The first big data breach story of 2019 has broken, and it’s a whopper: 772 million email addresses and 22 million unique passwords have been found in a public cache called Collection #1.
The discovery was revealed on Wednesday by Troy Hunt, cyber researcher and regional director at Microsoft.
Hunt, who loads compromised email addresses into the Have I Been Pwned (HIBP) database, calls it “the single largest breach ever to be loaded into HIBP.”
In that batch were “140 million email addresses that HIBP had never seen before,” he adds.
Hunt continues: “The data was also in broad circulation based on the number of people that contacted me privately about it and the fact that it was published to a well-known public forum. In terms of the risk this presents, more people with the data obviously increases the likelihood that it'll be used for malicious purposes.”
They're there for the taking by any digital pack rat that wants to use them.
Even more staggering to the layperson is the number of unique combinations of email addresses and passwords: 1,160,253,228. These occur when the password is treated as case sensitive “but the email address is not case sensitive,” Hunt writes.
Collection #1 is “a set of email addresses and passwords totaling 2,692,818,238 rows,” he continues. “It's made up of many different individual data breaches from literally thousands of different sources.”
The cache appears to go back to 2008.
Hunt has also loaded the passwords into Pwned Passwords. Half of them were not already there.
Ultimately, the danger is that the email addresses and passwords can be “compiled into lists which can be used for credential stuffing.”
Hunt has apparently sent emails to the addresses in the cache, warning their owners of the exposure.
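The counting rule above (emails compared case-insensitively, passwords case-sensitively) and a Pwned Passwords style check, as an added example in Python; this is not code from the article or from HIBP, and both the sample rows and the range lookup are constructed stand-ins for the dump and the service.

```python
import hashlib

# Constructed sample rows in the "email:password" layout typical of such dumps.
SAMPLE_ROWS = """\
Alice@Example.com:Summer2018
alice@example.com:Summer2018
alice@example.com:summer2018
Bob@Example.org:hunter2
bob@example.org:hunter2
carol@example.net:Summer2018
"""

def parse_rows(text):
    """Yield (email, password) pairs: email lowercased, password case kept."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password

def summarise(text):
    """Count rows, unique emails, unique passwords and unique combinations."""
    pairs = set(parse_rows(text))
    return {
        "rows": sum(1 for line in text.splitlines() if ":" in line),
        "emails": len({e for e, _ in pairs}),
        "passwords": len({p for _, p in pairs}),
        "combos": len(pairs),
    }

# Constructed stand-in for the Pwned Passwords range endpoint: given the first
# five hex chars of a SHA-1, return "SUFFIX:COUNT" lines for every known hash
# sharing that prefix. The real service answers the same shape over HTTPS.
KNOWN_LEAKED = {"Summer2018": 42, "hunter2": 17}

def fake_range(prefix):
    lines = []
    for pw, count in KNOWN_LEAKED.items():
        h = hashlib.sha1(pw.encode()).hexdigest().upper()
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)

def pwned_count(password, range_lookup=fake_range):
    """k-anonymity lookup: only the 5-char prefix leaves the client, the suffix is matched locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        cand, _, count = line.partition(":")
        if cand == suffix:
            return int(count)
    return 0
```

Note that `summarise` reports four combinations from six rows: the two casings of alice's address collapse, but `Summer2018` and `summer2018` stay distinct.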
“I woke up this morning to find an email from the Troy Hunt 'have i been pwned?' account compromise alert site,” Davey Winder writes on Forbes.
Hunt advises potential victims to get a password manager.