773 Million Record "Collection #1" Data Breach

Spotty

Source: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

Source: https://haveibeenpwned.com/

 

Haveibeenpwned is reporting the largest data breach they've listed, with over 770 million unique email addresses breached. The breach is known as "Collection #1" and was allegedly discovered on a popular hacking website and uploaded to Mega. The list is a compilation of breached email addresses along with multiple different passwords used on thousands of different websites. The collection of emails and passwords is over 87GB in size.
 

Quote

In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.

Source: https://haveibeenpwned.com/


Key points:

Quote

Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources.

In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive.

The unique email addresses totalled 772,904,991...  This number makes it the single largest breach ever to be loaded into HIBP.

There are 21,222,975 unique passwords.

 

Source: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

 

Quote

Data Origins

Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totalled over 12,000 separate files and more than 87GB of data. One of my contacts pointed me to a popular hacking forum where the data was being socialised, complete with the following image:

image-17.png

As you can see at the top left of the image, the root folder is called "Collection #1" hence the name I've given this breach. The expanded folders and file listing give you a bit of a sense of the nature of the data (I'll come back to the word "combo" later), and as you can see, it's (allegedly) from many different sources. The post on the forum referenced "a collection of 2000+ dehashed databases and Combos stored by topic" and provided a directory listing of 2,890 of the files which I've reproduced here. This gives you a sense of the origins of the data but again, I need to stress "allegedly". I've written before about what's involved in verifying data breaches and it's often a non-trivial exercise. Whilst there are many legitimate breaches that I recognise in that list, that's the extent of my verification efforts and it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all.

However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. Like many of you reading this, I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public. Fortunately, only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. They're also ones that were stored as cryptographic hashes in the source data breaches (at least the ones that I've personally seen and verified), but per the quoted sentence above, the data contains "dehashed" passwords which have been cracked and converted back to plain text. (There's an entirely different technical discussion about what makes a good hashing algorithm and why the likes of salted SHA1 is as good as useless.) In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see.


Source: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/


Another day, another data breach. Don't really have many thoughts on this but felt it should get some attention due to the size. If you're concerned that any of your accounts have been compromised you can go to http://haveibeenpwned.com to check your email address.

CPU: Intel i7 6700k  | Motherboard: Gigabyte Z170x Gaming 5 | RAM: 2x16GB 3000MHz Corsair Vengeance LPX | GPU: Gigabyte Aorus GTX 1080ti | PSU: Corsair RM750x (2018) | Case: BeQuiet SilentBase 800 | Cooler: Arctic Freezer 34 eSports | SSD: Samsung 970 Evo 500GB + Samsung 840 500GB + Crucial MX500 2TB | Monitor: Acer Predator XB271HU + Samsung BX2450
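
The key points quoted in the post above give four different totals for the same data (rows, unique email/password combinations, unique email addresses, unique passwords) and state the rule used: password case sensitive, email address not. The following is an added example, not code from the thread or from HIBP, that applies that rule to a few constructed lines; the `email:password` / `email;password` line layout and the names `split_record` and `count_collection` are assumptions for illustration.

```python
from collections import namedtuple

Stats = namedtuple("Stats", "rows unique_pairs unique_emails unique_passwords skipped")

# Constructed sample lines, not records from the breach. The separator
# layout is an assumption; the page does not describe the file format.
SAMPLE = """\
Alice@Example.com:hunter2
alice@example.com:hunter2
alice@example.com:Hunter2
bob@example.org;letmein
carol@example.net:hunter2
not-a-record
bob@example.org:letmein
"""

def split_record(line):
    """Return (email, password), or None for a line that does not parse."""
    line = line.rstrip("\r\n")
    # Split on the first separator only: a password may itself contain ':' or ';'.
    positions = [p for p in (line.find(":"), line.find(";")) if p > 0]
    if not positions:
        return None
    cut = min(positions)
    email, password = line[:cut].strip(), line[cut + 1:]
    if "@" not in email or not password:
        return None
    return email, password

def count_collection(lines):
    """Count rows, unique pairs, unique emails and unique passwords."""
    rows = skipped = 0
    pairs, emails, passwords = set(), set(), set()
    for line in lines:
        record = split_record(line)
        if record is None:
            skipped += 1
            continue
        rows += 1
        email, password = record
        key = email.casefold()       # email address: not case sensitive
        emails.add(key)
        passwords.add(password)      # password: case sensitive
        pairs.add((key, password))
    return Stats(rows, len(pairs), len(emails), len(passwords), skipped)

if __name__ == "__main__":
    print(count_collection(SAMPLE.splitlines()))
```

The gap between rows and unique pairs comes from the same credential appearing in several source files, and the gap between unique pairs and unique emails from one address appearing with several passwords.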


Post reserved for when "Collection #2" drops

/s

 

Update 30/1/2019:

Collection #2 has been documented. 

Thanks to @rcmaehl for posting

Edited by Spotty


HOLY $H!T - A huge breach has happened, Have you been affected?

✨FNIGE✨


That's a data breach and a half, ouch.

¯\_(ツ)_/¯

 

 

Desktop:

Intel Core i7-11700K | Noctua NH-D15S chromax.black | ASUS ROG Strix Z590-E Gaming WiFi  | 32 GB G.SKILL TridentZ 3200 MHz | ASUS TUF Gaming RTX 3080 | 1TB Samsung 980 Pro M.2 PCIe 4.0 SSD | 2TB WD Blue M.2 SATA SSD | Seasonic Focus GX-850 Fractal Design Meshify C Windows 10 Pro

 

Laptop:

HP Omen 15 | AMD Ryzen 7 5800H | 16 GB 3200 MHz | Nvidia RTX 3060 | 1 TB WD Black PCIe 3.0 SSD | 512 GB Micron PCIe 3.0 SSD | Windows 11


How the fuck does this shit happen? Like, legit. That's a fuck ton of websites. Do they all share the same provider or something? There's so much to scroll through, I honestly wonder if I'm affected..


My two "trash emails" that I use for every website that makes me create an account have been pwnd 2 and 3 times respectively.

 

At least my personal email - the only important one - is left unscathed

Fan Comparisons          F@H          PCPartPicker         Analysis of Market Trends (Coming soon? Never? Who knows!)

Designing a mITX case. Working on aluminum prototypes.

Open for intern / part-time. Good at maths, CAD and airflow stuff. Dabbled with Python.

Please fill out this form! It helps a ton! https://linustechtips.com/main/topic/841400-the-poll-to-end-all-polls-poll/


Just now, Imbellis said:

My two "trash emails" that I use for every website that makes me create an account have been pwnd 2 and 3 times respectively.

 

At least my personal email is left unscathed.

I have 5.

 

All on meaningless sites.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


Jesus Christ! This is from my Outlook account.

image.png.c5f327147d1a7fed79c27c1b9f709cf2.png

There is more that meets the eye
I see the soul that is inside

 

 


15 minutes ago, captain_to_fire said:

Jesus Christ! This is from my Outlook account.

image.png.c5f327147d1a7fed79c27c1b9f709cf2.png

Holy fuck. Strangely, I haven't seen that on mine yet. I wonder if I will?


3 minutes ago, TempestCatto said:

Holy fuck. Strangely, I haven't seen that on mine yet. I wonder if I will?

It looks like it's only my outlook email address that was being posted everywhere. I checked my password and it's not yet breached. No wonder I've been receiving a lot of spam emails claiming that my PayPal payment is overdue or that there's a problem processing my Apple ID. What's worse is that it seems to find ways to bypass Outlook's spam filters and manages to reach my Inbox.


37 minutes ago, captain_to_fire said:

Jesus Christ! This is from my Outlook account.

Only 2 breaches? Those are rookie numbers. This is one of my old Live accounts.

 

image.thumb.png.56d6f30072d44e9a9806d3eac4cb5c8a.png

 

Thankfully that email address is non-essential and is used just for crap that I don't want to give my personal email address to. Already knew about the others and passwords have been changed multiple times since, but looks like this new Collection #1 is there as well so I may as well just retire the email address and make a couple of new addresses for crappy sites I don't care about. Would be curious to see which website(s) were breached in Collection #1 that are using that email address. Time to scroll through the 2000+ websites in the collection to see if I recognise any.


luckily none of my emails have been breached. my password has been pwned before but i don't want to change it. it's way too memorable and i'm so used to typing it out.


I love this site. It's great. Almost every time someone gets hacked and I put their email address in this website it 99% of the time shows them something they had no idea about.

"If a Lobster is a fish because it moves by jumping, then a kangaroo is a bird" - Admiral Paulo de Castro Moreira da Silva

"There is nothing more difficult than fixing something that isn't all the way broken yet." - Author Unknown

Spoiler

Intel Core i7-3960X @ 4.6 GHz - Asus P9X79WS/IPMI - 12GB DDR3-1600 quad-channel - EVGA GTX 1080ti SC - Fractal Design Define R5 - 500GB Crucial MX200 - NH-D15 - Logitech G710+ - Mionix Naos 7000 - Sennheiser PC350 w/Topping VX-1


goddamn it, my main email address was in collection #1.....time to change all my goddamn passwords AGAIN

🌲🌲🌲

 

 

 

◒ ◒ 


12 minutes ago, valdyrgramr said:

Apparently, my primary gmail got that too.  However, the current password isn't pwned nor are any of the ones I mainly use for other sites.  So, I guess I'm fine?

Could be an older password they got. No idea how old the data in this collection - or any of the other breaches - actually is. This is why it's strongly recommended to change passwords on a regular basis.

If your primary account has been listed, then expect it to be picked up by spammers/scammers fairly soon if it hasn't already. Once that happens I ditch an account immediately. Thankfully one of my primary email accounts made almost 10 years ago hasn't been picked up anywhere and I've never received spam or phishing emails to that account. That above @Live account with half a dozen breaches on the other hand gets dozens of spam emails and phishing attempts daily. Microsoft/Live is absolutely completely useless at filtering out any spam. The only time I log in to check that account these days is if I'm moving a service away from that email address and I need to confirm via an email. Ironically those email change or password change confirmation emails often end up in the spam folder but the "Do you want to make your dick bigger" spam does not.


I'm shocked that my professional email and normal email addresses haven't been breached.

Too bad I can't say the same for my YouTube account's email; that data was breached all the way back in 2016, apparently.

Check out my guide on how to scan cover art here!

Local asshole and 6th generation console enthusiast.


Just now, valdyrgramr said:

I think it's only pwned passwords that need to be changed.

Just because it hasn't been reported to haveibeenpwned, does not mean it's secure.
It's still good practice to change passwords on a regular basis, and events like this are a good motivator/reminder to people to update their passwords. Also be sure not to use the same password across multiple services. Password managers such as LastPass can help you keep track of passwords across multiple sites.


7 minutes ago, valdyrgramr said:

Use the password pwn thing.  Only those ones need to be changed.

aren't the others listed separately to the collection #1 their own breaches? collection #1 is "thousands of websites"

 

though the listing on my email is currently "unverified"


Just a friendly reminder: this is why you use two-factor authentication on everything. Also try not to have app or SMS based ones; those are compromised. Only use USB keys if you can, otherwise use app based, then as a last resort use SMS (SMS is better than nothing at all but still crappy).


Well, just skimmed through the pastebin list of websites affected twice and I can't see any websites that I recognise or might have used. Each website listing has a date next to it, presumably when the data was harvested. Looks like the vast majority was collected between 2017 and June 2018.


My status is the same as it's been for a while: 3 breaches, all related to services I've used on email, but green PWs. Probably because you won't find mine in any password dictionary.


It's telling me something I know...

Screenshot 2019-01-16 at 9.01.47 PM.png

8086k

aorus pro z390

noctua nh-d15s chromax w black cover

evga 3070 ultra

samsung 128gb, adata swordfish 1tb, wd blue 1tb

seasonic 620w dogballs psu

 

 


2 hours ago, captain_to_fire said:

Jesus Christ! This is from my Outlook account.

 

Very cute!

 

998496100_ScreenShot2019-01-17at6_03_19PM.thumb.png.ec7ec63b41b971a580a35004ad7c465d.png


Just now, RorzNZ said:

Very cute!

 

998496100_ScreenShot2019-01-17at6_03_19PM.thumb.png.ec7ec63b41b971a580a35004ad7c465d.png

yo holy shit I only had 3 breaches at the most


Just now, mxk. said:

yo holy shit I only had 3 breaches at the most

It's all good, I don't use it anymore. Someone used it to send spam to my contacts in 2014 and I shut it down. Nothing I can do about it, as they didn't log in and it was spoofed.
