Massive Collection #1 leak exposes 773m unique records online

Gargantuan 87GB trove of email addresses and passwords was sourced from thousands of separate data breaches

The word password among code

Nearly 2.7 billion records containing up to 800 million unique email addresses and more than 21 million unique passwords have been compromised and published online.

The massive data leak, dubbed Collection #1, is made up of individual breaches from "literally thousands of different sources", according to security researcher Troy Hunt, who announced his findings in a blog post.

Advertisement - Article continues below

The data being shared on hacking forums comprises is email addresses and passwords totalling 2.69 billion rows of data, with a total of 1.16 billion unique combinations of email addresses and passwords.

This collection exceeds 87GB in size and contains 12,000 individual files. It represents one of the biggest, if not the biggest, exposures of personal data in history.

This 1.16 billion figure was determined by filtering passwords as case sensitives, and email addresses as not case sensitive, according to Hunt, who says the leaked data can be used for 'credential stuffing' attacks. 

In all, Hunt determined the data contained 773 million unique email addresses, and 21 million unique passwords.

"People take lists like these that contain our email addresses and passwords then they attempt to see where else they work," Hunt said. "The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.

Advertisement - Article continues below
Advertisement - Article continues below

"Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because its subsequently been breached and you've been using that same password all over the place, you've got a serious problem."

After being alerted to Collection #1, Hunt was then pointed in the direction of a popular hacking forum on which members were discussing the trove of data. He assigned this breach 'Collection #1' as it was the name prescribed to the root folder in an image being circulated on these forums.

The researcher also reproduced a list of sites included in this data breach, after it appeared on the hacking forum, totalling 2,890 file names, but warned it wasn't necessarily complete and that he hasn't been able to verify it.

The earliest reference to an alleged breach is 2008, according to the unverified list, with a great deal occurring over the previous five years.

Advertisement - Article continues below

Hunt, who also manages the Have I Been Pwned service, has recommended that people either buy into a dedicated digital password manager or use a notebook and pen to manage all their personal login details. He also railed against password reuse, saying online users need to "avoid that to the fullest extent possible".

His views are reflected by the comments of Malwarebytes' lead malware intelligence analyst Chris Boyd, who suggested the key is to ensure passwords are limited to one per account.

"This is another good argument for making use of password managers, and especially those with built-in functionality to check current passwords against lists of data breaches," said Boyd. 

"If you recognise any of your passwords in the haul, you should stop using it immediately and perform a little behind the scenes maintenance as soon as possible."

Although nowhere near on the same scale as the Collection #1 incident, Reddit suffered a security scare last week after force-resetting the passwords of a large, indeterminate number of its users.

Advertisement - Article continues below

The microblogging platform wouldn't confirm whether this was precautionary, or reactive, but suggested it was done because they detected that users had either employed simple passwords or were engaged in password reuse.

A computer science professor Alan Woodward, meanwhile, previously suggested the best passwords are those which you can't remember, while claiming there is evidence to suggest that using longer phrases are easier to crack.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020