
Massive data dump exposes 770 million email addresses and 21 million passwords

Have you changed your passwords lately? Perhaps you should, or better yet, consider using a password manager. That's the advice of security researcher Troy Hunt who recently spied the largest-ever collection of compromised accounts.

"Last week, multiple people reached out and directed me to a large collection of files on the popular cloud service, MEGA (the data has since been removed from the service). The collection totaled over 12,000 separate files and more than 87GB of data. One of my contacts pointed me to a popular hacking forum where the data was being socialized," Hunt stated in a blog post.

Hunt took it upon himself to sort through nearly 2.7 billion rows of email addresses and passwords, which included "some junk because hackers...don't always neatly format their data dumps into an easily consumable fashion." Nevertheless, he found a staggering number of unique email addresses—nearly 773 million of them, along with over 21 million unique passwords.

To be clear, this is not the result of a single data breach. The collection of data comprises "many different individual data breaches from literally thousands of different sources." Such aggregated dumps are not uncommon, sadly, but Hunt says this one, which he has labeled "Collection #1," is the largest he has ever loaded into his service.

It's likely that not all of the data is accurate, and much of it might even be outdated. Hunt says the process of verifying data breaches is "often a non-trivial exercise." However, he also said he recognized many breaches in that list that he knows to be legitimate, including ones containing his own personal data.

"What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago. Like many of you reading this, I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public," Hunt said.

Hunt runs the "have i been pwned?" website, where users can enter their email address to see if it is known to have been compromised and, if so, in which data breach(es). The site doesn't store any passwords alongside those addresses; he has, however, added a separate tool, Pwned Passwords, that lets you check whether a given password appears in the known breach corpus without the password itself being sent to the site.
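The article does not describe how that password check works, so here is an added example of the technique the Pwned Passwords service uses (this is not code from the article or from Hunt's service): the client hashes the password locally with SHA-1, sends only the first five hex characters of the digest, receives every known hash suffix sharing that prefix, and does the final match on its own machine, so neither the password nor its full hash leaves the client. The sample range response and its counts below are constructed for this example, and the live fetcher assumes the range endpoint URL as documented by the service.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed stand-in for one "range" response from the Pwned Passwords API.
# The real API returns, for a 5-hex-character SHA-1 prefix, every breached
# password hash starting with that prefix as "<35-char suffix>:<count>" lines.
# The first suffix is SHA-1("password"); the counts are made up for this example.
SAMPLE_RANGE_RESPONSES: dict[str, str] = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ]),
}


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password locally and split the hex digest into the 5-char
    prefix that is sent to the service and the 35-char suffix that never is."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping,
    tolerating blank lines, mixed case and malformed junk."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue  # skip malformed lines rather than crash on junk
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Offline lookup against the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")


def fetch_range_live(prefix: str) -> str:
    """Query the real service (assumed endpoint). Only the 5-char prefix
    appears in the URL; the suffix and the password stay local."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range_offline) -> int:
    """Return how many times the password appears in the breach corpus
    (0 if unseen). Swap in fetch_range_live to query the real service."""
    prefix, suffix = split_sha1(password)
    assert len(prefix) == 5  # the only value handed to the fetcher
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n} times, do not use" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

The point of the split is the k-anonymity: a 5-character prefix covers roughly one in a million of all possible SHA-1 values, so the server learns only that the password is one of the several hundred hashes it returns for that bucket, and the caller is still free to reject a password that comes back with any non-zero count.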

Hunt's big takeaway from all this is that it reinforces the notion that people should be using a password manager.

"You have too many passwords to remember, you know they're not meant to be predictable and you also know they're not meant to be reused across different services. If you're in this breach and not already using a dedicated password manager, the best thing you can do right now is go out and get one," Hunt added.

Hunt himself uses 1Password, though there are other options, notably LastPass. Barring a password manager, Hunt recommends going old school and writing down passwords in a notebook.

"It might be contrary to traditional thinking, but writing unique passwords down in a book and keeping them inside your physically locked house is a damn sight better than reusing the same one all over the web," Hunt said.