A record-breaking collection of almost 800 million unique email addresses were found being leaked online by Australian cybersecurity and data breach expert, Troy Hunt. Hunt reported on the data dump – which he termed “Collection #1 – mid-January through his personal website and broke down the combination of files from the initial list of over 2.6 billion rows. The 772 million email addresses were accompanied by over 21 million unique passwords after Hunt cleaned up the data fields.
The files were found by Hunt on the cloud storage service, MEGA, after several sources called his attention to its existence. A serious concern highlighted by Hunt in his reporting is that the existence of the combinations within this data indicate that it was collected for the purpose of leveraging “credential stuffing” attacks. Credential stuffing is a form of brute force attack that utilizes automated injections of leaked login information to attempt to gain access to a matching account.
Not long after Hunt published his findings, cybercrime reporter Brian Krebs followed up on the story and found that Collection #1 was actually part of a much bigger trove of hacked information that could be several years old. The entire set of email and password combination data has been advertised for sale since at least October 2018 by a Telegram user named “Sanixer.” Collection #1 was one many such folders being sold online by Sanixer, who indicated directly to Krebs that it was lower value option given that the data had already been advertised previously in different places.
The Real Danger of Collection #1
Many of the credentials featured in Collection #1 had already been shopped around by Russian hackers on the Dark Web, according to Krebs’ sources. As the data is older, it does not present an immediate danger to most users – unless any versions of the passwords collected are still being used. Being the largest recorded collection of email and password combinations available for sale, it does provide an opportunity for less sophisticated hackers to take advantage of.
Learn Network Security Best Practices to Avoid a Data Breach
Your organization’s employees are your first and last line of defense – every individual is a walking digital touchpoint that provides as many entryways as devices they use to access your network. Leaked passwords and email addresses are one of many ways they can be hacked and exploited as a channel into your business’s valuable data. It is good practice to change your passwords periodically, if this data breach is not warning enough, you should probably take the time update your password if you have not done so recently.
Read our guide on gaining employee buy-in on cybersecurity practices to learn how to ensure you’re your organization stays protected from the bottom up.