More than 770 million email addresses and usernames and 20 million passwords have been compromised as part of the “single largest breach” that Australian cybersecurity expert Troy Hunt has ever seen.
Hunt revealed the huge data dump on his website, Have I Been Pwned, late last week after finding Collection #1 – an 87GB collection of email addresses and hashed and plaintext passwords – on the popular cloud storage service MEGA.
The files include nearly 773 million unique email addresses and more than 21 million unique passwords, making it the “single largest breach ever to be loaded into Have I Been Pwned”.
Have I Been Pwned is a website where you can type in an email address to see whether it has been compromised in a breach.
Hunt said that the data was being discussed on a popular hacking forum, increasing the risk that it has been accessed by potential hackers.
“The data was in broad circulation based on the number of people that contacted me privately about it and the fact that it was published to a well-known public forum,” Hunt wrote on his website.
“In terms of the risk this presents, more people with the data obviously increases the likelihood that it’ll be used for malicious purposes.”
Hunt’s own information was included in the huge data breach.
“My own personal data is in there and it’s accurate; right email address and a password I used many years ago,” he said.
“Like many of you reading this, I’ve been in multiple data breaches before which have resulted in my email addresses and, yes, my passwords, circulating in public. I still feel the same sense of dismay that many people reading this will when I see them pop up again.”
The collection appears to be a collation of past data breaches, and could be used for “credential stuffing” - a hacking technique in which a list of known username and password pairs is tried automatically against other platforms, relying on people having reused the same password across sites.
While the Have I Been Pwned platform does not store passwords that are included in breaches, you can use the service to check if your email was included in the latest breach. The accompanying Pwned Passwords service can be used to see how many times your password has been included in a breach.
“Whilst I can’t tell you precisely what password was against your own record in the breach, I can tell you if any password you’re interested in has appeared in previous breaches Pwned Passwords has indexed,” Hunt said.
“If one of yours shows up there, you really want to stop using it on any service you care about.”
The Australian Cyber Security Centre issued a warning about the breach last week, advising Australians to use a strong password that isn’t reused across sites, to change any password that is used on multiple sites, and to use multi-factor authentication for an added layer of security.
These recommendations reiterated those from Hunt, who also advised people to use a password manager to act as a “secure vault for passwords to be stored”.
“My hope is that for many, this will be the prompt they need to make an important change to their online security posture,” Hunt said.
“And if you find yourself in this data and don’t feel there’s any value in knowing about it, ignore it. For everyone else, let’s move on and establish the risk this presents then talk about fixes.”