Collection 1 Data Breach Exposes 773 Million Email Addresses

One of the biggest data breaches ever found involves 773 million email addresses and passwords, which were posted to a popular hacking forum in mid-December.

The 87GB data dump was discovered by security researcher Troy Hunt, who set up ‘Have I Been Pwned’ (HIBP) as a simple location for people to check if their personal data had been compromised by any data breaches.

Hunt dubbed the data breach discovery ‘Collection #1’, and the original data dump was found to contain a staggering 2.6 billion email addresses and passwords from “thousands of different sources”. However, after cleaning up the database and getting rid of duplications, he reduced the database to 772,904,991 unique email addresses.

Data breach

“This number makes it the single largest breach ever to be loaded into HIBP,” wrote Hunt, and he also warned that the hacker treasure trove also contained 21,222,975 unique passwords.

“As with the email addresses, this was after implementing a bunch of rules to do as much clean-up as I could including stripping out passwords that were still in hashed form, ignoring strings that contained control characters and those that were obviously fragments of SQL statements,” wrote Hunt.

“Regardless of best efforts, the end result is not perfect nor does it need to be,” he added. “It’ll be 99.x% perfect though and that x% has very little bearing on the practical use of this data.”
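The kind of clean-up Hunt describes (dropping still-hashed values, strings with control characters and SQL fragments, then de-duplicating) can be sketched as follows for building a breached-password blocklist. This is an added example, not Hunt's code: the patterns, function names and sample strings are assumptions constructed for illustration.

```python
import re

# Heuristic patterns (assumptions for illustration, not HIBP's actual rules).
# Hex strings of common digest lengths: MD5, SHA-1, SHA-256, SHA-512.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}|[0-9a-fA-F]{128})$")
# Modular-crypt style prefixes: md5crypt, bcrypt, sha256/512-crypt, argon2.
CRYPT_PREFIX = re.compile(r"^\$(?:1|2[abxy]?|5|6|argon2(?:id|i|d))\$")
# Obvious leftovers of SQL statements from database dumps.
SQL_FRAGMENT = re.compile(
    r"\b(?:insert\s+into\b|select\b.+\bfrom\b|values\s*\(|drop\s+table\b|update\s+\w+\s+set\b)",
    re.IGNORECASE,
)

def classify(candidate):
    """Return 'keep', or the reason the string is discarded."""
    if not candidate:
        return "empty"
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in candidate):
        return "control_chars"
    if HEX_DIGEST.match(candidate) or CRYPT_PREFIX.match(candidate):
        return "hashed"
    if SQL_FRAGMENT.search(candidate):
        return "sql_fragment"
    return "keep"

def clean(candidates):
    """De-duplicate the kept strings and count the discards per reason."""
    unique, dropped = set(), {}
    for candidate in candidates:
        reason = classify(candidate)
        if reason == "keep":
            unique.add(candidate)
        else:
            dropped[reason] = dropped.get(reason, 0) + 1
    return unique, dropped

# Constructed sample input, not taken from any real data set.
SAMPLE = [
    "correct horse battery",
    "Summer2018!",
    "Summer2018!",                       # duplicate
    "5f4dcc3b5aa765d61d8327deb882cf99",  # 32 hex characters: looks like MD5
    "$2b$12$" + "A" * 53,                # bcrypt-shaped string
    "pass\x00word",                      # embedded NUL
    "tab\tseparated",                    # embedded tab
    "INSERT INTO users VALUES ('bob',",  # SQL fragment
]

if __name__ == "__main__":
    kept, discarded = clean(SAMPLE)
    print(sorted(kept), discarded)
```

Heuristics like these misclassify some real passwords, such as one that happens to be 32 hex characters, which is the imperfection Hunt's quote acknowledges.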

According to Hunt, last week “multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA.” The data has subsequently been taken down, but not before the data dump had been shared on hacker forums.

The collection apparently totalled over 12,000 separate files and more than 87GB of data.

Troy said that his own personal data was included in the data dump, including his right email address and a password he used many years ago.

Password managers

So now would be a good time for people to check HIBP and change their email passwords.

Indeed, Hunt advised people to also use a password manager.

This sentiment was echoed by security experts.

“There has never been a better time to change your password,” said Jake Moore, cyber security expert at ESET UK. “It is quite a feat not to have had an email address, or other personal information breached over the last decade.”

“If you’re one of those people who think it won’t happen to you, then it probably already has,” said Moore. “Password managing applications are now widely accepted, and they are much easier to integrate into other platforms than before. Plus, they help you generate a completely random password for all of your different sites and apps. And if you’re questioning the security of a password manager, well they are incredibly safer to use than reusing the same three passwords for all your sites.”

Another expert also supported the password clampdown.

“There’s a huge amount of data, and a date range potentially going back a decade,” said Chris Boyd, lead malware intelligence analyst at Malwarebytes. “With this in mind, the key thing is to ensure passwords haven’t been reused across multiple accounts.”

“This is another good argument for making use of password managers, and especially those with built-in functionality to check current passwords against lists of data breaches,” said Boyd. “If you recognise any of your passwords in the haul, you should stop using it immediately and perform a little behind the scenes maintenance as soon as possible.”

The ‘Collection #1’ breach will go down as one of the largest data breaches, but it is still some way off the Yahoo data breach in 2013 that saw the compromise of 3 billion accounts worldwide.

Tom Jowitt
