Security Researchers Discover a Data Dump That Exposed 21M Passwords and 773M Email Addresses
Troy Hunt is an Australian security specialist who runs Have I Been Pwned – the largest, most comprehensive data breach notification service currently in existence. His job is, among other things, to collect emails and passwords that have been stolen during hacking incidents, notify his subscribers if they're affected, and let everyone see if their login credentials have been exposed.
On Sunday, he posted a tweet that caused a bit of a stir among the infosec community.
You know a data breach is big when... pic.twitter.com/rtWMdq0Cpt
— Troy Hunt (@troyhunt) January 13, 2019
For those of you who don't know what he's on about, the screenshot shows that he was processing a large data dump and was trying to figure out how many records were in it. The error stated that the number was too large to be converted into a signed 32-bit integer. In other words, it was larger than 2,147,483,647. The data dump, it later turned out, contained a total of 2,692,818,238 records.
More than 770 million unique email addresses were exposed
That, thankfully, is not the number of people or even email accounts that are affected. As Hunt notes in his blog post, hackers rarely go through the trouble of organizing their data dumps in an easy-to-use fashion. After tidying up, he ended up with just under 773 million unique email addresses. It's nowhere near 2.7 billion, but it's still a substantial number. In fact, it's the biggest number of email addresses Troy Hunt has ever loaded in Have I Been Pwned at once. There were a few passwords as well.
More than 20 million unique passwords were exposed
Email addresses on their own aren't very useful. When they're combined with a password, however, things become quite a lot more dangerous. The database Troy Hunt was looking at contained more than 21 million unique passwords. This number doesn't include the passwords that looked like SQL statements and the ones that were in hashed format. These are just the plaintext passwords.
Why does this data dump exist?
It's not until you delve into the details that you understand just how much work Troy Hunt has done to get all that data organized in a searchable format. The whole dump consisted of more than 2,000 separate files weighing in at over 87 GB. Hunt posted the names of the files on Pastebin, and once you go over them, you'll see that, perhaps not surprisingly, the usernames and passwords didn't come from a single data breach.
In fact, it looks like almost every file stands for a separate incident involving various online services from all over the world. And someone has taken the time to put all these breaches together in one big dump.
They did it because a large database like this is exactly what you need if you want to organize a large-scale, successful credential stuffing attack. A credential stuffing attack means trying username and password pairs stolen from one website against a number of others. Because so many people reuse the same password all over the internet, credential stuffing attacks tend to be quite successful. In fact, this is one of the biggest threats users face at the moment, and it's a good reason to reconsider your password management habits.
The scary bit
Credential stuffing is a big problem not just because people reuse passwords. The attack is also extremely easy to pull off. As Troy Hunt mentioned, all you need is an automated tool and a data dump of usernames and passwords to launch an attack. And these are surprisingly easy to come by.
Getting the automated credential stuffing tools is a matter of running through a few hacking forums, and there are even demo videos on YouTube telling you how to use them. What's more, the database Hunt loaded in Have I Been Pwned wasn't hosted in the darkest corners of the dark web. He downloaded it from cloud hosting platform MEGA, and the link to it was "published to a well-known public forum". All anyone needed to get it was an internet connection. Do you want to know the really scary part?
The database was named "Collection #1".