Huge data breach reveals hundreds of millions of emails and passwords from across the internet

Logins were made easily available for anyone to download

Andrew Griffin@_andrew_griffin
Thursday 17 January 2019 10:41
Huge data breach reveals hundreds of millions of emails and passwords from across the internet

Hundreds of millions of email addresses and passwords have been posted online for anyone to download.

Nearly 800 million logins are in the huge dump which contains information from thousands of data breaches.

The stolen details are likely to be in use for years as hackers attempt to take over affected users accounts.

Cybersecurity expert Troy Hunt said a list of more than 2.6 billion records containing around 773 million unique email addresses and more than 21 million unique passwords was being shared on a "popular hacking forum".

Mr Hunt said his initial analysis of the data, which has been dubbed Collection £1, found it had been compiled from more than 2,000 different data breaches and hacked databases or websites, confirming some of his own personal information had also appeared in the lists.

The database did not appear to contain any more sensitive information - such personal finance information and credit card details, he said.

Mr Hunt claimed his research on the list suggested around 140 million of the email addresses had not appeared in previous breaches and were therefore newly exposed details.

He warned the lists could be used by hackers to carry out "credential stuffing" attacks, where hackers take lists of usernames and passwords and enter them on a range of other platforms to try and force access to different user accounts.

"In other words, people take lists like these that contain our email addresses and passwords then they attempt to see where else they work," he said.

"The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because its subsequently been breached and you've been using that same password all over the place, you've got a serious problem."

The security expert called on people to check the website Have I Been Pwned, a data breach monitoring website which can tell users if any email address they use has ever been compromised in a hack, and to change any passwords linked to exposed accounts.

"If you're reusing the same password(s) across services, go and get a password manager and start using strong, unique ones across all accounts. Also turn on 2-factor authentication wherever it's available," he said.

The database and its contents - though mostly a collection of data from other incidents - could be considered one of the largest data breaches ever, exceeding the 500 million accounts affected by a Marriott breach that was confirmed in December, but far less than the three billion accounts hit by a breach on Yahoo in 2013.

Additional reporting by Press Association

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments