2019 megabreach: Researcher finds largest collection of breached data

NEW YORK, U.S. - In a revelation that has emerged as one of the biggest shockers in the global cybersecurity industry so far this year, a trove of the largest collection of breached data from across the world has been found. 

A security researcher has discovered the 87GB data dump, that reportedly contains a whopping "1,160,253,228 unique combinations of email addresses and passwords."

The breached data, called the 'Collection #1' has been discovered by Troy Hunt, who runs the Have I Been Pwned website and posted details about the database in a blog post. 

Hunt wrote that he found a massive folder containing about 12,000 separate files on the cloud platform MEGA, with nearly 87GB of data. 

Digging deeper

According to Hunt, the data was made up of "many different individual data breaches from literally thousands of different sources."

He estimated, "Collection #1 has 2,000 separate databases that contain 1,160,253,228 unique combinations of email addresses and passwords and 21,222,975 unique passwords."

In the blog post, Hunt wrote that most of the email addresses compiled in Collection #1 have appeared in previous breaches, including the 2008 hacking of 360 million MySpace accounts and the 2016 exposure of 164 million LinkedIn accounts.

According to his breach-notification service, there are about 140 million email addresses and 10 million passwords in the collection that have never been seen before. 

Hunt claims that those "email addresses could come from one large unreported data breach, many smaller ones, or a combination of both."

The databases discovered by Hunt contained fully exposed, 'rehashed passwords' - which he said makes the users vulnerable to credential stuffing, where compromised login credentials are used to hack into other accounts associated with them.

Experts boggled

Reports noted that MEGA administrators have now taken down the 87gb download but not before it was downloaded multiple times. 

Commenting on the mega-breach, a cybersecurity expert at ESET U.K., Jake Moore was quoted as saying, "It is quite a feat not to have had an email address or other personal information breached over the last decade. If you’re one of those people who think it won’t happen to you, then it probably already has. Password-managing applications are now widely accepted, and they are much easier to integrate into other platforms than before. Plus, they help you generate a completely random password for all of your different sites and apps. And if you’re questioning the security of a password manager, they are incredibly safer to use than reusing the same three passwords for all your sites."

Meanwhile, cybersecurity journalist Brian Krebs revealed that Collection #1 is just one batch of data being offered by a seller who claims to have at least six more. 

Alex Holden, CTO of Hold Security told KrebsOnSecurity that the data appears to have first been posted to underground forums in October 2018.

Holden, who runs the company specializing in trawling underground spaces for intelligence about malicious actors and their stolen data dumps, explained that Collection #1 is "just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.