773 Million Email Addresses Exposed in "Collection #1" Data Leak

Data breaches are increasingly the norm. We have had the megabreaches of Yahoo!, Equifax and Marriott International, but in what appears to be one of the largest data leaks ever in sheer volume, a massive trove comprising 772,904,991 unique email addresses and 21,222,975 unique passwords was posted to a popular hacking forum.


The data, dubbed "Collection #1" and originally hosted on the cloud storage service MEGA (since removed) as more than 12,000 separate files totalling 87GB, is made up of email addresses and passwords aggregated from thousands of individual data breaches. In all, the set consists of 2,692,818,238 rows and 1,160,253,228 unique email address and password combinations, a format built for credential stuffing attacks, in which attackers replay stolen username/password pairs against other sites through automated login requests, betting that the victim reused the same password.
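The login pattern credential stuffing produces is distinctive: one source address tries many distinct accounts in a short window and almost all attempts fail. As an added example (not from the original article), here is a toy detector run over constructed auth-log lines; the log format, the thresholds and the sample data are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format:
# "<ISO timestamp> <client ip> <OK|FAIL> user=<account>"
SAMPLE_LOG = """\
2019-01-17T10:00:01 203.0.113.7 FAIL user=alice@example.com
2019-01-17T10:00:02 203.0.113.7 FAIL user=bob@example.com
2019-01-17T10:00:02 203.0.113.7 FAIL user=carol@example.com
2019-01-17T10:00:03 203.0.113.7 OK   user=dave@example.com
2019-01-17T10:00:03 203.0.113.7 FAIL user=erin@example.com
2019-01-17T10:00:04 203.0.113.7 FAIL user=frank@example.com
2019-01-17T10:00:05 203.0.113.7 FAIL user=grace@example.com
2019-01-17T10:03:00 198.51.100.9 FAIL user=alice@example.com
2019-01-17T10:03:05 198.51.100.9 FAIL user=alice@example.com
2019-01-17T10:03:09 198.51.100.9 OK   user=alice@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, ip, result, user) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["result"], m["user"]))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.25):
    """Flag source IPs that tried at least `min_users` distinct accounts inside
    `window` with a low success ratio. Thresholds are assumptions to tune per
    service. One account failing repeatedly from one IP (forgotten password or
    a single-account brute force) is a different signal and is not flagged here."""
    by_ip = defaultdict(list)
    for ts, ip, result, user in sorted(events):
        by_ip[ip].append((ts, result, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        for i in range(len(attempts)):  # slide the window start over each attempt
            start = attempts[i][0]
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {user for _, _, user in in_window}
            successes = sum(1 for _, result, _ in in_window if result == "OK")
            if len(users) >= min_users and successes / len(in_window) <= max_ok_ratio:
                flagged[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    "successes": successes,
                    # accounts the stuffer got into: these need a forced reset
                    "compromised": sorted(u for _, r, u in in_window if r == "OK"),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

In the sample, 203.0.113.7 hits seven different accounts in five seconds with one success, so it is flagged and the one account it got into is listed for a forced reset; 198.51.100.9 only retries a single account and is left alone. Real attackers spread attempts across many IPs, so a production version would also aggregate by user-agent, ASN or request fingerprint rather than by address alone.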

While the exact origin of the data remains unclear, the fact that it was available for anyone to take is a serious concern. To check whether you are affected, visit Have I Been Pwned?; if your address appears, change the password on the affected accounts (if you already changed it in response to the original breach, this leak does not expose a current password, but changing it again does no harm) and turn on two-factor authentication, preferably via an authenticator app rather than SMS.

A general word of caution: never reuse passwords across different sites - credential stuffing attacks work for exactly this reason - and make sure they are strong by following the tips below:
  • Use a password manager (1Password, LastPass, Avast, Bitwarden or KeePass, for example) both to auto-generate strong, unique passwords and to store them securely.
  • Make passwords longer and more memorable by taking a lyric from a song or poem, a meaningful quote from a movie or speech, a line from a book, a series of words that are meaningful to you, or an abbreviation.
  • Avoid passwords that could be guessed by people who know you, or by looking at your social media profile.
  • Avoid personal information (nicknames, initials, addresses, date of birth, street names etc.), common sequences ("abcd", "123" etc.) and predictable substitutions ("Hello" as "H3ll0", "Doorbell" as "d00r8377" etc.), all of which cracking wordlists already cover.
  • Mix letters, numbers and symbols. For example: "Thanksgiving is the best time to catch up with family" becomes "T!tB3stime:2cth^pwf", and "where are my glasses? Oh, there" becomes "w?@mgla$:ohth3r".
Update: Security researcher Brian Krebs has revealed that "the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online," and that "Collection #1 was at least 2-3 years old."

Update on Jan 30: Reports have emerged that hackers are passing around for free, on hacker forums and torrents, a gargantuan collection of 2.2 billion unique usernames and associated passwords (named Collections #2–5, totalling 845GB and 25 billion records) gathered from previous breaches, mostly of Yahoo!, Dropbox and LinkedIn.
