One of the largest data breaches has been added to HaveIBeenPwned, affecting up to 773 million individuals.
In January 2019, a mass collection of credential stuffing lists containing combinations of email addresses and passwords was discovered being distributed on a popular hacking forum. Malicious users may utilise the email addresses and passwords to hijack user accounts. The data contained almost 2.7 billion records, including 773 million unique email addresses.
- In total, there are 1,160,253,228 unique combinations of email addresses and passwords.
- The unique email addresses totalled 772,904,991.
- There are 21,222,975 unique passwords.
The data supposedly originates from a collection of 2000+ de-hashed databases and was originally hosted on a popular cloud service named MEGA. The collection amounted to 12,000+ files, equating to more than 87GB of data! Troy Hunt named the breach “Collection #1” after the name of the root folder containing all of the data. The data has since been removed from this service.
After further analysis, Troy Hunt discovered that HaveIBeenPwned had never seen 140 million of the email addresses included in the “Collection #1” breach. Likewise, around half of the 21.2 million passwords had not been added to HaveIBeenPwned before.
If you are uncertain whether your information is included in this breach, it is recommended that you visit HaveIBeenPwned. The website lets users see whether their email addresses have been involved in a data breach, which breaches those were and how many.
In addition to this useful feature, Troy Hunt has also implemented a password search feature that tells the user how many times a password has been seen. Password reuse is normal; however, it’s extremely risky and people aren’t aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known email and password pairs.
If HaveIBeenPwned says that your password has been seen thousands of times, you should consider changing it to something more secure.