More than 770m unique combinations of email addresses and passwords have been exposed in what is believed to be the largest data breach in history, according to new research.
The 87GB data dump was discovered by security researcher Troy Hunt, who runs the ‘Have I Been Pwned’ (HIBP) breach-notification service.
Hunt, who found the files on the cloud storage service MEGA and named the set ‘Collection #1’, said that much of it consisted of data from previous breaches, such as the Myspace (2008) and LinkedIn (2016) data breaches.
Largest data breach in history
The original data dump contained 2.6bn email addresses and passwords from “many different sources.” However, after clearing out some of the files stored in the database, Hunt reduced it to a total of 772,904,991 unique email addresses.
“This number makes it the single largest breach ever to be loaded into HIBP”, wrote Hunt, adding that the hacker treasure trove also contained “21,222,975 unique passwords”.
“As with the email addresses, this was after implementing a bunch of rules to do as much clean-up as I could including stripping out passwords that were still in hashed form, ignoring strings that contained control characters and those that were obviously fragments of SQL statements,” wrote Hunt.
“Regardless of best efforts, the end result is not perfect nor does it need to be,” he added. “It’ll be 99.x% perfect though and that x% has very little bearing on the practical use of this data”.
According to Hunt, last week “multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA.”
The data stored in ‘Collection #1’ has since been taken down, but not before it was posted to a hacking forum.
In his advisory, Hunt wrote that the collection totalled over 12,000 separate ???? and more than 87GB of data.
Hunt said that his own email address and passwords he had used years ago were also exposed.
Hunt advised people to use his site to check whether their data was exposed and to change their email passwords, using a password manager.
Security experts also advised people to use password managers, such as 1Password or LastPass, to store unique passwords for every service they use.
“It is quite a feat not to have had an email address or other personal information breached over the past decade,” said Jake Moore, a cybersecurity expert at ESET UK.
“If you’re one of those people who think it won’t happen to you, then it probably already has. Password-managing applications are now widely accepted and they are much easier to integrate into other platforms than before.
“Plus, they help you generate a completely random password for all of your different sites and apps. And, if you’re questioning the security of a password manager, they are incredibly safer to use than reusing the same three passwords for all your sites.”
Hunt said the primary use for such a dataset is ‘credential stuffing’ attacks, in which attackers take a list of email addresses and passwords and try them against a variety of other sites to gain access. “People take lists like these that contain our email addresses and passwords then they attempt to see where else they work,” he said.
“The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago that you’ve long since forgotten about, but because it’s subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.”
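Hunt's advice to check your credentials against his site, and the password-reuse risk he describes above, come together in the Pwned Passwords lookup that HIBP offers. The following is an added example, not code from the article or from HIBP: it implements the k-anonymity range lookup client-side, so that only the first five characters of a password's SHA-1 hash would ever leave the machine. The range response body and its counts are constructed for this example; the real service at https://api.pwnedpasswords.com/range/<prefix> returns lines in the same format, and the `offline_fetch` stand-in replaces the HTTP request.

```python
import hashlib
from typing import Callable

# Constructed "range" response in the format the Pwned Passwords API returns:
# one "<35-hex-char suffix>:<count>" line per known hash sharing the requested
# 5-character SHA-1 prefix. The first and third suffixes and all three counts
# are made up; the middle line is the real SHA-1 of "password"
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) split after its first 5 chars.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form the Pwned Passwords set is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_for_k_anonymity(password: str) -> tuple:
    """Return (prefix, suffix). Only the 5-char prefix is sent to the service,
    so the server learns neither the password nor its full hash."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Map each returned suffix to how many times it was seen in breach data."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Look a password up via the range protocol; 0 means its suffix was not in
    the returned bucket, i.e. the password is not in the corpus."""
    prefix, suffix = split_for_k_anonymity(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET (hypothetical): serves the constructed body for
    the bucket containing "password" and an empty bucket for any other prefix."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

To query the live service, replace `offline_fetch` with a function that GETs the range URL for the prefix and returns the response text; the matching is unchanged.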