The Have I Been Pwned? (HIBP) portal, a free resource which enables users to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or “pwned” in a data breach, has revealed another huge cache of breached email addresses and passwords which were discovered last week while circulating among criminals.
Called “Collection #1”, the cache of breached email addresses and their passwords is huge – it consists of 87GB of data, 12,000 files, and 1.16 billion unique combinations of email addresses and passwords.
After analyzing and cleaning up the data, Troy Hunt – the HIBP founder and web security professional – noted that 773 million of the email addresses were unique, as were 21 million of the passwords, meaning that each of them appears in unhashed form only once within the cache.
“Hunt said the data was discovered by ‘multiple people’ on the MEGA cloud service being advertised as a collection made up of 2,000 or more individual data breaches stretching back some time”, stated an article by John Dunn in Naked Security, the Sophos corporate blog.
And the data now seems to have reached many hands, considering that it was being advertised and discussed on a criminal forum, meaning that anyone who has visited the forum has had access to the data.
Again, the data exposed in the breach seems to go back a long way, probably years: Hunt himself found in Collection #1 an email address and an old password that he had used many years ago.
In conclusion, warns Hunt, “If you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.”
Hunt has published an incomplete list of the sites mentioned (although not verified) as being sources for Collection #1.
Hunt now suspects that the data was being marketed for automated credential stuffing, a practice where leaked credentials are entered on lots of other sites to see whether they have been re-used.
Observes Hunt: “You signed up to a forum many years ago you’ve long since forgotten about, but because it has subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.”
Ultimately, to ensure your passwords are secure and do not appear on the Pwned Passwords list, users are advised to use a properly secured password manager that creates and stores secure passwords.
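The Pwned Passwords list mentioned above can be queried without sending a password anywhere: the service's range API takes only the first five hex characters of the password's SHA-1 and returns every matching hash suffix with its breach count. The following is an added example, not code from HIBP or the article; the network call is replaced by a constructed offline response, and the counts in it are made up.

```python
import hashlib
from typing import Callable

# Constructed stand-in for a Pwned Passwords range response. The real endpoint is
# GET https://api.pwnedpasswords.com/range/<5-hex-prefix> and returns one
# "SUFFIX:COUNT" line per hash sharing that prefix; when the client sends
# Add-Padding: true it may also include decoy lines with a count of 0.
# Only the first suffix is genuine (the SHA-1 tail of the string "password");
# the counts and the other suffixes are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\r\n"  # padding line, not a real hit
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTPS range lookup (constructed data)."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def parse_range(body: str) -> dict:
    """Parse SUFFIX:COUNT lines into a dict, dropping zero-count padding lines."""
    hits = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            hits[suffix.upper()] = int(count)
    return hits


def pwned_count(password: str, fetch: Callable[[str], str] = fake_fetch_range) -> int:
    """Return how often the password appears in the corpus (0 if absent).

    Only the five-character hash prefix leaves the client; the suffix comparison
    happens locally, so the service never learns which password was checked.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not found'}")
```

Swapping `fake_fetch_range` for a real HTTPS GET of the same URL pattern turns this into a live check suitable for a signup form or password manager.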