
Over a billion email and password combos leaked in data breach

Published on: 25 Jan 2019

Hundreds of millions of people around the world may have had their email addresses exposed to cybercriminals after a huge trove of records was discovered being shared on a hacker forum.

The list features over a billion email address and password combinations, which include 772,904,991 unique email addresses and 21,222,975 unique passwords. In total, the cache, known as Collection-1, contains 12,000 files and 87GB of data.

Security researcher Troy Hunt, who first reported the list, explained that rather than being from a single source, the database claims to have been compiled from over 2,000 separate data breaches.

The list appears to be intended for use in 'credential stuffing' hacks, a form of brute force attack in which criminals test out many email and password combinations against a service until they find a valid login.

It could particularly affect people who have been reusing the same passwords across multiple sites, as it is easy for hackers to acquire details from less secure sources and try them elsewhere.

"It just looks like a completely random collection of sites purely to maximise the number of credentials available to hackers," Mr Hunt told Wired. "There’s no obvious patterns, just maximum exposure."