January 17, 2019

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled “Collection #1” and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely “made up of many different individual data breaches from literally thousands of different sources.”

KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

Here’s a screenshot of a subset of that seller’s current offerings, which total almost 1 Terabyte of stolen and hacked passwords:

The 87GB “Collection1” archive is one of but many similar tranches of stolen passwords being sold by a particularly prolific ne’er-do-well in the underground.

As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — “Sanixer.” So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his “freshest” offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.

By way of explaining the provenance of Collection #1, Sanixer said it was a mix of “dumps and leaked bases,” and then he offered an interesting screen shot of his additional collections. Click on the image below and notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Hunt’s published research on this 773 million Collection #1.

Sanixer says Collection #1 was from a mix of sources. A description of those sources can be seen in the directory tree on the left side of this screenshot.

Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks — as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.

“It was popularized several years ago by Russian hackers on various Dark Web forums,” he said. “Because the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.”

A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when they are available.

If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).

For most of us, by far the most important passwords are those protecting our email inbox(es). That’s because in nearly all cases, the person who is in control of that email address can reset the password of any services or accounts tied to that email address – merely by requesting a password reset link via email. For more on this dynamic, please see The Value of a Hacked Email Account.

Your email account may be worth far more than you imagine.

And instead of thinking about passwords, consider using unique, lengthy passphrases — collections of words in an order you can remember — when a site allows it. In general, a long, unique passphrase takes far more effort to crack than a short, complex one. Unfortunately, many sites do not let users choose passwords or passphrases that exceed a small number of characters, or they will otherwise allow long passphrases but ignore anything entered after the character limit is reached.

If you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong and unique passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Finally, if you haven’t done so lately, mosey on over to 2fa.directory and see if you are taking full advantage of multi-factor authentication at sites you trust with your data. The beauty of multi-factor is that even if thieves manage to guess or steal your password just because they hacked some Web site, that password will be useless to them unless they can also compromise that second factor — be it your mobile device or security key.


67 thoughts on “773M Password ‘Megabreach’ is Years Old

  1. Andrew Rossetti

    Thank you for the sanity Brian! I’ve been pulling my hair out today reading these reports and screaming at my monitor “IT’S NOT A NEW BREACH”! The initial report stated that very clearly, but I guess writers figure they’ll get more clicks if they sensationalize it.

    1. Kathleen Jacksville

      Scary, how many information were breached. My email was found in three instances of data breach. Reading though another forum, found that someone using the acronym datasiph0n is publishing the data breach databases online https://shoppy.gg/product/jWCDeeJ

  2. The Sunshine State

    The fun never ends !

    Breach: Collection #1
    Date of breach: 7 Jan 2019
    Accounts found: 772,904,991
    Your accounts: 9
    Compromised data: Email addresses, Passwords

  3. ConArtistAware

    TROY HUNT IS A FRAUD

    he gets this data for free from a script kiddy. runs it as new and massive breach to drum up donations and fame. he is now skiing in some Alps while security teams are scrambling to help their company protect users and executives.

    Troy dumping the dump and bragging of now on holiday: https://twitter.com/troyhunt/status>/1085847781879603200

    Troy passively asking for donations for his “good-boy” work: https://twitter.com/troyhunt/status/1085851191022518272

    1. ConArtistAwareSpoof

      If you looked at his tweets, he’s asking for donations because ingesting billions of records into a database is expensive

      https://twitter.com/troyhunt/status/1085095504197779456

      (According to google, that’s about $15,000 USD)

      Troy does MANY things, one of which is offering an entirely free service which notifies countless people when there’s another instance of their data being found on the internet.

      Also, there’s nothing wrong with going on a vacation, especially when Scott Helme responded saying they’re going to Norway for a conference – https://ndc-security.com/

      1. Matthias

        Troy has partnered with 1Password. HIBP must be a fantastic vector for 1Password to acquire new users, so I assume they cover all the site costs, and more.

      2. Dave Howe

        Shouldn’t be THAT expensive – you can just throw it into an amazon bucket, then run Athena against it. its not like the queries you run will be complex….

  4. Catwhisperer

    On the Ars Technica website, where I came onto the breach related in this article, they gave two useful website links:

    https://haveibeenpwned.com and https://haveibeenpwned.com/Passwords

    Though I found every single email address I’ve ever used on the pwned email side of things, I didn’t find a single password that is currently being used. My belief is that the reason for that lack is the use of Diceware for over a decade, and never reusing passwords…

    1. mar77i

      I don’t understand why people hand over their passwords to such a service, though. Why not put it on twitter directly…?

      1. Part7j

        Excpet the little tiny detail that the site is not actually getting the password.

          1. Nathan

            No it isn’t. It’s sending the first 5 chars of a SHA1 hash of your password, and returning the hits for you to look at and see if your password matches, client side.

            Go read up on it, it’s clever.

          2. junior

            If you search a little and try to understand, you’ll see that your password is never sent to the site’s server.

          3. Merlino

            Except it isn’t. It’s gets the first 5 characters of the SHA-1 hash of your password.

  5. Dennis

    Hah, Russians again!? Can they do anything other than stealing and hacking democratic elections? (I know, a rhetorical question.)

    1. bex

      They Don’t just Hack and steal but They are also on Step or few steps ahead, They Know exacly When and what People who are ln this They Know its all organized by Secret Service. no doubt about it.

  6. PDCLarry

    Troy Hunt’s site lets you check whether a user ID or password has been “pwned” as he calls it. I checked a few of my passwords (I’ve checked user IDs there before) and I was surprised to see that a couple of my strong random passwords were on the list. So clearly just having good passwords is not sufficient.

    1. timeless

      There’s a great description of how to secure a computer / data, stick it in a locked box and sink it in the bottom of the ocean.

      Your problem is that your password was given to some service so they could use it to authenticate you. And they were hacked.

      Now, just how well they hashed your password may vary, but it’s very easy to get hashing wrong.
      One could:
      (a) not do it at all
      (b) encrypt instead of hashing
      (c) not salt
      (d) not use a strong enough hashing function
      (e) not use enough rounds of hashing
      (f) fail to destroy older versions/backups of their database

  7. Sam

    Sanixer is running a btc scam. May want to be careful. He will block you off discord after btc transfer

    1. SteamCardGuy

      Too late, he scammed me already with 2 50 euro Steam gift cards and I tried everything but he blocked me
      100 euro scam

  8. vb

    I disagree with this: “A core reason so many accounts get compromised is … poor passwords, re-using … across multiple sites.”

    You might blame the user, but I blame the numerous website admins that allow the entire password database to get hacked. Those web “professionals” are to blame for lacking good password encryption, hashing, and salting. The users are to blame a little, but the admins are to blame a whole lot more.

    I agree with your suggestion of long, unique, passphrases over gibberish. Far too many websites suggest gibberish. But good or not, it will still get pawned if the website it’s used on is run by an incompetent person.

    1. BrianKrebs Post author

      Look, everyone gets hacked. It’s why last month I wrote the following:

      “Reality #1: Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

      Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.”

      At least when people pick unique passwords, a site compromise can’t lead to compromise at other accounts. That’s the whole point.

      1. DatabaseMX

        It would seem that … two factor authentication is at least a step in the right direction ?

      2. Al Pinto

        I don’t disagree with you, your posting is basic security 101, but…

        The lack of authentication servers’ security is the main culprit for data breaches. Instead of securing these servers, the end users need to go through loops to authenticate themselves to the servers.

        There has been number of events, where the hackers circumvented 2FA authentication already, and I foresee that there will be more and more of these type of events. Granted, the end user’s device played a role in some of the 2FA hacks.

        Without securing devices on both the client and server end of the communication, data breaches will continue. Except sometimes in the near term, it isn’t going to be stolen password, instead, it’ll be fingerprint.

      3. Techiesavage

        I would like to know if you can sue someone for stealing your identity? I actually have a security warning from Google that someone Russia, tried log into my account. Yup, not kidding. Wish I had been. But I’m lucky they didn’t get in. Google blocked the IP address.

  9. Russ E

    Fingerprint authentication seems to work fine or us that also an area which can be eventually hacked as well?

    1. Al Pinto

      That depends on the authentication server and how it stores the fingerprint. The fingerprint is just a file on the server and if the file is in plain text, you are SoL. The authentication server has no way knowing, if you are authenticating, or the hacker who has your fingerprint file does.

      The type of authentication server, while matters, the security of the server that matters the most. For this reason, changing the authentication type does not matter much, if the server is not secure. Sooner or later, someone will steal the credentials…

      1. JCitizen

        The first time I heard of fingerprint authentication, that is exactly what I though about it. The data is just that, nothing about the file is particularly more secure just because it describes a fingerprint in digital format. However the BAD thing about it, is you can NEVER change the fact that you fingerprint data is out there forever, and you can’t get rid of it. You could always move to a different digit until all 10 of them are compromised, but who needs that kind of danger??!! I will never use this kind of technology until an enforcement structure is required by regulation in the technique of encrypting of personal biometric ID information!

        1. Joe

          I only recommend biometrics as a factor, when under human security guard supervision. It really ups the risk an attacker must accept to spoof a biometric.

    2. Dave

      Totally agree with Al Pinto. It’s the servers that can’t be trusted. It is a matter of time before they get breached and the files containing your biometric data are leaked. A password can be changed, your face/fingerprints can not.

    3. Dan

      You can update a password but you can only update your fingerprint ten times…

      1. timeless

        Well, you could try a toe-print…

        But, seriously, any static identifier is really a stupid idea.

        Anything that can be recorded can be replicated.

  10. Jim

    Agreed with Brian. Good job, good article. And a good rehash.
    Here’s my addition. Not everything belongs on a network. You bank numbers, your private musings, the design of your latest wigit, your pacemaker controls? Which things would you have there? But not everyone agrees. So, someone’s training is never current on how it works, or the newest baddie. But the basic concepts of security are, there are bad guys out there who want your information. And, how do you stop them from getting your information. Such as, not everyone is the class leader. But they are expected to be trained as such. Is it possible they missed the necessary class on that subject or were just good on that test?
    And your security training should have included “why are you doing that” , is it necessary? Do they need that information, really? Why? And, what will the disclosure do to you? So, should we go back and revisit the security classes we should have had?

  11. Dave

    I don’t like the use of biometrics for 2FA until we are sure that the data is stored securely (good encryption), like Al Pinto mentioned above. You can change a password, but you can’t change your face, fingerprints, or other bio data. I think biometrics is opening a whole new area of identity theft. I won’t use it.

  12. Kary

    My main complain about most the stories on this is they make it sound like the data is of passwords for email accounts. It’s actually data of passwords for accounts where the login name is an email address. So unless you used the same password for such a site and your email . . ..

  13. Jimbo

    My parents still use an email account from the early 2000’s with the domain @sbcglobal.net which is shocking. It didn’t occur to me until the wave of breaches this year that this email account was most definitely out there. I cautioned them to just create a new account, but my parents are luddites and claim they have too much important stuff on there.

    This week, my mother recieved a phishing email demanding a ransom of $47 in BTC. That was the final straw for me. Additionally, a quick haveibeenpwnd search shows the email is included in this recent “collection 1”.

    For those out there who also have stubborn parents – how do you express the gravity (financial & otherwise) of computer privacy to them? I can’t simply delete their email account and make them a new one.

    1. Soy Tenley

      sbcglobal.net was handled by Yahoo, through the SBC absorbtion of AT&T and rebranding to AT&T, until Verizon bought Yahoo. AT&T then got email servers set up for all new consumer accounts. That means their email was compromised a long time ago along with the other Yahoo accounts the hackers got into.

      I would get a new PC (Windows, Mac, Chromebook) and set it up with a new email address or two, and this way there is a physical separation aiding in the psychological separation of new email address from old email address.

      Then existing accounts need to be updated with the new email address, and possibly any two-factor authentication required. This migration will take a while.

      ” … claim they have too much important stuff on there.”

      Tell your parents no email provider guarantees they will keep old emails forever and ever, and your parents will need to archive their old emails somehow.

      If possible, download the entire email account for access offline. Additionally, each important email should be copied into a file and/or printed and filed.

      See if the rest of the emails can be forwarded to yet another email address also accessible on the second computer. These emails are most likely sentimental. Remind them they cannot keep everything.

      Eventually you will be able to delete all the emails on their old account, after which the old email account can be ignored. If the old email account is part of their ISP services, it is best not to delete the account name because someone else might get it.

    2. timeless

      If SBC is yahoo, it’s probably not the worst thing.

      Really, the most important things are:
      1. Get a password manager.
      2. Replace all passwords w/ randomly generated passwords stored in the password manager (possibly w/ a strong correct battery horse staple [1] password).
      3. Set up 2FA [2] for all important accounts.

      Some of this is covered by Brian in his security keys article [3].

      The best way to get people to understand the risk is to have them read Brian’s articles, esp The Value of a Hacked Email Account [4].

      The Herculean task here is figuring out all of your parents’ accounts in order to update their passwords. But, note: doing this is good hygiene.

      [1] https://xkcd.com/936/
      [2] https://twofactorauth.org
      [3] https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
      [4] https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/

  14. Richard Steven Hack

    I reuse passwords all the time – for sites where I don’t care if it gets compromised. For sites like my bank and email I don’t use such passwords. My bank doesn’t even use an email as part of the access procedure although they do have it in order to send me notifications about my bank statement availability.

    So when the Have I Been Pwned site tells me my spam collection email has been used at three compromised sites and my main email has been used at three compromised sites, the main useful information is the actual sites listed. One was MySpace, which gives you an idea how old that access was – so who cares?

    So the value of my password to me at most sites is probably little more than the .000002 cents cited.

    The problem with site breaches is more than password reuse. It’s that those sites had cruddy password encryption protection. It’s KNOWN how to protect a password file with encryption that isn’t going to be broken for a hundred years even if you have access to a supercomputer or thousands of GPU processors in a server farm.

    The problem is that sites don’t do it because it’s a performance and thus cost issue. Many (most?) sites are still using simple unsalted hashing algorithms to “protect” their passwords.

    Using a password manager is mostly a waste of time and usually involves a fair amount of complexity especially for less technically inclined users. It’s far simpler to use a single more or less simple password at sites where it doesn’t matter and use multiple serious passwords at sites where it does matter. This actually helps password security because it makes it simple to manage it as only a few serious passwords need to be managed for a few sites.

    Device access passwords of course should be very serious. That includes the home and work computers and phones and any other device which is on a network. And all such devices should never have bank account or other serious personal data stored on them at all – such info should be offline.

    1. Gunnar

      This is much better advice than anything I’ve read so far. Not because it’s more secure but because the other advice is not actionable for the average user. Requiring Strong passwords for everything just make it that much more likely users will implement poor practices, when the actual problem tends to be in databases getting compromised.

    2. Joe

      I disagree with this, and think it’s bad advice.

      One of the biggest problems is people (enterprises and individuals)… don’t know WHERE their sensitive data resides.
      The average user doesn’t know enough about personal data privacy to understand what sites should or should not be considered important to protect. Ask most laymen, and they will agree about their bank account, but say they don’t care about social media or other accounts.

      So an attackers still love to compromise accounts that the user doesn’t “care” about. It still contains enough Personal Information to craft phishing emails, answer security questions, or social engineer friends, family and service providers.
      It’s the little information that people don’t know about, don’t know where it’s stored, and think its not worth protecting… that will get them.

      Password Managers should be used everywhere possible. It is far easier to get average people to form a good and consistent habit, than to give them the opportunity (rope) to decide what may or may not be important.
      Also, a “few serious passwords”, still need to avoid using all the things that make it easy for the user to remember. The easier it is for the user, the easier it is to crack…. especially once an attacker has gotten an idea on how the user thinks about passwords, you know, from all the “unimportant accounts” that were easily breached.

  15. Larry Burk

    Regarding these sites or others like them: https://haveibeenpwned.com and https://haveibeenpwned.com/Passwords. If you are submitting current email names and passwords, why is it assumed that someone connected with those sites or a man in the middle somewhere is not accumulating them for yet another collection? I’ll admit to being somewhat paranoid after reading BK’s stuff for many years.

    1. Kathy S.

      Yes, I was wondering this too. On this whole issue, paranoia seems justified as a self-protection practice.

    2. timeless

      Being skeptical is good.

      Troy Hunt [1] is a reputable security researcher. If you’re concerned (and you should be), then you can research him before you do anything.

      As for the risk of entering an email address (which is a public identifier) into a website [2], there really isn’t much. If your address is public, you’re already receiving spam, worse case, you get a bit more?

      wrt entering passwords [3]. You probably shouldn’t. You could enter a “burned” password to get a sense of “how burned” it is. There’s no particular harm in this. You can try using “password123” — “This password has been seen 116,847 times before”.

      If you like, you can also download the password list (the web page gives links). Note: the list isn’t to passwords, just (moderately weak) hashes.

      What you can do is find a _trusted_ client that implements K-anonymity [4] and have it talk to the passwords API [5].

      Note: this just shifts the task from deciding if Troy Hunt [1] is trustworthy to deciding if the password client is trustworthy. You could choose an open source one* and audit the code yourself and build it yourself if you like.

      [1] https://www.troyhunt.com/
      [2] https://haveibeenpwned.com
      [3] https://haveibeenpwned.com/passwords
      [4] https://en.wikipedia.org/wiki/K-anonymity
      [5] https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

      * disclaimer: I’ve contributed to at least one password manager which may or may not have implemented this feature, hopefully it will at some point.

  16. Really tho

    Terrible OpSec, screenshot gave away his PC name and his TZ.

  17. WhatAbout

    What about collection 2-5, what are they worth ? Are they a big deal ?

  18. Bradley Cooper

    If the data was in any way valuable it would not be compiled on a cloud in this manner and sold for any only $45 for a terabyte.

    Troy provides a valuable service but he needs to pull his head in a bit. He lives a lavish lifestyle in a millionaire’s paradise, but he begs for money and provides duplicitous screenshots about the cost of uploading the data ($21000 apparently!) then only revealing the true cost (“a few hundred”) when questioned by people. Yes Troy we know about scaling, but clearly he’s hoping not all his followers do.

    But hey every time he does this he gets huge exposure, even as his website’s scary numbers (5 billion records!) is inscreasingly made up of doubles of the same mega breaches from 2012.

    It’s a good business being Troy.

  19. John Broadbent

    People say to freeze your card accounts but if I do, I am frightened of giving them information that would be helpful to a hacker of their sites.
    The other problem is that I have unique passwords to 147 sites, you want me to change them all, am I unique having this many after 70 years?
    Most sites now use your email address for your name why not let you use something fictitious then hackers would have to guess two. My bank originally wanted my mother’s maiden name which happens to be Smith. I told them I refused to use it and used a code word. They also check the computer I am using for verification.

  20. C0rpz

    We claim to Leak Collection#1 – 7 Including antipublic Data breaches. – C0rpz #NullSecDidIt
    @ugq
    @NullSec1337

  21. kathleen jacksveel

    Scary, how many information were breached. My email was found in three instances of data breach. Reading though another forum, found that someone using the acronym datasiph0n is publishing the data breach databases online https://shoppy.gg/product/jWCDeeJ

  22. SteamCardGuy

    ATTENTION!!! ATTENTION!!! AWARENESS!!!

    Sanixer is a DIRTY RUSSIAN SCAMMER!!! Read carefully.

    So I read this article without reading the comments and taking consideration and I contacted him via Telegram. He first asked for BTC but since I didn’t have he said I could pay with Steam Gift Cards so that’s what I did, I bought 100 euro worth of gift cards and gave it to him just after to get blocked!!! I’ve had contact with other people who also have been scammed by him (150 dollar scam), the file is in a TORRENT! and those are only old leaks as the website suggests.
    I’ve been scammed for 100 EURO worth of Steam Money,

    DON’T MAKE THE SAME MISTAKE!!!

    BECAUSE BE AWARE, HE’S A SCAMMER!!!
    IN ANY WAY DO NOT TRUST HIM OR GIVE ANY CURRENCY OR MONEY!!!

    1. Readership1

      Why did you want to buy the password file?

      You’re surprised that a thief would steal from you?

  23. moon

    The problem with site breaches is more than password reuse. It’s that those sites had cruddy password encryption protection. It’s KNOWN how to protect a password file with encryption that isn’t going to be broken for a hundred years even if you have access to a supercomputer or thousands of GPU processors in a server farm.

  24. Anonymous

    We anonymous claim that we origionally made these 7 collections.
    Telling lies will not help.

  25. Stuffprime

    It’s scary as hell. Who knows what’s next! Those shady guys behind this hack are really good at it!

  26. download premium scripts

    Unquestionably believe that which you stated. Your favorite
    justification seemed to be on the internet the
    easiest thing to be aware of. I say to you, I certainly get annoyed while people consider worries that they just do not
    know about. You managed to hit the nail upon the top and defined out the whole thing without having side effect , people can
    take a signal. Will probably be back to get more.

    Thanks

  27. Jonathan

    I definitely use ( reuse same ) passwords on multiple websites .. but on these sites, I don’t signup using my main mail accounts, I use temp accounts and so even if these sites get attacked, I don’t care.

    As for my personal bank accounts and webmaster accounts, I use unique passwords. Furthermore, they don’t have email authentication system instead they send one-time-password to my personal cell number which I then have to type back within 120seconds or they will expire and after three trials, I have to recreate new user-id by entering all my personal details.

    So I think I am quite secured.

Comments are closed.