Over 770 million email addresses shared online in largest data breach in history

17 Jan, 2019 13:14

A security researcher has blown the lid off the largest data breach in history as over 770 million emails and 21 million unique passwords have been exposed, eclipsing the Equifax and Yahoo hacks by a significant margin.

The breach is being dubbed ‘Collection #1’ and contains a raw data set of email addresses and passwords totalling 2,692,818,238 rows from potentially thousands of different sources, according to digital security expert Troy Hunt.

In total, there are 1,160,253,228 unique combinations of email addresses and passwords contained within over 12,000 separate files, constituting a truly staggering 87GB of data (for context, this is raw text, not 4K video).


In terms of sheer volume, it is being considered the largest data breach in history, second only to Yahoo's high-profile cyber security gaffes, which affected billions of users, though it is an aggregate of potentially hundreds if not thousands of breaches.

“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt told WIRED. “There’s no obvious patterns, just maximum exposure.”

The breach contains previously hashed passwords that have been “dehashed”, or cracked and converted back to plain text, and includes files allegedly from as early as 2008. The information wasn't even for sale but was merely dumped on MEGA and subsequently on a popular hacking forum, free for anyone with scroll and click capabilities to review.

As a result, there is a greatly increased risk of so-called credential-stuffing attacks, in which hackers spam websites with various combinations of emails and passwords. The services at risk include, but are not limited to, Netflix, Facebook and other social media accounts, and other online services. The breach doesn't appear to contain social security or credit card data.

Hunt recommends checking your email addresses on the free service provided by Have I Been Pwned.

If you are included in the breach, which is extremely likely, he recommends using a password manager or even going old school and employing *gasp* a pen and paper to store your passwords offline. Hack that!

“It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web,” Hunt wrote in his blog post on the breach.

A lucky few are claiming to have escaped the breach, but the odds are not in your favor.
