Massive Collection #1 leak exposes 773m unique records online

Gargantuan 87GB trove of email addresses and passwords was sourced from thousands of separate data breaches

The word password among code

Nearly 2.7 billion records containing up to 800 million unique email addresses and more than 21 million unique passwords have been compromised and published online.

The massive data leak, dubbed Collection #1, is made up of individual breaches from "literally thousands of different sources", according to security researcher Troy Hunt, who announced his findings in a blog post.

The data being shared on hacking forums comprises is email addresses and passwords totalling 2.69 billion rows of data, with a total of 1.16 billion unique combinations of email addresses and passwords.

This collection exceeds 87GB in size and contains 12,000 individual files. It represents one of the biggest, if not the biggest, exposures of personal data in history.

This 1.16 billion figure was determined by filtering passwords as case sensitives, and email addresses as not case sensitive, according to Hunt, who says the leaked data can be used for 'credential stuffing' attacks. 

In all, Hunt determined the data contained 773 million unique email addresses, and 21 million unique passwords.

"People take lists like these that contain our email addresses and passwords then they attempt to see where else they work," Hunt said. "The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.

"Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because its subsequently been breached and you've been using that same password all over the place, you've got a serious problem."

After being alerted to Collection #1, Hunt was then pointed in the direction of a popular hacking forum on which members were discussing the trove of data. He assigned this breach 'Collection #1' as it was the name prescribed to the root folder in an image being circulated on these forums.

The researcher also reproduced a list of sites included in this data breach, after it appeared on the hacking forum, totalling 2,890 file names, but warned it wasn't necessarily complete and that he hasn't been able to verify it.

The earliest reference to an alleged breach is 2008, according to the unverified list, with a great deal occurring over the previous five years.

Hunt, who also manages the Have I Been Pwned service, has recommended that people either buy into a dedicated digital password manager or use a notebook and pen to manage all their personal login details. He also railed against password reuse, saying online users need to "avoid that to the fullest extent possible".

His views are reflected by the comments of Malwarebytes' lead malware intelligence analyst Chris Boyd, who suggested the key is to ensure passwords are limited to one per account.

"This is another good argument for making use of password managers, and especially those with built-in functionality to check current passwords against lists of data breaches," said Boyd. 

"If you recognise any of your passwords in the haul, you should stop using it immediately and perform a little behind the scenes maintenance as soon as possible."

Although nowhere near on the same scale as the Collection #1 incident, Reddit suffered a security scare last week after force-resetting the passwords of a large, indeterminate number of its users.

The microblogging platform wouldn't confirm whether this was precautionary, or reactive, but suggested it was done because they detected that users had either employed simple passwords or were engaged in password reuse.

A computer science professor Alan Woodward, meanwhile, previously suggested the best passwords are those which you can't remember, while claiming there is evidence to suggest that using longer phrases are easier to crack.

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Ryuk behind a third of all ransomware attacks in 2020
Security

Ryuk behind a third of all ransomware attacks in 2020

29 Oct 2020
REvil hacking group says it has made more than $100m in a year
Security

REvil hacking group says it has made more than $100m in a year

29 Oct 2020
36 billion personal records exposed by hacks in 2020 so far
Security

36 billion personal records exposed by hacks in 2020 so far

29 Oct 2020
Trump website defaced in second successive cyber breach
Security

Trump website defaced in second successive cyber breach

28 Oct 2020

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Politicians need to stop talking about technology
Policy & legislation

Politicians need to stop talking about technology

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020