More than 770 million email addresses found in 'largest' data breach

More than 770 million email addresses found in 'largest' data breach

A man types into a keyboard during the Def Con hacker convention in Las Vegas
A man uses a keyboard. (File photo: Reuters/Steve Marcus)

SINGAPORE: Internet security researcher Troy Hunt on Thursday (Jan 17) said he has discovered the largest collection of breached data, comprising more than 770 million unique email addresses and more than 21 million unique passwords.

The data, called Collection #1 and collated by Hunt, is made up of individual data breaches from more than 2,000 databases, instead of representing a single, easily identifiable service. 

He added that his data set presented 140 million email addresses that were not part of a single large data breach.

READ: Facebook now says data breach affected 29 million users, details impact

Hunt, who runs the breach notification service Have I Been Pwned (HIBP), found that 772,904,991 unique email addresses had been loaded into the website after he had cleaned his data set.

"This number makes it the single largest breach ever to be loaded into HIBP," Hunt said in a blog post.

Similarly, 21,222,975 unique passwords were also uploaded onto the website. 

have i been pwned
Screengrab of the Have I Been Pwned website where users can check if they have an online account that has been compromised. 


The implication of having breached data, according to Hunt, is that it can be used for credential stuffing - an act of using a combination of various email addresses and passwords pairs to gain fraudulent access to a user's account.

"People take lists like these that contain our email addresses and passwords then they attempt to see where else they work," he said. 

"The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. 

"Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because its subsequently been breached and you've been using that same password all over the place, you've got a serious problem."

READ: Quora hit by security breach, 100 million users affected

As a security measure, Hunt suggested the use of password managers to keep valuable information safe and secure. He noted that these password managers could be digital or old-school - jotting down the information in a notebook.

“It is quite a feat not to have had an email address or other personal information breached over the past decade,” said Jake Moore, a cybersecurity expert at ESET UK, as reported by the Guardian.

“If you’re one of those people who think it won’t happen to you, then it probably already has."

To check if your email address(es) has been affected by this data breach, visit the Have I Been Pwned site. You will need to sign up as a member to get access to the full information. 

READ: Cathay Pacific flags data breach affecting up to 9.4m passengers

Source: CNA/aa(rw)