Some 773M email addresses have been exposed by hackers in what is the largest ever breach. Alongside the email addresses are 21M passwords …
Security professional and Microsoft Regional Director Troy Hunt said that the collection of email addresses and passwords comes from thousands of different sources, and the raw numbers were even higher before he started de-duping and cleaning up the data to find out what hackers had actually obtained.
Let’s start with the raw numbers because that’s the headline, then I’ll drill down into where it’s from and what it’s composed of. Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources […]
In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don’t always neatly format their data dumps into an easily consumable fashion […]
The unique email addresses totalled 772,904,991 [and] 21,222,975 unique passwords.
Many of the passwords were not stored in plain text but had been hashed with weak algorithms, which has allowed them to be cracked.
Hunt told Wired that although the individual hacks that generated the data were smaller, the aggregated data represents the largest volume ever seen.
“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt tells WIRED. “There’s no obvious patterns, just maximum exposure.”
That sort of Voltron breach has happened before, but never on this scale. In fact, not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents—which affected 1 billion and 3 billion users, respectively—in size. Fortunately, the stolen Yahoo data hasn’t surfaced. Yet.
The data has been loaded into Have I Been Pwned, so you can check whether it includes you by searching for your email address there.
If your email address is found, you should be extra vigilant for phishing attacks. Never click a login link in an email you weren’t expecting, even if it looks legitimate – always type a known valid URL yourself or use your own bookmarks.
The usual security advice also applies: always use strong, unique passwords for every website, and always opt for two-factor authentication when it is offered.
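Alongside the email search the article points to, Have I Been Pwned also offers a Pwned Passwords range API that lets you check a password against the breach corpus without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the returned suffixes locally. The following is an added example (not code from the article or from Have I Been Pwned) of that client-side logic; the range response is constructed offline, with the real SHA-1 tail of "password" but a made-up count.

```python
import hashlib

# Constructed sample of a range response: one "SUFFIX:COUNT" line per leaked
# hash that shares the queried 5-character prefix (here 5BAA6). The second
# suffix is the real SHA-1 tail of "password"; all counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2AAA439A3E3F9E7F6B2D2A8F0B5F0F0F1:1
"""

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_query_url(prefix: str) -> str:
    """URL for the k-anonymity lookup; only the prefix leaves the machine."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError(f"prefix must be 5 upper-case hex chars: {prefix!r}")
    return RANGE_API + prefix


def parse_range_response(text: str) -> dict[str, int]:
    """Parse SUFFIX:COUNT lines, rejecting anything that is not well-formed
    so a truncated or tampered response cannot silently report 0 matches."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_response: str) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    range_response must be the reply for this password's own prefix."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_response).get(suffix, 0)
```

A non-zero count means the password is already in attackers' hands and should be replaced; a zero count only says it is absent from the corpus, not that it is strong.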