'Collection #1' Data Breach: Nearly 773 Million Email Addresses Exposed Online

A massive data breach containing almost 773 million email addresses and more than 21 million paswords has been dumped online.

Security researcher Troy Hunt discovered the breach after the data appeared briefly on the cloud service MEGA and then remained on what Hunt has called "a popular hacking forum" in a folder labeled Collection #1. The 87GB breach contains 772,904,991 unique email addresses and 21,222,975 unique passwords.

Hunt, who runs a breach-notification service called Have I Been Pwned, wrote that the file is a collection of "many individual data breaches from literally thousands of different sources," as opposed to one large hack of a single service. Based on his analysis, the majority of the email addresses have been shared in previous breaches, but Hunt's database had not seen 140 million of them before. As for the passwords, about half of them appeared to be new to the database, Hunt wrote.

"My hope is that for many, this will be the prompt they need to make an important change to their online security posture," Hunt wrote.

Security reporter Brian Krebs quickly emphasized in an online analysis that the stolen data is largely two to three years old and not the largest data breach ever found, as some news outlets have claimed.

Krebs was able to locate a seller, who goes by the username "Sanixer," offering access to Collection #1 for $45. Sanixer told Krebs that "Collection #1 consists of data pulled from a huge number of hacked sites and was not exactly his 'freshest' offering." His other password packages...total more than 4 terabytes in size [and] are less than a year old."

Krebs and Hunt both said the reason so many accounts are compromised is because of users reusing the same password across multiple accounts, meaning that if one account can be hacked, so can others.

The draw for individuals who would purchase the information, Hunt said, often lies in credential stuffing —"the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts."

"The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because its subsequently been breached and you've been using that same password all over the place, you've got a serious problem," Hunt wrote.

Both reports recommend that users obtain a password manager and use lengthy passphrases or randomly generated codes that are different for every account. Users should also check to see if their email addresses have been compromised and, if so, immediately change the password.