Huge Collection #1 database leak exposes 773 million email addresses and 21 million passwords
A massive database leak -- dubbed Collection #1 -- has made its way to hacking forums, exposing millions of email addresses and passwords. The news was first shared by Troy Hunt -- the man behind Have I Been Pwned? -- who explains that the leak comprises, "many different individual data breaches from literally thousands of different sources".
Hunt explains that there are "1,160,253,228 unique combinations of email addresses and passwords", so there are a very large number of people that may have been affected by the leak.
- Organizations suffer breaches despite confidence in their security measures
- Email security systems leave organizations vulnerable
- The beginning of the end for the password, more regulation and more IoT risks -- cybersecurity predictions for 2019
In a lengthy blog post, Hunt says that he knows that the data is accurate because he found records relating to himself in there. " What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see".
The database first appeared on MEGA -- although it has now been removed -- but spread to other sites. Made up of more than 12,000 files and totalling over 87GB of data, and it has been described on hacking forums as, "a collection of 2000+ dehashed databases and Combos stored by topic".
The implications of the leak are immense. Troy says:
Like many of you reading this, I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again [...] In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see.
If you have signed up for Have I Been Pwned?, you may already have been alerted to the fact that your data has been exposed, but if not you can head over to the site to see if your email address is affected. You can also check on Pwned Passwords to see if your password is included in the breach. Don't worry -- the sites do not link your email address and password. For this reason you will not be able to tell specifically if your password has been linked to your email address elsewhere, but it will give you an idea of your risk.
As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767.
Whilst I can't tell you precisely what password was against your own record in the breach, I can tell you if any password you're interested in has appeared in previous breaches Pwned Passwords has indexed. If one of yours shows up there, you really want to stop using it on any service you care about.
It is well worth taking a look at Troy Hunt's full blog post for more information.