Massive Collection #1 leak exposes 773m unique records online

Password is seen in a maginfying glass written in green text while surrounded by binary code written in blue text
(Image credit: Shutterstock)

Nearly 2.7 billion records containing up to 800 million unique email addresses and more than 21 million unique passwords have been compromised and published online.

The massive data leak, dubbed Collection #1, is made up of individual breaches from "literally thousands of different sources", according to security researcher Troy Hunt, who announced his findings in a blog post.

The data being shared on hacking forums comprises is email addresses and passwords totalling 2.69 billion rows of data, with a total of 1.16 billion unique combinations of email addresses and passwords.

This collection exceeds 87GB in size and contains 12,000 individual files. It represents one of the biggest, if not the biggest, exposures of personal data in history.

This 1.16 billion figure was determined by filtering passwords as case sensitives, and email addresses as not case sensitive, according to Hunt, who says the leaked data can be used for 'credential stuffing' attacks.

In all, Hunt determined the data contained 773 million unique email addresses, and 21 million unique passwords.

"People take lists like these that contain our email addresses and passwords then they attempt to see where else they work," Hunt said. "The success of this approach is predicated on the fact that people reuse the same credentials on multiple services.

"Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because its subsequently been breached and you've been using that same password all over the place, you've got a serious problem."

After being alerted to Collection #1, Hunt was then pointed in the direction of a popular hacking forum on which members were discussing the trove of data. He assigned this breach 'Collection #1' as it was the name prescribed to the root folder in an image being circulated on these forums.

The researcher also reproduced a list of sites included in this data breach, after it appeared on the hacking forum, totalling 2,890 file names, but warned it wasn't necessarily complete and that he hasn't been able to verify it.

The earliest reference to an alleged breach is 2008, according to the unverified list, with a great deal occurring over the previous five years.

Hunt, who also manages the Have I Been Pwned service, has recommended that people either buy into a dedicated digital password manager or use a notebook and pen to manage all their personal login details. He also railed against password reuse, saying online users need to "avoid that to the fullest extent possible".

His views are reflected by the comments of Malwarebytes' lead malware intelligence analyst Chris Boyd, who suggested the key is to ensure passwords are limited to one per account.

"This is another good argument for making use of password managers, and especially those with built-in functionality to check current passwords against lists of data breaches," said Boyd.

"If you recognise any of your passwords in the haul, you should stop using it immediately and perform a little behind the scenes maintenance as soon as possible."

Although nowhere near on the same scale as the Collection #1 incident, Reddit suffered a security scare last week after force-resetting the passwords of a large, indeterminate number of its users.

The microblogging platform wouldn't confirm whether this was precautionary, or reactive, but suggested it was done because they detected that users had either employed simple passwords or were engaged in password reuse.

A computer science professor Alan Woodward, meanwhile, previously suggested the best passwords are those which you can't remember, while claiming there is evidence to suggest that using longer phrases are easier to crack.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.