A cyber security researcher has discovered the largest ever collection of leaked data, an 87GB package of 12,000 files, including more than 772 million email addresses and 21 million passwords.
Troy Hunt, who runs the Have I Been Pwned website, found the trove after he was informed by contacts that it had been dumped on cloud service MEGA – which has since removed the data – and on a popular hacking forum.
He said that the data was a combination of numerous different data breaches, which had been assembled for use in credential stuffing, a cyber attack that automatically tests combinations of email addresses and passwords to hijack accounts on other services. He dubbed the data dump “Collection #1”.
“This particular set of stolen data seems to come from nearly 3,000 different websites from all over the globe,” said Dan Pitman, principal security architect at Alert Logic. “In this day and age, everyone needs to make the assumption that their email is in a list that attackers have access to; unless you created it today, probably.
“Hackers use these lists for many purposes from credential stuffing to identity theft. For the latter, the more data they have the more likely they can match details together from different lists to build up a profile.
“The more cracked passwords in their database, the more likely they are to be able to match those to the hashes from other hacks and find a combination that works to access a system; this is the essentials of credential stuffing.”