773 Million Email Addresses and 21 Million Unique Passwords Listed for Sale

A huge collection of login credentials containing roughly 773 million email addresses has been uncovered by security researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and maintains the Have I Been Pwned (HIBP) website, where people can check whether their login credentials have been stolen in a data breach.

Hunt found the 87GB database on a popular hacking forum. The data was spread across 2,692,818,238 rows and contained a total of 1,160,253,228 unique combinations of email addresses and passwords, arranged into 12,000 files hosted in a root folder named Collection #1 on the Mega cloud service. The data has since been deleted from Mega, but it is still advertised for sale on hacking forums.

Hunt de-duplicated the database, which reduced the number of unique email addresses to 773 million, and the files were found to contain 21 million unique passwords. The dataset has now been uploaded to the HIBP website so users can check whether their credentials have been compromised. This is the biggest collection of information that has been uploaded to the site.

The information appears to come from thousands of separate data breaches, several of which have previously been identified and uploaded to the HIBP website; however, about 140 million of the email addresses and about half of the passwords have not previously been uploaded to the HIBP website and appear to have come from unidentified breaches. Hunt thinks the data comes from about 2,000 separate breaches, with most of the data relating to breaches between 2008 and 2015.

HIBP has a notification service that alerts people if their credentials have been exposed. About 2.2 million people have signed up for the service, and 768,000 of them are now being emailed because their credentials have been found in the new data set.

Hunt notes that the data has been gathered over a long period of time and had been advertised for sale for some time before his discovery, so it is likely that the data is in the hands of several people and will be used for malicious purposes such as phishing and credential stuffing attacks.

For most people, the compromised password will be old, so it is likely that it will already have been changed. People who seldom change their passwords should certainly do so now if their email address is present in the database.

When changing a password, consider adding two-factor authentication to the account as an additional safeguard in case your credentials are compromised in another data breach in the future. It will help to make sure that your account cannot easily be accessed by unauthorized people.