Monster 773 million-record breach list contains plaintext passwords

Widely circulated “Collection #1” was used in automated credential stuffing attacks.


Have I Been Pwned, the breach notification service that serves as a bellwether for the security of login credentials, has just gotten its hands on its biggest data haul ever—a list that includes almost 773 million unique email addresses and 21 million unique passwords that were used to log in to third-party sites.

According to Have I Been Pwned founder Troy Hunt in a post published Wednesday, the monster list is a compilation of many smaller lists taken from past breaches and has been in wide circulation over the past week. It was also posted to the MEGA file sharing site. At least one of the included breaches dated back to 2015. Dubbed "Collection #1," the aggregated data was likely scraped together to serve as a master list that hackers could use in credential stuffing attacks. These attacks use automated scripts to inject credentials from one breached website into a different website in hopes the holders reused the same passwords.
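Because credential stuffing replays stolen email/password pairs against a site that never leaked them, it looks different from ordinary brute force in server logs: one source tries many distinct accounts, usually once each, rather than hammering one account with many passwords. The detector below, an added example that is not code from the article, from Have I Been Pwned or from Troy Hunt, applies that distinction to a constructed authentication log. The log format, IP addresses, usernames, window length and thresholds are all assumptions made for illustration.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not code from the article or from Have I Been Pwned.
Log format (constructed): "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window per source IP
MIN_FAILURES = 5                # assumed: failed logins inside the window...
MIN_DISTINCT_USERS = 5          # ...spread across at least this many accounts

# Constructed sample log: a user mistyping a password (192.0.2.10), a
# single-account brute force (198.51.100.5), and a stuffing run that sprays
# one attempt per account and lands a hit on frank@ (203.0.113.7).
SAMPLE_LOG = """\
2019-01-17T10:00:00 192.0.2.10 alice@example.com FAIL
2019-01-17T10:00:09 192.0.2.10 alice@example.com FAIL
2019-01-17T10:00:15 192.0.2.10 alice@example.com SUCCESS
2019-01-17T10:01:00 198.51.100.5 carol@example.com FAIL
2019-01-17T10:01:01 198.51.100.5 carol@example.com FAIL
2019-01-17T10:01:02 198.51.100.5 carol@example.com FAIL
2019-01-17T10:01:03 198.51.100.5 carol@example.com FAIL
2019-01-17T10:01:04 198.51.100.5 carol@example.com FAIL
2019-01-17T10:01:05 198.51.100.5 carol@example.com FAIL
2019-01-17T10:02:00 203.0.113.7 dave@example.com FAIL
2019-01-17T10:02:01 203.0.113.7 erin@example.com FAIL
2019-01-17T10:02:02 203.0.113.7 frank@example.com SUCCESS
2019-01-17T10:02:03 203.0.113.7 grace@example.com FAIL
2019-01-17T10:02:04 203.0.113.7 heidi@example.com FAIL
2019-01-17T10:02:05 203.0.113.7 ivan@example.com FAIL
2019-01-17T10:02:06 203.0.113.7 judy@example.com FAIL
2019-01-17T10:02:07 203.0.113.7 mallory@example.com FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect(lines, window=WINDOW, min_failures=MIN_FAILURES,
           min_users=MIN_DISTINCT_USERS):
    """Return {ip: stats} for sources whose failures inside `window` hit both
    thresholds. Many failures against ONE account is brute force, not stuffing,
    so the distinct-user threshold is what separates the two."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans <= window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            fails = [e for e in in_window if e[3] == "FAIL"]
            users = {e[2] for e in fails}
            if len(fails) >= min_failures and len(users) >= min_users:
                # Successes during a spray are likely reused-password hits
                # and are the accounts to force through a reset first.
                hits = sorted({e[2] for e in in_window if e[3] == "SUCCESS"})
                stats = {"failures": len(fails), "distinct_users": len(users),
                         "compromised_candidates": hits}
                if ip not in alerts or stats["failures"] > alerts[ip]["failures"]:
                    alerts[ip] = stats
    return alerts


if __name__ == "__main__":
    for ip, stats in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {stats}")
```

Only 203.0.113.7 is reported: 198.51.100.5 exceeds the failure count but targets a single account, and the mistyped password from 192.0.2.10 never comes close. In production the per-IP key is too coarse on its own (stuffing tools spread attempts across proxies), so the same windowing is usually also applied per ASN, per user-agent fingerprint and to the global ratio of failed-to-successful logins.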

The 773 million email addresses and 21 million passwords easily beat Have I Been Pwned’s previous record breach notification that contained 711 million records. But there are other things that make this latest installment stand out. In all, it contains 1.16 billion email-password combinations. That means that the list covers the same people multiple times, but in many cases with different passwords. Also significant: the list—contained in 12,000 separate files that take up more than 87 gigabytes of disk space—has 2.69 billion rows, many of which contain duplicate entries that Hunt had to clean up.


Mozilla’s Firefox Monitor will now alert you when one of your accounts was hacked


Earlier this year, Mozilla announced Firefox Monitor, a service that tells you if your online accounts were hacked in a recent data breach. All you have to give it is your email address and it’ll use the Have I Been Pwned database to show you if you need to worry and what data was compromised. Today, Mozilla is taking this a step further by also letting you sign up for alerts for when your accounts appear in any (known) breaches in the future.

When it first launched, Mozilla considered Firefox Monitor an experimental service. Now, it’s being launched as an official service.

If none of your accounts have been hacked yet, consider yourself lucky. That still makes you the perfect user for Firefox Monitor’s new alerting feature, though, because chances are your email address will show up in a future breach sooner or later. Indeed, when Mozilla first asked people about which features they most wanted from a service like this, notifications about future breaches were very high on most people’s list.

Mozilla notes that Firefox Monitor is just one of a number of new data and privacy features the organization has on its roadmap for the next few months. It’s clear that Mozilla is positioning itself as a neutral force and overall, that seems to be going quite well, especially given that Google’s Chrome browser is facing a bit of a backlash these days as users are increasingly concerned about their privacy and the vast trove of data Google collects.