Nearly 773 million email addresses leaked, spelling trouble for people who re-use passwords
The numbers just seem to keep getting bigger.
Nearly 773 million email addresses and almost 22 million unique passwords were discovered on the cloud storage service MEGA, researcher Troy Hunt announced in a blog post Thursday. The 87-gigabyte database is spread across 12,000 files and appears to have originated from many different sources dating back to 2008, Hunt said.
Some 140 million email addresses and 10 million passwords are new to Hunt’s Have I Been Pwned website, the free service that tracks whether user credentials have been made available in data dumps. Users can enter their email address in the Have I Been Pwned service to check if their information was included.
The data, since removed, is known as Collection #1.
“What I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago,” Hunt wrote. “In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.”
Huge leaks of emails, passwords and other data are never far from the news these days. In November, personal information about 57 million Americans was found exposed on the open internet. In December, website Quora said hackers took data on 100 million users, and a Brazilian taxpayer database was found to have exposed 125 million records. Last year’s infamous Marriott breach affected a half-billion accounts.
Hunt said multiple people alerted him to the existence of Collection #1 last week.
The database gives scammers a valuable new tool for credential stuffing attacks, in which attackers take the username and password pairs leaked in prior data breaches and try them against other sites, counting on users who re-use the same credentials across multiple services.
Collection #1, with its 140 million email addresses not previously seen in Have I Been Pwned, would be especially attractive to scammers.
“The success of this approach is predicated on the fact that people re-use the same credentials on multiple services,” Hunt wrote. “Perhaps your personal data is on this list because you signed up to a forum many years ago that you’ve long since forgotten about, but because it’s subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.”
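The credential stuffing pattern described above has a recognisable footprint on the receiving site: one source tries many different accounts in a short window, most attempts fail, and the occasional success marks an account whose password should be reset. The following detector is an added example written for this article, not code from Hunt or Have I Been Pwned; the log format, the IP addresses, the account names and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-login audit lines (not from any real system):
# "<ISO timestamp> <source ip> <account> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2019-01-17T10:00:01 203.0.113.7 alice LOGIN_FAIL
2019-01-17T10:00:02 203.0.113.7 bob LOGIN_FAIL
2019-01-17T10:00:02 203.0.113.7 carol LOGIN_FAIL
2019-01-17T10:00:03 203.0.113.7 dave LOGIN_OK
2019-01-17T10:00:04 203.0.113.7 erin LOGIN_FAIL
2019-01-17T10:00:05 203.0.113.7 frank LOGIN_FAIL
2019-01-17T10:01:00 198.51.100.9 alice LOGIN_FAIL
2019-01-17T10:01:30 198.51.100.9 alice LOGIN_FAIL
2019-01-17T10:02:00 198.51.100.9 alice LOGIN_OK
"""


def parse(text):
    """Turn the constructed log text into (timestamp, ip, account, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, max_success_rate=0.5):
    """Flag sources that try many distinct accounts in one window with a low success rate.
    Returns {ip: (distinct_accounts, attempts, accounts_that_succeeded)}.
    A single account failing repeatedly (forgotten password, brute force) is deliberately
    not matched: stuffing is characterised by breadth across accounts, not depth on one."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0  # sliding window over this source's events, oldest first
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            accounts = {u for _, u, _ in chunk}
            successes = tuple(sorted(u for _, u, ok in chunk if ok))
            if len(accounts) >= min_accounts and len(successes) / len(chunk) <= max_success_rate:
                flagged[ip] = (len(accounts), len(chunk), successes)  # keep widest window seen
    return flagged
```

The accounts in the third tuple element are the ones an incident responder would force-reset first, since a success inside a stuffing burst means the re-used password was valid here.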