Massive data breach affects 773 million e-mail addresses, passwords

More than 770 million e-mail addresses have been discovered in a database allegedly used by hackers, a security researcher has revealed.

Cybersecurity expert Troy Hunt said a list of more than 2.6 billion records containing around 773 million unique e-mail addresses and more than 21 million unique passwords was being shared on a “popular hacking forum”.

Hunt said his initial analysis of the data, which has been dubbed Collection #1, found it had been compiled from more than 2 000 different data breaches and hacked databases or websites, confirming some of his own personal information had also appeared in the lists.

The database did not appear to contain any more sensitive information — such personal finance information and credit card details, he said.

Hunt claimed his research on the list suggested around 140 million of the e-mail addresses had not appeared in previous breaches and were therefore newly exposed details.

He warned the lists could be used by hackers to carry out “credential stuffing” attacks, where hackers take lists of usernames and passwords and enter them on a range of other platforms to try and force access to different user accounts.

“In other words, people take lists like these that contain our e-mail addresses and passwords then they attempt to see where else they work,” he said.

‘Serious problem’

“The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you’ve long since forgotten about, but because it’s subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.”

The security expert called on people to check the website Have I Been Pwned, a data breach monitoring website which can tell users if any e-mail address they use has ever been compromised in a hack, and to change any passwords linked to exposed accounts.

“If you’re reusing the same password(s) across services, go and get a password manager and start using strong, unique ones across all accounts. Also turn on two-factor authentication wherever it’s available,” he said.

The database and its contents — though mostly a collection of data from other incidents — could be considered one of the largest data breaches ever, exceeding the 500 million accounts affected by a Marriott breach that was confirmed in December, but far less than the three billion accounts hit by a breach on Yahoo in 2013.