A dump called “Collection #1” has been released by parties unknown, containing email addresses and cracked passwords: in its raw form, it contains 2.7 billion records, which Troy “Have I Been Pwned” Hunt (previously) de-duplicated to come up with 773 million unique records — of those 140,000,000 email addresses and 10,000,000 passwords have never been seen in the HaveIBeenPwned database before.
Collection #1 appears to have been created by cracking lots of online services of every size and description and subjecting their passwords to guessing programs that undid the hashing of millions and millions of them. It’s the kind of database that is of great use to “credential stuffers” who just throw known-good login/password combinations at services they want to attack until they get in.
The dump is on “a popular hacking forum” (having previously been available on Mega, the cloud service). It’s a folder with 12,000 files totalling 87GB.
Hunt has ingested this dump into the Have I Been Pwned? database, and you can search it to see if your credentials appear in it.
Pretty darn serious! While it doesn’t appear to include more sensitive information, like credit card or Social Security numbers, Collection #1 is historic for scale alone. A few elements also make it especially unnerving. First, around 140 million email accounts and over 10 million unique passwords in Collection #1 are new to Hunt’s database, meaning they’re not just duplicates from prior megabreaches.
Then there’s the way in which those passwords are saved in Collection #1. “These are all plain text passwords; if we take a breach like Dropbox, there may have been 68 million unique email addresses in there but the passwords were cryptographically hashes making them very difficult to use,” says Hunt. Instead, the only technical prowess someone with access to the folders needs to break into your accounts is the ability to scroll and click.
Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach [Brian Barrett/Wired]
(Image: Cjp24, CC-BY-SA)