Massive Collection #1 leak exposes 773m unique records online

Gargantuan 87GB trove of email addresses and passwords was sourced from thousands of separate data breaches

The word password among code

Nearly 2.7 billion records containing up to 800 million unique email addresses and more than 21 million unique passwords have been compromised and published online.

The massive data leak, dubbed Collection #1, is made up of individual breaches from "literally thousands of different sources", according to security researcher Troy Hunt, who announced his findings in a blog post.

The data being shared on hacking forums comprises is email addresses and passwords totalling 2.69 billion rows of data, with a total of 1.16 billion unique combinations of email addresses and passwords.

This collection exceeds 87GB in size and contains 12,000 individual files. It represents one of the biggest, if not the biggest, exposures of personal data in history.

Advertisement - Article continues below
Advertisement - Article continues below

This 1.16 billion figure was determined by filtering passwords as case sensitives, and email addresses as not case sensitive, according to Hunt, who says the leaked data can be used for 'credential stuffing' attacks. 

In all, Hunt determined the data contained 773 million unique email addresses, and 21 million unique passwords.

"People take lists like these that contain our email addresses and passwords then they attempt to see where else they work," Hunt said. "The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.

"Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because its subsequently been breached and you've been using that same password all over the place, you've got a serious problem."

After being alerted to Collection #1, Hunt was then pointed in the direction of a popular hacking forum on which members were discussing the trove of data. He assigned this breach 'Collection #1' as it was the name prescribed to the root folder in an image being circulated on these forums.

The researcher also reproduced a list of sites included in this data breach, after it appeared on the hacking forum, totalling 2,890 file names, but warned it wasn't necessarily complete and that he hasn't been able to verify it.

Advertisement - Article continues below

The earliest reference to an alleged breach is 2008, according to the unverified list, with a great deal occurring over the previous five years.

Hunt, who also manages the Have I Been Pwned service, has recommended that people either buy into a dedicated digital password manager or use a notebook and pen to manage all their personal login details. He also railed against password reuse, saying online users need to "avoid that to the fullest extent possible".

His views are reflected by the comments of Malwarebytes' lead malware intelligence analyst Chris Boyd, who suggested the key is to ensure passwords are limited to one per account.

"This is another good argument for making use of password managers, and especially those with built-in functionality to check current passwords against lists of data breaches," said Boyd. 

Advertisement - Article continues below

"If you recognise any of your passwords in the haul, you should stop using it immediately and perform a little behind the scenes maintenance as soon as possible."

Although nowhere near on the same scale as the Collection #1 incident, Reddit suffered a security scare last week after force-resetting the passwords of a large, indeterminate number of its users.

Advertisement - Article continues below

The microblogging platform wouldn't confirm whether this was precautionary, or reactive, but suggested it was done because they detected that users had either employed simple passwords or were engaged in password reuse.

A computer science professor Alan Woodward, meanwhile, previously suggested the best passwords are those which you can't remember, while claiming there is evidence to suggest that using longer phrases are easier to crack.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020