Over 770 million email addresses shared online in largest data breach in history
The breach is being dubbed ‘Collection #1’ and contains a raw data set of email addresses and passwords totalling 2,692,818,238 rows from potentially thousands of different sources, according to digital security expert Troy Hunt.
New breach: The "Collection #1" credential stuffing list began broadly circulating last week and contains 772,904,991 unique email addresses with plain text passwords (now in Pwned Passwords). 82% of addresses were already in @haveibeenpwned. Read more: https://t.co/BAa3rbgZo4— Have I Been Pwned (@haveibeenpwned) January 16, 2019
In total, there are 1,160,253,228 unique combinations of email addresses and passwords contained within over 12,000 separate files, constituting a truly staggering 87GB of data (for context, this is raw text, not 4K video).Also on rt.com Russian cyber firm hounded in US helped NSA bust 50TB data breach – report
In terms of sheer volume, it is being considered the largest data breach in history, second only to Yahoo's high profile cyber security gaffes which affected billions of users, though it is an aggregate of potentially hundreds if not thousands of breaches.
“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt told WIRED. “There’s no obvious patterns, just maximum exposure.”
Not only am I on the list, I also received a phishing email telling me on of the throw away passwords I used together with that email. So at least in my case I know who got hacked... and who will _NOT_ be receiving a bitcoin ;D— Ruben W. (@ruben_we) January 17, 2019
The breach contains previously encrypted passwords that have been “dehashed” or cracked and converted back to plain text and includes files allegedly from as early as 2008. The information wasn't even for sale but was merely dumped on MEGA and subsequently on a popular hacking forum, free for anyone with scroll and click capabilities to review.
As a result, there is a greatly increased risk of so-called credential-stuffing attacks in which hackers spam websites with various combinations of emails and passwords, including – but not limited to – services like Netflix, Facebook or other social media accounts, and online services. The breach doesn't appear to contain social security or credit card data.
Just received my email. Plain text passwords 😰. I started using @haveibeenpwned and @1Password a while ago because of breaches like this. And so should you. There is @1Password which I recommend, but there are free alt's. Use @haveibeenpwned, you'll see why it's necessary. https://t.co/y2pl7ShWtZ— Rutger Claes (@rutgerclaes) January 17, 2019
Hunt recommends checking your email addresses on the free service provided by Have I Been Pwned.
If you are included in the breach, which is extremely likely, he recommends using a password manager or even going old school and employing *gasp* a pen and paper to store your passwords offline. Hack that!
Email address != person.— Happy Loaf (@Happy_Loaf) January 16, 2019
God job a load of that were automated bots using the variable
“It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web,” Hunt wrote in his blog post on the breach.
A lucky few are claiming to have escaped the breach, but the odds are not in your favor.
Think your friends would be interested? Share this story!