- A collection of usernames and passwords from multiple data breaches was posted on a hacking forum.
- The data contains close to 22 million passwords and over 772 million email addresses.
- A report was published by security researcher Troy Hunt to inform users about the breach.
An 87 GB folder dubbed “Collection #1” was recently dumped on hacking forums. The folder contains over 772 million email addresses, of which 82% were already listed on security researcher Troy Hunt’s website. In addition to the email addresses, nearly 22 million passwords were also available in the folder, but fortunately, all of them are old passwords and are not active. The downloadable folder is no longer available on the forum.
The emails and passwords were collected from a number of data breaches that date all the way back to 2008. If you want to know whether your email is among them, you can search for it on Troy Hunt’s website, Have I Been Pwned, or use Mozilla’s service, Firefox Monitor, which is partnered with Hunt to provide alerts whenever a registered user is affected by a data breach or leak. The service is free and does not collect any user data.
New breach: The "Collection #1" credential stuffing list began broadly circulating last week and contains 772,904,991 unique email addresses with plain text passwords (now in Pwned Passwords). 82% of addresses were already in @haveibeenpwned. Read more: https://t.co/BAa3rbgZo4
— Have I Been Pwned (@haveibeenpwned) January 16, 2019
Hunt wrote on his blog: “Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again.”
Users who see their emails on the list should change all of their passwords immediately. Hunt said that it is much better to have passwords written down than to use the same passwords for multiple services. Password management services are available, and another option for internet users is to use hardware authentication keys. A number of online services support hardware and biometric 2FA, which are far more secure than standard SMS or email-based authentication methods.