A massive collection of exposed data, consisting mostly of email addresses and passwords, has been discovered. The discovery, which may be the mother of all data breaches, is a collection of 772,904,991 unique emails and 21,222,975 unique passwords.
Dubbed “Collection #1” by Hunt, it is a set of email addresses and passwords typically consisting of different individual data leaks retrieved from thousands of sources.
Without any clean-up, the collection consists of over 2 billion rows of email addresses and passwords.
On his blog, Hunt states that there are a total of 1,160,253,228 unique combinations of email addresses and passwords when passwords are treated as case sensitive.
The data breach was brought to Hunt’s attention by multiple people who directed him to the collection on the cloud service MEGA.
The data, estimated to make up more than 87GB, was contained in a folder also named Collection #1, spread across 12,000 separate folders.
The data has since been removed by MEGA, but Hunt discovered a hacking forum where the data was being distributed after he was directed to the site by one of his contacts.
So what next after such a breach? The first important move is to confirm if email addresses and passwords have been compromised.
You can do so by visiting Have I Been Pwned (HIBP) and typing in your email address or password to see whether it was impacted by the breach.
The site, which is maintained by Hunt, has already been updated with data from the Collection #1 breach.
What Are the Risks?
The severity of the breach cannot yet be quantified, but it is a notably serious breach. Hunt alleges that the data was assembled for credential stuffing, in which a hacker uses the exposed email and password pairs to fraudulently gain access to accounts through automated injection.
According to Hunt, some of the email addresses and passwords in the collection are not new.
He states that some of them already exist in his database and estimates that 140 million email accounts, as well as over 10 million unique passwords, are new to the database.
Fortunately, the breach does not appear to have impacted sensitive data such as social security numbers or credit card credentials.
Regardless, he states that the passwords in Collection #1 were not cryptographically hashed but were predominantly in plain text.
This means that the data could be publicly used by anyone—no hacking skills required, increasing the risk exposure.
Furthermore, the data could be accessed for free on the clearnet and not from any dark web marketplace or forum.
More Data Expected from Other Subsequent Collections
According to analysis from security reporter Brian Krebs, Collection #1 is one of seven batches.
The rest are being sold by an individual who calls himself Sanixer on social network Telegram.
The seller also states that the data from Collection #1 is at least two to three years old and that data from the other batches is less than a year old.
Anyone impacted by the breach, notably anyone whose password was found in HIBP’s Pwned Passwords database, is strongly advised to change that password and use a different, unique password for each affected account.
Experts like Hunt discourage the reuse of passwords and recommend using a dedicated password manager to help secure your password for each different account.
Additionally, enabling the two-factor authentication option on your accounts is a further step toward securing them.
However, if you weren’t impacted by the breach, that doesn’t mean your data isn’t out there.
You are advised to take the same measures to secure your credentials and accounts. Data breaches are presently growing in frequency and severity.
The data mostly ends up on the dark web, where it’s auctioned to the highest bidder. It is then used in criminal activities such as phishing, blackmail and other cyberattacks.
Research has shown that there are indicators to look out for in case of a data breach or leak, especially on the dark web.