A massive data leak has been uncovered today, and the number of login credentials exposed may be the highest ever discovered. The discovery, dubbed "Collection #1", was made by security researcher Troy Hunt, and its impact is very widespread.
The data comes from a set of files found on a MEGA cloud account, in a folder named "Collection #1", amounting to over 87GB of data, though the files have since been pulled. The files were being discussed on a hacking forum, so it's likely that a few people got their hands on this information before it was removed.
The data was scattered across multiple files, each referring to the website it was pulled from, and there could be as many as 2,890 such sources. The alleged list of directories included in the breach has been replicated on Pastebin, so you can get a sense of where the data is coming from.
The scale of the breach is tremendous: Hunt says that, after some cleanup of the raw data files, there were over one billion unique combinations of e-mail addresses and passwords. This includes almost 773 million unique e-mails and over 21 million unique passwords. That last number refers to plain-text passwords, as Hunt mentions that he excluded passwords in hashed form. Though a thorough cleanup would be impossible, the accuracy of the numbers should be over 99%.
Hunt, who maintains the Have I Been Pwned? (HIBP) website, has entered all of that data into the service, so if you'd like to see whether your e-mail addresses and passwords have been exposed, you can do so now, though the service doesn't tell you which breach they're included in. Of the e-mail addresses loaded onto HIBP, 140 million had never been in the database before, and about half of the 21 million exposed passwords are also new, so there's a good chance you've been affected.
There have been many security breaches and data leaks through the years, but the scale of this one is almost unmatched. A couple of years ago, Yahoo admitted to potentially exposing data for over one billion users, which might be the closest comparison we have.
Obviously, it's highly recommended that you change your password if it's been exposed. Hunt also recommends using a password manager and enabling two-factor authentication where possible.
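The HIBP password check mentioned above can be done without sending the password anywhere: the Pwned Passwords service takes the first five hex characters of the password's SHA-1 and returns every known hash suffix in that bucket, which is then compared locally. The following is an added example, not code from the article or from Troy Hunt; the endpoint URL and the Add-Padding header are assumptions about the HIBP API, and the sample bucket is constructed.

```python
import hashlib
import urllib.request

# Assumed HIBP Pwned Passwords k-anonymity endpoint (not stated in the article).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest.
    Only the prefix ever leaves the machine; the suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line); return the count for suffix, or 0."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Network call: fetch the bucket for a 5-hex-char prefix. Add-Padding asks the
    service to pad the response so its size does not reveal which bucket was queried."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def password_exposure_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch(prefix), suffix)


# Constructed offline sample bucket: contains the real suffix of "password123"
# with a made-up count, surrounded by made-up neighbouring suffixes.
_prefix, _suffix = split_sha1("password123")
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_suffix}:12345",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",  # padded entries carry a count of 0
])

if __name__ == "__main__":
    print(password_exposure_count("password123", lambda p: SAMPLE_RANGE_RESPONSE))
```

Replace the lambda with the default `fetch_range` to query the live service; a non-zero result means the password should be retired.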
Source: Troy Hunt