Huge data breach reveals hundreds of millions of emails and passwords from across the internet

Logins were made easily available for anyone to download

Andrew Griffin
Thursday 17 January 2019 05:41 EST
Comments
Huge data breach reveals hundreds of millions of emails and passwords from across the internet

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Hundreds of millions of email addresses and passwords have been posted online for anyone to download.

Nearly 800 million logins are in the huge dump which contains information from thousands of data breaches.

The stolen details are likely to be in use for years as hackers attempt to take over affected users accounts.

Cybersecurity expert Troy Hunt said a list of more than 2.6 billion records containing around 773 million unique email addresses and more than 21 million unique passwords was being shared on a "popular hacking forum".

Mr Hunt said his initial analysis of the data, which has been dubbed Collection £1, found it had been compiled from more than 2,000 different data breaches and hacked databases or websites, confirming some of his own personal information had also appeared in the lists.

The database did not appear to contain any more sensitive information - such personal finance information and credit card details, he said.

Mr Hunt claimed his research on the list suggested around 140 million of the email addresses had not appeared in previous breaches and were therefore newly exposed details.

He warned the lists could be used by hackers to carry out "credential stuffing" attacks, where hackers take lists of usernames and passwords and enter them on a range of other platforms to try and force access to different user accounts.

"In other words, people take lists like these that contain our email addresses and passwords then they attempt to see where else they work," he said.

"The success of this approach is predicated on the fact that people reuse the same credentials on multiple services. Perhaps your personal data is on this list because you signed up to a forum many years ago you've long since forgotten about, but because its subsequently been breached and you've been using that same password all over the place, you've got a serious problem."

The security expert called on people to check the website Have I Been Pwned, a data breach monitoring website which can tell users if any email address they use has ever been compromised in a hack, and to change any passwords linked to exposed accounts.

"If you're reusing the same password(s) across services, go and get a password manager and start using strong, unique ones across all accounts. Also turn on 2-factor authentication wherever it's available," he said.

The database and its contents - though mostly a collection of data from other incidents - could be considered one of the largest data breaches ever, exceeding the 500 million accounts affected by a Marriott breach that was confirmed in December, but far less than the three billion accounts hit by a breach on Yahoo in 2013.

Additional reporting by Press Association

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in