Skip to main content

PSA: 773M email addresses and 21M passwords exposed by hackers, check yours here

Some 773M email addresses have been exposed by hackers in what is the largest ever breach. Alongside the email addresses are 21M passwords …

Security professional and Microsoft Regional Director Troy Hunt said that the collection of email addresses and passwords comes from thousands of different sources, and the raw numbers were even higher before he started de-duping and cleaning up the data to find out what hackers had actually obtained.

Let’s start with the raw numbers because that’s the headline, then I’ll drill down into where it’s from and what it’s composed of. Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources […]

In total, there are 1,160,253,228 unique combinations of email addresses and passwords. This is when treating the password as case sensitive but the email address as not case sensitive. This also includes some junk because hackers being hackers, they don’t always neatly format their data dumps into an easily consumable fashion […]

The unique email addresses totalled 772,904,991 [and] 21,222,975 unique passwords.

Many of the passwords were encrypted, but using weak hashes which has enabled them to be cracked.

Hunt told Wired that although the individual hacks that generated the data were smaller, the aggregated data represents the largest volume ever seen.

“It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers,” Hunt tells WIRED. “There’s no obvious patterns, just maximum exposure.”

That sort of Voltron breach has happened before, but never on this scale. In fact, not only is this the largest breach to become public, it’s second only to Yahoo’s pair of incidents—which affected 1 billion and 3 billion users, respectively—in size. Fortunately, the stolen Yahoo data hasn’t surfaced. Yet.

The data has been loaded into Have I Been Pwned, so you can check whether it includes you by searching for your email address there.

If your email address is found, you should be extra vigilant for phishing attacks. Never click a login link in an email you weren’t expecting, even if it looks legitimate – always type a known valid URL yourself or use your own bookmarks.

The usual security advice also applies: always use strong, unique passwords for every website, and always opt for two-factor authentication when it is offered.

Photo: Shutterstock


Check out 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications