Have I Been Pwned, the breach notification service, has just gotten its hands on its biggest data haul ever—a list that includes almost 773 million unique email addresses and 21 million unique passwords that were used to log in to third-party sites.
According to Have I Been Pwned founder Troy Hunt in a post published Wednesday, the monster list is a compilation of many smaller lists taken from past breaches and has been in wide circulation over the past week. It was also posted to the MEGA file sharing site. At least one of the included breaches dated back to 2015. Dubbed “Collection #1,” the aggregated data was likely scraped together to serve as a master list that hackers could use in credential stuffing attacks. These attacks use automated scripts to inject credentials from one breached website into a different website in hopes the holders reused the same passwords.
The 773 million email addresses and 21 million passwords easily beat Have I Been Pwned’s previous record breach notification that contained 711 million records. But there are other things that make this latest installment stand out. In all, it contains 1.16 billion email-password combinations. That means that the list covers the same people multiple times, but in many cases with different passwords. Also significant: the list—contained in 12,000 separate files that take up more than 87 gigabytes of disk space—has 2.69 billion rows, many of which contain duplicate entries that Hunt had to clean up.
About 663 million of the addresses have been listed in previous Have I Been Pwned notifications, meaning 140 million of the addresses have never been seen by the service before. Hunt said that some of his own credentials were included in Wednesday’s notification, although none were currently in use. Have I Been Pwned has now begun emailing more than 768,000 individuals who signed up for notifications and nearly 40,000 people who monitor domains.
“People will receive notifications or browse to the site and find themselves there and it will be one more little reminder about how our personal data is misused,” Hunt wrote. “If—like me—you’re in that list, people who are intent on breaking into your online accounts are circulating it between themselves and looking to take advantage of any shortcuts you may be taking with your online security.”
The most effective thing people can do to secure their online accounts is to ensure that each one is protected by a long, randomly generated password that’s unique to each account. For most people, this means using a reputable password manager. The second most important thing people can do is to use multi-factor authentication on every site that allows it.
