773 Million Email Addresses and 21 Million Exclusive Passwords Listed for Sale

January 20, 2019


A huge collection of login identifications that includes roughly 773 million electronic mail addresses has been exposed by safety researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and maintains the Have I Been Pwned (HIBP) website, where people can check to see whether their login identifications have been stolen in a data breach.

Hunt discovered the 87GB database on a popular hacking forum. The data was spread through 2,692,818,238 rows and had a total of 1,160,253,228 exclusive combinations of email addresses and passwords, organized into 12,000 files hosted in a root folder named Collection #1 on the Mega cloud service. The data has since been removed from Mega, but it is still promoted for sale on hacking forums.

Hunt deduplicated the database, which decreased the number of exclusive email addresses to 773 million and the files were found to contain 21 million exclusive passwords. The dataset has now been uploaded to the HIBP website so users can check to see if their identifications have been compromised. This is the biggest collection of data that has been uploaded to the site.

The data seems to come from thousands of separate data breaches, a lot of which have earlier been identified and uploaded to the HIBP website; however, about 140 million of the email addresses and about half of the passwords have not earlier been uploaded to the HIBP website and seem to have come from unknown breaches. Hunt believes the data comes from about 2,000 separate breaches, with most of the data relating to breaches between 2008 and 2015.

HIBP has a notification facility that alerts people if their identifications have been discovered. About 2.2 million people have signed up for the facility, and 768,000 of them are now being emailed as their identifications have been found in the new data set.

Hunt notes that the data has been gathered over a long period of time and had been publicized for sale for some time before his discovery, so it is likely that the data is in the hands of a number of individuals and will be used for malevolent purposes such as phishing and credential stuffing attacks.

For most people, the compromised password will be old, so it is likely that it will have already been altered. People who seldom change their passwords must definitely do so now if their email address is present in the database.

When altering a password, consider adding 2-factor verification to the account as an additional defense in case your credentials are compromised in another data breach in the future. It will help to make sure that your account cannot be easily accessed by unauthorized people.