More than 770 million email addresses and 22 million unique passwords have been found online by information security researcher Troy Hunt, proprietor of the infosec website, Have I Been Pwned.
Possibly the Largest Data Breach Ever
The data file with all of the email addresses and passwords has been uploaded to Have I Been Pwned for people to check to see if they are affected by the breach.
As of now, it's unclear who originally uploaded the data or where the breach originated. The data dump, found on a “popular hacker forum”, contains 2,692,818,238 rows of data, collated from thousands of sources.
After Hunt cleaned up the data dump—“hackers being hackers, they don't always neatly format their data dumps into an easily consumable fashion,” says Hunt—he found that there were 772,904,991 unique email addresses in the file, along with 21,222,975 unique plain text passwords.
Where Was This Data Dumped
According to Hunt, he was directed to MEGA, a popular cloud platform, which hosted a massive amount of data spread over 12,000 different files under the directory heading “Collection #I”, the name he has given this breach. The files amount to more than 87GB of data and were being shared on the “popular hacking forum” mentioned earlier.
The sources allegedly referred to by the data files may or may not have been targets of earlier breaches, Hunt says, but he does confirm that his own data is among the email addresses and passwords being shared.
“Like many of you reading this,” Hunt writes in the blog post announcing the breach, “I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again.”
How to Check if Your Information has Been Shared
Hunt has uploaded all of the data in a secure fashion to his site so visitors can check whether they have been affected by the breach, as many of you reading this will be.
“About 2.2M people presently use the free notification service [offered by Have I Been Pwned] and 768k of them are in this breach,” according to Hunt, so it's safe to say that one out of three readers of this article will likely be affected, if not more.
What’s more, Have I Been Pwned has a searchable database of compromised passwords that users of Hunt’s site can use to see if their passwords have been compromised in a breach. According to Hunt, half of the passwords in Collection #I are not already in the database, meaning they have only just been compromised.
Hunt is emphatic in his warning to the public: “If - like me - you're in that list, people who are intent on breaking into your online accounts are circulating it between themselves and looking to take advantage of any shortcuts you may be taking with your online security. My hope is that for many, this will be the prompt they need to make an important change to their online security posture.”