. But a newly revealed trove of leaked data tops them all for sheer volume: 772,904,991 unique email addresses, over 21 million unique passwords, all recently posted to a hacking forum.
The data set was first reported by security researcher Troy Hunt, who maintains Have I Been Pwned, a way to search whether your own email or password has been compromised by a breach at any point. (Trick question: It has.) The so-called Collection #1 is the largest breach in Hunt’s menagerie, and it’s not particularly close.
If anything, the above numbers belie the real volume of the breach, as they reflect Hunt’s effort to clean up the data set to account for duplicates and to strip out unusable bits. In raw form, it comprises 2.7 billion rows of email addresses and passwords, including over a billion unique combinations of email addresses and passwords.
The trove appeared briefly on MEGA, the cloud service, and persisted on what Hunt refers to as “a popular hacking forum.” It sat in a folder called Collection #1, which contained over 12,000 files that weigh in at over 87 gigabytes. While it’s difficult to confirm exactly where all that info came from, it appears to be something of a breach of breaches; that is to say, it claims to aggregate over 2,000 leaked databases that contain passwords whose protective hashing has been cracked.
“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt tells WIRED. “There’s no obvious patterns, just maximum exposure.”
That sort of Voltron breach has happened before, but never on this scale. In fact, not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents—which affected 1 billion and 3 billion users, respectively—in size. Fortunately, the stolen Yahoo data hasn’t surfaced. Yet.
The accumulated lists seem designed for use in so-called credential-stuffing attacks, in which hackers throw email and password combinations at a given site or service. These are typically automated processes that prey especially on people who reuse passwords across the whole wide internet.
The silver lining in Collection #1 going public is that you can definitively find out if your email and password were among the impacted accounts. Hunt has already loaded them into Have I Been Pwned; just type in your email address and keep those fingers crossed. While you’re there you can also find out how many previous breaches you’ve been a victim of. Whatever password you’re using on those accounts, change it.
Have I Been Pwned also introduced a password-search feature a year and a half ago; you can just type in whatever passwords go with your most sensitive accounts to see if they’re out in the open. If they are, change them.
And while you’re at it, get a password manager. It’s well past time.
How Serious Is This?
Pretty darn serious! While it doesn’t appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone. A few elements also make it especially unnerving. First, around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they’re not just duplicates from prior megabreaches.
Then there’s the way in which those passwords are saved in Collection #1. “These are all plain text passwords. If we take a breach like Dropbox, there may have been 68 million unique email addresses in there, but the passwords were cryptographically hashes making them very difficult to use,” says Hunt. Instead, the only technical prowess someone with access to the folders needs to break into your accounts is the ability to scroll and click.
And lastly, Hunt also notes that all of these records were sitting not in some dark web backwater, but on one of the most popular cloud storage sites—until it got taken down—and then on a public hacking site. They weren’t even for sale; they were just available for anyone to take.
The usual advice for protecting yourself applies. Never reuse passwords across multiple sites; it increases your exposure by orders of magnitude. Get a password manager. Have I Been Pwned integrates directly into 1Password—automatically checking all of your passwords against its database—but you’ve got no shortage of good options. Enable app-based two-factor authentication on as many accounts as you can, so that a password isn’t your only line of defense. And if you do find your email address or one of your passwords in Have I Been Pwned, at least know that you’re in good company.