Someone has compiled a massive collection of email addresses and plain text passwords, apparently from 2000+ hacked databases, and has made the trove freely available for download via the MEGA cloud storage service.
The set – dubbed Collection #1 – also ended on a popular hacking forum after it was removed from MEGA.
Is your email address or password included in the set?
Troy Hunt, the security researcher known for his Have I Been Pwned? service, has gotten his hands on the data set and has cleaned it up to reveal that it contains:
- 2,692,818,238 rows
- 1,160,253,228 unique combinations of email addresses and passwords
- 772,904,991 unique email addresses
- 21,222,975 unique passwords.
He has added the 772+ thousand email addresses in the HIBP service, so that users can check whether theirs are among them.
They can also take advantage of the Pwned Passwords service to check whether any of the passwords they use in conjunction with their email addresses (e.g., for signing up to some online account) have been exposed in this or other data breaches. The service doesn’t store the searched passwords and protects their privacy.
The origin of the data and the potential for misuse
The Collection #1 data set came in the form of over 12,000 separate files and more than 87GB of data.
As noted before, the data seems to come from many different sources.
The set contains only plain text passwords, making it ideal for credential stuffing attacks.
“Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. In other words, people take lists like these that contain our email addresses and passwords then they attempt to see where else they work,” Hunt explains.
“The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you’ve long since forgotten about, but because its subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.”
Advice for users and online businesses
Hunt and other security experts advise users to start using password managers, which make it easy to “remember” a great number of unique, strong passwords.
Jake Moore, cyber security expert at ESET UK, notes that there has never been a better time to change your password.
“Password managing applications are now widely accepted, and they are much easier to integrate into other platforms than before. Plus, they help you generate a completely random password for all of your different sites and apps. And if you’re questioning the security of a password manager, well they are incredibly safer to use than reusing the same three passwords for all your sites,” he commented for Help Net Security.
Enabling two-factor authentication wherever possible – or, at least, for the most important accounts – is also a good idea.
Rami Essaid, co-founder of bot mitigation company Distil Networks, also pointed out that massive data breaches like Collection #1 create huge spikes in bot traffic on the login screens of websites and that any online business that has a user login web page is at risk of becoming the next breach headline.
“Password dumps create a ripple effect of organizations spending precious time and resources on damage control. The massive spike in failed logins, then the access into someone else’s account before the hacker changes the password, then the account lock-out for the real user, then the customer service calls to regain access to their account. All because a username and password was stolen from a different website,” he explained.”
“While it’s important that individual web users have strong, secure logins, the onus is on the businesses to detect and block malicious bot traffic before large-scale password hacks can occur.”