The largest collection of breached data ever has been discovered, including more than 770 email addresses and passwords posted to a popular hacking forum in mid-December.
The 87 GB data set was discovered by security researcher Troy Hunt, who runs a breach notification service. Hunt, who called the upload "Collection #1", said it was probably "composed of many individual data violations from thousands of different sources," rather than representing a single hack of a very large service.
However, the work of combining those breaches has led to a huge collection. "In total, there are 1,160,253,228 unique combinations of email addresses and passwords," Hunt writes, and "21,222,975 unique passwords." While most of the email addresses had appeared in previously uncovered breaches shared between hackers, such as the 360m MySpace accounts hacked in 2008 or the 164m LinkedIn accounts hacked in 2016, the researcher says "there is somewhere in the order of 140m e-mail addresses in this violation that HIBP has never seen before." These email addresses could come from one large undisclosed data breach, from many others, or from a combination of the two.
Security experts say the discovery of Collection #1 highlights the need for users to use password managers, such as 1Password or LastPass, to store a random, unique password for each service they use. "She is quite a little girl not to have had an email address or other personal information infringed over the last decade," says Jake Moore, an IT security expert at ESET UK.
"If you are one of those people who think it will not happen to you, then it probably already has. Password management applications are now widely accepted and are much easier to integrate into other platforms than before. They help you generate a completely random password for all your different sites and applications, and if you are asking about a password manager's security, they are incredibly safer to use than reusing the same three passwords for all your sites."
Hunt warns that the primary use for such a data set is "credential stuffing", which takes advantage of exactly the password reuse that password managers are designed to prevent. "People take lists like these that contain our email addresses and passwords, then try to see where else they work.
"The success of this approach is based on the fact that people re-use the same credentials across multiple services. Maybe your personal data is on this list because you signed up for a forum many years ago that you have long forgotten, but because it was later violated and you used the same password everywhere, you have a serious problem."