Hundreds of millions of email addresses exposed in data breach
Published On: January 17, 2019
More than 770 million email addresses, as well as millions of passwords, have been leaked online after being posted to a hacker's forum.
The trove of data, known as Collection-1, does not come from a single source, but rather appears to be a collated database that includes credentials pulled from multiple previous breaches.
It was first reported by security researcher Troy Hunt, who said that in total, there were over a billion unique combinations of addresses and passwords in the document, which included 772,904,991 unique email addresses and 21,222,975 unique passwords.
He told Wired that there is no obvious pattern to the data, which claims to have been drawn from more than 2,000 breached databases, but rather the goal is to generate the most potential for hackers using brute force attacks.
"It just looks like a completely random collection of sites purely to maximise the number of credentials available to hackers," he said.
The list appears to have been intended for use in 'credential stuffing' attacks, where hackers use automated programs to test out many email and password combinations on a service until they find a valid login.
People who reuse the same email and password combinations across multiple sites are particularly vulnerable to this type of attack, as it may only take one service suffering a data breach to potentially expose many of their logins.
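From the defending service's side, credential stuffing leaves a recognisable trace in login records: one source touches many different accounts, makes very few attempts against each, and mostly fails. The following is an added example, not part of the original article; the log format, the thresholds and the function names are assumptions, and the events are constructed.

```python
from collections import defaultdict

def build_sample_events():
    """Constructed auth-log sample (not real data): (source_ip, username, outcome)."""
    # One source tries six different accounts once each; one reused password works.
    events = [("203.0.113.7", f"user{i}@example.com", "fail") for i in range(1, 6)]
    events.append(("203.0.113.7", "user6@example.com", "success"))
    # A different pattern: one source guessing repeatedly at a single account.
    events += [("198.51.100.9", "admin@example.com", "fail")] * 8
    # An ordinary user who mistypes once, then logs in.
    events += [("192.0.2.10", "user2@example.com", "fail"),
               ("192.0.2.10", "user2@example.com", "success")]
    return events

def flag_stuffing_sources(events, min_accounts=5, max_tries_per_account=2.0,
                          min_fail_ratio=0.8):
    """Flag sources that hit many accounts, few times each, and mostly fail.

    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    # ip -> username -> [attempts, failures]
    per_source = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ip, user, outcome in events:
        stats = per_source[ip][user.lower()]
        stats[0] += 1
        stats[1] += outcome == "fail"

    flagged = {}
    for ip, users in per_source.items():
        attempts = sum(a for a, _ in users.values())
        failures = sum(f for _, f in users.values())
        if (len(users) >= min_accounts
                and attempts / len(users) <= max_tries_per_account
                and failures / attempts >= min_fail_ratio):
            flagged[ip] = {
                "accounts": len(users),
                "attempts": attempts,
                # Accounts where the tested credential worked: force a reset.
                "accounts_to_reset": sorted(
                    u for u, (a, f) in users.items() if f < a),
            }
    return flagged

if __name__ == "__main__":
    for ip, summary in flag_stuffing_sources(build_sample_events()).items():
        print(ip, summary)
```

Grouping by source IP alone is a simplification made for this example; attempts spread across many addresses would need the same counting applied to another key.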
In many cases, individuals may not realise how easy it can be to gain access to older credentials and reuse them.
"Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because it's subsequently been breached and you've been using that same password all over the place, you've got a serious problem," Mr Hunt said.
He also noted it is concerning that there are so many plain text passwords included in the database, which suggests many businesses are still not doing enough to protect the sensitive data they hold on customers. Basic measures such as password hashing ensure that even if databases are breached, hackers will find it very difficult to use any password data they acquire.