
1.1 Billion Logins Exposed in Huge Data Dump: What to Do

Ooh, this is a big one. More than 1.1 billion unique sets of email addresses and passwords, totaling 87GB, were found in a massive trove of compromised login credentials collected in thousands of data breaches going back many years.

Credit: designer491/Shutterstock


When duplicates are eliminated, there are 773 million unique email addresses and 21 million unique passwords in the data dump, wrote Australian security blogger Troy Hunt in a posting today (Jan. 17). Some of the email addresses were linked to more than one password, and most of the passwords were either still "hashed" or were linked to more than one email address.

The good news is that fully 80 percent of the compromised credentials were already known to be compromised, explained Hunt. Nonetheless, that leaves about 140 million email addresses that haven't previously popped up in disclosed data breaches.

What to Do Now

To check to see whether your email address is in this data dump, or any previous known one, go to Hunt's Have I Been Pwned website. There's a separate page called Pwned Passwords that lets you check if any of your passwords have been compromised.
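As an added illustration of how a Pwned Passwords style check can be done without ever sending the password itself (my own code, not the article's and not Have I Been Pwned's): only the first five hex characters of the password's SHA-1 hash would leave the machine, and the match is made locally against the list of hash suffixes that comes back. The SUFFIX:COUNT line format follows the public api.pwnedpasswords.com range endpoint; the sample responses and the counts in them are constructed here so the script runs offline, and the function names are my own.

```python
"""Offline walk-through of a k-anonymity password check (added example).

The SUFFIX:COUNT line format mirrors the public Pwned Passwords range API
(GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>);
SAMPLE_RANGES below is a constructed stand-in for those HTTP responses, so
nothing is sent anywhere when this runs.
"""
import hashlib

PREFIX_LEN = 5  # characters of the hash a real client would transmit

# Constructed responses keyed by hash prefix.  The middle suffix under 5BAA6
# is the real remainder of SHA-1("password"); the other suffixes and every
# count are made up for the demo.
SAMPLE_RANGES = {
    "5BAA6": """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E2AAA439972480CEC7F16600FAE3C5AE5D:2
""",
}


def sha1_split(password: str) -> tuple:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    Only the prefix would be transmitted; the suffix never leaves the machine.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def range_url(prefix: str) -> str:
    """URL a real client would fetch for this prefix (the public range
    endpoint; this script never performs the request)."""
    return f"https://api.pwnedpasswords.com/range/{prefix}"


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    table = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, responses: dict) -> int:
    """Times the password appears in the breach corpus according to the
    range response for its prefix (0 if the suffix, or the prefix, is absent)."""
    prefix, suffix = sha1_split(password)
    body = responses.get(prefix, "")
    return parse_range_response(body).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-42"):
        prefix, _ = sha1_split(candidate)
        hits = breach_count(candidate, SAMPLE_RANGES)
        verdict = f"seen {hits} times, stop using it" if hits else "not in sample data"
        print(f"{candidate!r}: would query {range_url(prefix)} -> {verdict}")
```

The design point is the one the commenter below worries about: the service never learns the password, only a five-character prefix shared by hundreds of other hashes, and the comparison against the returned suffixes happens on the client.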


Hunt said he found the credentials cache on MEGA, the file-sharing website run by rogue tech mogul Kim Dotcom, after receiving several tips. The data dump was being advertised on a hacking forum as "a collection of 2000+ dehashed databases and Combos stored by topic."

Hunt posted a list of 2,890 websites that may (or may not) have been sources of the stolen credentials here. Most of them (there are some duplicates) seem to be lesser-known sites run by small businesses or individuals.

It's not clear how old the data is, but Hunt wrote that "my own personal data is in there and it's accurate; right email address and a password I used many years ago."

How Passwords Work -- and Fail

Most websites don't store your password, but rather the "hash" of your password -- the result of a mathematical calculation that spits out a long string of numbers and letters that is theoretically impossible to reverse.

When you log into a site, the site takes the password you type in, runs it through the same mathematical calculation and compares the resulting hash to the password hash on file. If the hashes match, you're granted access.

Unfortunately, older algorithms used to generate password hashes can be reversed using modern computers. That's probably how the 21 million plaintext passwords in this data trove were "cracked."
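An added illustration (my own code, not the article's) of the storage and verification scheme just described, placed beside the reason the older scheme fails: an unsalted MD5 hash of a common password is matched from a precomputed table in one lookup, while a salted and deliberately slow PBKDF2-HMAC-SHA256 hash produces a different stored value every time, so no table built in advance applies to it. The user records, the short list of common passwords and the iteration count are constructed for the demo.

```python
"""Added example: hashed password storage and why old schemes get cracked.

Nothing here comes from the article; the user table, the list of common
passwords and the scheme labels are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed: a few passwords that turn up in every breach corpus.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]

PBKDF2_ITERATIONS = 200_000  # demo setting; chosen to keep the example quick


# --- the "older algorithm": fast, unsalted MD5 --------------------------------
def md5_store(password: str) -> str:
    """What a legacy site stores instead of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    """Login check: hash what the user typed and compare in constant time."""
    return hmac.compare_digest(md5_store(password), stored)


def recover_from_table(stored: str) -> Optional[str]:
    """Why 'hashed' is not 'safe': the same password always yields the same
    MD5, so a table built once from common passwords matches it instantly."""
    table = {md5_store(p): p for p in COMMON_PASSWORDS}
    return table.get(stored)


# --- the hardened scheme: per-user salt + slow PBKDF2-HMAC-SHA256 -------------
def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex', fresh salt per call."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed user table: one account on each scheme, same password.
    legacy = md5_store("letmein")
    modern = pbkdf2_store("letmein")
    print("legacy login ok:", md5_verify("letmein", legacy))
    print("legacy hash recovered from table:", recover_from_table(legacy))
    print("modern login ok:", pbkdf2_verify("letmein", modern))
    print("modern hash differs on re-hash:", modern != pbkdf2_store("letmein"))
```

The salt is what defeats tables built in advance, and the iteration count is what makes each guess expensive; a leaked table of PBKDF2 records still falls to a weak password, which is why the article's advice to use unique, strong passwords stands regardless of how a site stores them.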

If your email address pops up in Hunt's Have I Been Pwned database, that does not necessarily mean that any or all of the associated passwords have been cracked. But it's likely.

And if a password that you consider to be unique and strong does show up in Hunt's associated Pwned Passwords database, then it's time to stop using that password.

To keep all your passwords strong and unique, try using a free or paid password manager. You'll have to remember only one password, and the manager will do the rest.


  • alceryes
    Change all your passwords or start using a good password manager. Carry on with your day.

    If you want, go to the 'Have I Been Pwned' website to check your email address/passwords. Although I know it's a 100% legit site, I only checked my email addresses. I just can't bring myself to type my passwords in for anything but actually authenticating using that password. Irrational, I know, but that's me.

    Use common sense with your passwords.
    If you don't want to use a password manager or use a different password for each and every single login, at least create tiered passwords so that you're not using the same password for your email or bank accounts (highest security) as you do for forums and registration services that you'll almost never use and don't gather critical info about you (lowest security). Usually, 4 or so tiers of passwords are good enough, if used properly.

    Remember the authentication/account verification chain.
    NEVER use the same passwords for services that are used to verify your identity with other services. Email and bank accounts are two of the big ones here. Most banks will email you about suspicious activity and/or for verification. If your passwords are different between the account that is compromised (bank, for example) and the account used for verification (email, for example), that will stop a would-be thief in his or her tracks.

    Don't use Post-It note (or ePost-It note) security
    It's best not to write down your passwords, but if you must, keep it behind some heavy security, like FaceID or fingerprintID. Also, if you do have a password list somewhere, make it only part of the puzzle. For example, if your password for Tom's Hardware site is Password456, list the password as Pa***6 (or something like that). That way even if someone gets that far 'inta yo bidness' they STILL don't have your actual passwords. The starred-out password should be enough of a hint for you to know which password it is.
  • InfoSponge16
    Paul, informing people of this type of activity is a good thing to do.

    Changing passwords and even emails is a good thing to do.

    I became aware of the issue reading online.

    Through the article, they included info advising to check on haveibeenpwned.<<phishers

    Remember that hackers use social engineering to get us to provide information, or phishing.
  • alceryes
    21690331 said:
    Paul, informing people of this type of activity is a good thing to do.

    Changing passwords and even emails is a good thing to do.

    I became aware of the issue reading online.

    Through the article, they included info advising to check on haveibeenpwned.<<phishers

    Remember that hackers use social engineering to get us to provide information, or phishing.

    Are you saying the haveibeenpwned website is actually a phishing site?
    If yes, are you just guessing? Can you supply evidence to show this is the case?
  • Paul Wagenseil
    Have I Been Pwned is not a phishing site. The guy who runs it is a legitimate and well-known security researcher.

    If you want to check your email address on Have I Been Pwned, that's on one page. If you want to check your password, that is on another page.

    You will not be able to enter both credentials on the same page, and that's by design. Have I Been Pwned does not want third parties to use the site to check the validity of email/password combinations.