Collection #1 Repository Totals 87GB of Stolen Email Addresses & Passwords

  /     /     /  
Publicated : 23/11/2024   Category : security


Collection #1 Repository Totals 87GB of Stolen Email Addresses & Passwords


With the discovery of Collection #1, security researcher Troy Hunt appears to have found the largest repository of stolen email addresses and passwords ever, totaling more than 87GB and 12,000 separate files.



There are massive data breaches and then there is Collection #1.
On January 17, security researcher Troy Hunt, who runs the popular
Have I Been Pwned
website, detailed the discovery of 12,000 separate files that held more than 87GB of stolen personal data, which he dubbed Collection #1. The name comes from a root folder where the data had been stored.
These thousands of files, which were found on the New Zealand-based MEGA cloud hosting service, contained 772,904,991 unique email addresses, along with 21,222,975 passwords. If all the numbers pan out -- there are 1,160,253,228 unique combinations all together -- this is the largest collection of stolen personal data ever found.
What I can say is that my own personal data is in there and its accurate; right email address and a password I used many years ago, Hunt wrote in
Thursdays blog post
. Like many of you reading this, Ive been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public.
A list of stolen passwords from a hacking forum

(Source:
Troy Hunt
)
Hunt noted much of the data was found on a hacking forum, where it was being socialized. Many of the passwords had been de-encrypted and converted to plain text.
It appears all this data was being used, or could be used, for credential stuffing attacks, a brute-force method used to guess passwords and further hijack other accounts using this personal information.
The discovery of this repository of stolen data is likely to respark debates about how passwords are used, how often users should change them and if theres any point anymore in using passwords to keep data secure. (See
Microsoft Looks to End the Era of Security Passwords
.)
Terence Jackson, CISO of
Thycotic
, a security vendor that provides privileged access management (PAM) tools, noted in an email that both individual consumers, as well as enterprises, should take notice of Collection #1 since so many people repeatedly re-use passwords.
This highlights the importance of password management and consumer education in that regard, Jackson told Security Now. He added:

Many people still use the same passwords across sites for personal and business purposes because its convenient until something like this happens and its back in the headlines. Using unique passwords on each site isnt a magic bullet, but the goal here is to limit the damage that could be done in a credential stuffing or brute force type attack. As a CISO, this type of attack would concern me because employees often use their corporate emails to sign up for services and often use the same passwords.

Although the data has been removed from MEGA, combinations of passwords and email addresses can still be in someone elses hands. Hunts site offers services where users can check to see if their passwords have been exposed.
In an email, Raj Samani, chief scientist at McAfee, urged anyone who thinks their email address or password may have been compromised to reset passwords and to look into using a password manager.
People need to act fast and defend themselves, Samani wrote. With such a high volume of personal data being discovered, nobody can assume they haven’t been caught up in this. Passwords need to be changed immediately. If you have the same password across any account, device or app you need to make every single one unique, strong and never re-use it again. A password manager is a great option if you want to do this quickly.
Related posts:
Phishing Emails, Trojans Continued to Proliferate in Q3 – Report
Citrix: Password Reset Necessary to Stop Credential Stuffing Attack
Quora Breach Hits 100M User Accounts Containing Highly Personal Data
HSBC Data Breach Shows Failure to Protect Passwords & Access Controls
— Scott Ferguson is the managing editor of Light Reading and the editor of
Security Now
. Follow him on Twitter
@sferguson_LR
.

Last News

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security

▸ 27 Million South Koreans Hit by Online Gaming Theft. ◂
Discovered: 23/12/2024
Category: security

▸ Homeland Security Background Checks Breach Raises Concerns. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Collection #1 Repository Totals 87GB of Stolen Email Addresses & Passwords