Troy Hunt
show image

Collection #1 is the largest database of compromised login details ever seen

The largest ever database of breached login details has been leaked on the dark web, putting hundreds of millions of people at risk of fraud and hacking.

The database, known as Collection #1, was discovered by breach expert Troy Hunt and contains more than 770 million unique email addresses and 21 million unique passwords.

It is believed that a large portion of the data is from previously disclosed attacks and had already been made public. But Hunt said that around 140 million of the email addresses had not previously been disclosed.

“Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows,” he revealed in a blogpost. “It’s made up of many different individual data breaches from literally thousands of different sources.”

It is not clear why the database had been uploaded to dark web forums, but such a move would make it impossible for cyber criminals to sell it on.

Trevor Reschke, head of threat intelligence at Trusted Knight, said data breaches are usually made public “when a team has determined the value of the data is so low it not worth selling anymore – or – a couple of criminals are having a spat and one of them just released the unprotected product they were selling to the entire world eliminating the other criminals’ ability to make money off of it”.

“It is criminals we are talking about,” he added. “They don’t always think rationally, and this would be their only recourse in a deal gone bad.”

Cyber security experts urged web users to check Hunt’s Have I Been Pwned breach notification service to assess whether their data had been compromised.

“The same advice as ever stands,” said Ed Macnair, CEO of CensorNet. “Use unique passwords for different accounts and, for consumers, a password manager to help create and store those details.

He added: “Businesses should also have in place comprehensive security to prevent hacks, alongside additional authentication requirements so that an employee’s identity is guaranteed when they are logging into company resources. It really is about time this message sinks in.”