1.1 Billion Logins Exposed in Huge Data Dump: What to Do

Ooh, this is a big one. More than 1.1 billion unique sets of email addresses and passwords, totaling 87GB, were found in a massive trove of compromised login credentials collected in thousands of data breaches going back many years.

Credit: designer491/Shutterstock

(Image credit: designer491/Shutterstock)

When duplicates are eliminated, there are 773 million unique email addresses and 21 million unique passwords in the data dump, wrote Australian security blogger Troy Hunt in a posting today (Jan. 17). Some of the email addresses were linked to more than one password, and most of the passwords were either still "hashed" or were linked to more than one email address.

The good news is that fully 80 percent of the compromised credentials were already known to be compromised, explained Hunt. Nonetheless, that leaves about 140 million email addresses that haven't previously popped up in disclosed data breaches.

What to Do Now

To check to see whether your email address is in this data dump, or any previous known one, go to Hunt's Have I Been Pwned website. There's a separate page called Pwned Passwords that lets you check if any of your passwords have been compromised.

MORE: Best Password Managers

Hunt said he found the credentials cache on MEGA, the file-sharing website run by rogue tech mogul Kim Dotcom, after receiving several tips. The data dump was being advertised on a hacking forum as "a collection of 2000+ dehashed databases and Combos stored by topic."

Hunt posted a list of 2,890 websites that may (or may not) have been sources of the stolen credentials here. Most of them (there are some duplicates) seem to be lesser-known sites run by small businesses or individuals.

It's not clear how old the data is, but Hunt wrote that "my own personal data is in there and it's accurate; right email address and a password I used many years ago."

How Passwords Work -- and Fail

Most websites don't store your password, but rather the "hash" of your password -- the result of a mathematical calculation that spits out a long string of numbers and letters that is theoretically impossible to reserve.

When you log into a site, the site takes the password you type in, runs it through the same mathematical calculation and compares the resulting hash to the password hash on file. If the hashes match, you're granted access.

Unfortunately, older algorithms used to generate password hashes can be reversed using modern computers. That's probably how the 21 million plaintext passwords in this data trove were "cracked."

If your email address pops up in Hunt's Have I Been Pwned database, that does not necessarily mean that any or all of the associated passwords have been cracked. But it's likely.

And if a password that you consider to be unique and strong does show up in Hunt's associated Pwned Passwords database, then it's time to stop using that password.

To keep all your passwords strong and unique, try using a free or paid password manager. You'll have to remember only one password, and the manager will do the rest.

Best Identity Protection Services

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.