#MegaBreachAlert: Over 2 billion emails, passwords found on 'hacking' forum
In a shocking development, Troy Hunt of 'Have I Been Pwned' has found more than two billion emails and passwords online. The raw dataset, containing both encrypted and unencrypted information, appears to have been collated from thousands of different breaches and sources. It was discovered on the cloud service MEGA and is said to be the largest chunk of leaked data ever to go public. Here's more.
Insanely massive trove of data on hacking forum
Last week, Hunt's contacts directed him to an insanely massive trove of data containing 2.7 billion rows of emails and passwords, including over a billion unique combinations. The data, packed in a folder called Collection #1, was on MEGA and continued to be available on a 'popular' hacking forum. The 87GB folder had over 12,000 email-password files in different sub-folders, such as 'EU combos' and 'Shopping combos'.
Even after stripping out unusable bits, data volume stayed high
Even after Hunt's cleaning, the number of unique emails and unhashed, plain-text passwords in Collection #1 remained high. To put this into perspective, Hunt removed unusable bits, hashed passwords, and duplicates, and still found nearly 773 million unique email addresses and over 21 million unique passwords.
But how did this information get leaked?
As Hunt emphasized in the post detailing this discovery, it is difficult to say for sure where all this information came from. The post on the hacking forum referenced "a collection of 2,000+ dehashed databases and Combos stored by topic," he said, suggesting that the information appears to have been collated from several different leaked databases for hackers to use.
Here's what Hunt said on the leak
"It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers," Hunt told WIRED. "There's no obvious patterns, just maximum exposure."
Can hackers use this information?
The humongous trove of emails and passwords posted publicly can be used by hackers to conduct so-called 'credential stuffing' attacks. As part of these attacks, they could throw leaked email and password combinations at different sites or applications to gain access, WIRED reported. The biggest risk from such an attack would be to those who use the same email-password combination across various sites.
How to know if you are affected?
The scale of this breach is alarming, and it is important to check whether your information has been compromised in the incident. The process is very simple: just visit Hunt's Have I Been Pwned website (https://haveibeenpwned.com) and enter your email. You can even enter your password on the site to see whether it has been compromised.