773m email addresses, 21m passwords leaked in massive data breach

One of the biggest data breaches in history, involving some 773m records, has been exposed by Troy Hunt, who runs the Have I Been Pwned breach-notification service. Hunt has named the incident Collection #1.

In a blog post, Hunt said that Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 (2.69bn) rows, made up of many different individual data breaches from thousands of different sources.

In total, it includes 1,160,253,228 unique combinations of email addresses and passwords, resolving down to 772,904,991 unique email addresses and 21,222,975 unique passwords.

The data dump was hosted on the cloud service Mega, but has since been removed. It consisted of over 12,000 separate files and more than 87GB of data.

In the blog post Hunt said the data is “made up of many different individual data breaches from literally thousands of different sources”.

Hunt said that the email/password combinations would most likely be used for “credential stuffing”, where fraudsters take a known combination of email address and password and use it to try to gain access to user accounts across the web.

“The success of this approach is predicated on the fact that people reuse the same credentials on multiple services,” Hunt wrote. “Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because it's subsequently been breached and you've been using that same password all over the place, you've got a serious problem.”