Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security //

Data Leakage

1/17/2019
03:26 PM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

'Collection #1' Repository Totals 87GB of Stolen Email Addresses & Passwords

With the discovery of 'Collection #1,' security researcher Troy Hunt appears to have found the largest repository of stolen email addresses and passwords ever, totaling more than 87GB and 12,000 separate files.

There are massive data breaches and then there is "Collection #1."

On January 17, security researcher Troy Hunt, who runs the popular Have I Been Pwned website, detailed the discovery of 12,000 separate files that held more than 87GB of stolen personal data, which he dubbed Collection #1. The name comes from a root folder where the data had been stored.

These thousands of files, which were found on the New Zealand-based MEGA cloud hosting service, contained 772,904,991 unique email addresses, along with 21,222,975 passwords. If all the numbers pan out -- there are 1,160,253,228 unique combinations all together -- this is the largest collection of stolen personal data ever found.

"What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote in Thursday's blog post. "Like many of you reading this, I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public."

Hunt noted much of the data was found on a hacking forum, where it was being socialized. Many of the passwords had been de-encrypted and converted to plain text.

It appears all this data was being used, or could be used, for credential stuffing attacks, a brute-force method used to guess passwords and further hijack other accounts using this personal information.

The discovery of this repository of stolen data is likely to respark debates about how passwords are used, how often users should change them and if there's any point anymore in using passwords to keep data secure. (See Microsoft Looks to End the Era of Security Passwords.)

Terence Jackson, CISO of Thycotic, a security vendor that provides privileged access management (PAM) tools, noted in an email that both individual consumers, as well as enterprises, should take notice of Collection #1 since so many people repeatedly re-use passwords.

"This highlights the importance of password management and consumer education in that regard," Jackson told Security Now. He added:

Many people still use the same passwords across sites for personal and business purposes because it's convenient until something like this happens and it's back in the headlines. Using unique passwords on each site isn't a magic bullet, but the goal here is to limit the damage that could be done in a credential stuffing or brute force type attack. As a CISO, this type of attack would concern me because employees often use their corporate emails to sign up for services and often use the same passwords.

Although the data has been removed from MEGA, combinations of passwords and email addresses can still be in someone else's hands. Hunt's site offers services where users can check to see if their passwords have been exposed.

In an email, Raj Samani, chief scientist at McAfee, urged anyone who thinks their email address or password may have been compromised to reset passwords and to look into using a password manager.

"People need to act fast and defend themselves," Samani wrote. "With such a high volume of personal data being discovered, nobody can assume they haven’t been caught up in this. Passwords need to be changed immediately. If you have the same password across any account, device or app you need to make every single one unique, strong and never re-use it again. A password manager is a great option if you want to do this quickly."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...