A humongous data breach has been discovered in which 777,904,991 unique email addresses and more than 21 million unique passwords have been exposed.
The breach was reported by security researcher Troy Hunt, who runs the Have I Been Pwned website. Although it is unclear where exactly the data was stolen from, Hunt said it has been published on a “popular hacking forum”.
The stolen data, referred to by Hunt as Collection #1, appears to be the tip of the iceberg, though, as the figures take into account Hunt’s efforts to discount unusable information and duplicates. In total, the raw data set consists of 2.7 billion rows of email addresses and passwords.
Hunt said the data initially appeared in a folder titled Collection #1 on the cloud storage and file hosting service MEGA, before it was posted on the hacker forum. The folder consisted of more than 12,000 files totalling 87GB.
Hunt believes the data has been collected from more than 2,000 breached databases containing passwords whose protective hashing has been cracked.
He told Wired magazine: “It just looks like a completely random collection of sites purely to maximise the number of credentials available to hackers. There’s no obvious patterns – just maximum exposure.”
Collection #1 is thought to be designed to be used in automated credential-stuffing attacks, in which criminals use known email and password combinations at random websites to see what they can gain access to. People who use the same login details on multiple websites are vulnerable to such attacks.
To check if your email address and/or password have been exposed in Collection #1, visit the Have I Been Pwned website.