773 million records with emails & plain text passwords leaked online

Screenshot shows data is available on MEGA (Credit: HIBP)

It’s a whopping 87GB of data – Find out if you are affected by the massive data breach.

Security researcher and founder of Have I Been Pwned, Troy Hunt, has revealed that around 773 million ‘unique’ email IDs and 22 million ‘unique’ passwords were available on the MEGA cloud service. Later on, the same data was found posted on a famous hacking forum, which indicates that hackers have already downloaded their copy.


In his blog post, Hunt wrote that there are nearly 12,000 separate files and over 87GB of data stored in the database dubbed Collection #1. Hunt has uploaded the email IDs on his site, which totaled around 772,904,991 files and 2,692,818,238 rows.


The hackers can use this data to compromise numerous services on different websites through credential stuffing attacks. They can also use bots to test countless email IDs and password combos automatically on a wide range of login pages on various sites.

The concerning part of this incident is that the hacker has already cracked the hashing on the stolen passwords, so they are now easy to use: they are dehashed, that is, available in plain text. It is worth noting that the passwords weren’t cryptographically hashed at the time of hacking.

Hunt wrote in his blog post that Collection #1 contains accurate personal data including his own credentials.

“Right email address and a password I used many years ago. In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see,” wrote Hunt.


Another concerning aspect is that this is another massive data breach and quite different from Yahoo or even Equifax because the credentials aren’t limited to any particular website. Hackers have managed to collect data from multiple services, including 2,000 databases. Hence, this is the “single largest breach ever to be loaded into HIBP,” claims Hunt in his blog.


If you are one of the 2.2 million affected people and use the Have I Been Pwned website, you should have received a notification already because around half of the site’s users (roughly 768,000) are affected by this data breach. If you don’t use the website and want to know if your email ID is part of the breach, just visit the site and type in your email ID and search.

If your email ID is part of this or any other data breach you will know right then and there. To confirm if your password is safe or compromised, check it separately on Pwned Passwords, which is another feature that the website offers.
