773 Million Emails Found in Hackers’ Collection #1
Cyber Security Expert’s Discovery Puts Everyone on the Digital Frontline
A cyber security researcher has discovered a hackers’ database of around 773 million email addresses. Cyber security expert Troy Hunt said that a list of more than 2.6 billion records containing around 773 million unique email addresses and more than 21 million unique passwords was being shared on a “popular hacking forum”.
Australian Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security, Troy Hunt said that the data, dubbed Collection #1, had been compiled from more than 2,000 different data breaches and hacked databases or websites.
Hunt believes that around 140 million of the email addresses have not appeared in previous breaches and therefore constitute newly exposed details. Hunt also discovered that some of his own personal information had appeared in Collection #1.
The database did not appear to contain any more sensitive information, such as personal finance information and credit card details, he said.
Hunt said that he had been contacted by several people directing him to a collection of files on the popular cloud service, MEGA (the data has now been deleted from the service). The collection contained over 12,000 separate files and more than 87GB of data. One of his contacts also revealed that a popular hacking forum was distributing the data.
Credential Stuffing Attacks
He warned the lists could be used by hackers to carry out “credential stuffing” attacks, in which hackers take lists of usernames and passwords and enter them on a range of other platforms to try to gain access to different user accounts.
“In other words, people take lists like these that contain our email addresses and passwords then they attempt to see where else they work,” he said.
“The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago that you’ve long since forgotten about, but because it’s subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.”
Have I Been Pwned?
The cyber security expert suggested that people concerned about the data breach should visit the website Have I Been Pwned, a data breach monitoring website that can tell users if any email address they use has ever been compromised in a hack, and to change any passwords linked to exposed accounts.
Hunt recommended that “If you’re re-using the same password(s) across services, go and get a password manager and start using strong, unique ones across all accounts. Also turn on 2-factor authentication wherever it’s available.”
The database and its contents – though mostly a collection of data from other incidents – could be considered one of the largest data breaches on record, more than the 500 million accounts affected by the Marriott breach confirmed in December, but still considerably less than the three billion accounts stolen from Yahoo in 2013.