Hundreds of millions of email addresses exposed in data breach

A security researcher has uncovered a trove of over a billion combinations of email addresses and passwords being shared on a hacker's forum.

More than 770 million email addresses, as well as millions of passwords, have been leaked online after being posted to a hacker's forum.

The trove of data, known as Collection-1, does not come from a single source, but rather appears to be a collated database that includes credentials pulled from multiple previous breaches.

It was first reported by security researcher Troy Hunt, who said that in total, there were over a billion unique combinations of addresses and passwords in the document, which included 772,904,991 unique email addresses and 21,222,975 unique passwords.

He told Wired that there is no obvious pattern to the data, which claims to have been drawn from more than 2,000 breached databases. Rather, the goal is to generate the most potential for hackers using brute force attacks.

"It just looks like a completely random collection of sites purely to maximise the number of credentials available to hackers," he said. 

The list appears to have been intended for use in 'credential stuffing' attacks, where hackers use automated programs to test out many email and password combinations on a service until they find a valid login.

People who reuse the same email and password combinations across multiple sites are particularly vulnerable to this type of attack, as it may only take one service suffering a data breach to potentially expose many of their logins.

In many cases, individuals may not realise how easy it can be to gain access to older credentials and reuse them.

"Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because it's subsequently been breached and you've been using that same password all over the place, you've got a serious problem," Mr Hunt said.

He also noted it is concerning that there are so many plain text passwords included in the database. This suggests many businesses are still not doing enough to protect the sensitive data they hold on customers by undertaking basic measures such as hashing passwords, which ensures that even if databases are breached, hackers will find it very difficult to use any password data they acquire.
