It turns out that the widely circulated (something something) Collection #1 was actually used by hackers to launch credential stuffing attacks.
These attacks were fully automated as well.
The hugely popular website by the name of Have I Been Pwned (more specifically, a breach notification online service) which has taken the job of serving as the bellwether for login credentials security, has managed to get its hands on perhaps the biggest (and potentially the most damage-causing) data haul in the history of data breaches.
In other words, it now has access to a list that includes close to 773 million unique user email address along with 21 million unique user passwords.
These usernames and passwords, needless to say, were used by various online consumers to log into a variety of third-party online services and websites.
Troy Hunt, the founder of the above-linked website Have I Been Pwned recently published a post (more specifically on Wednesday).
And according to him, the list is a monster one.
In reality, the list is actually a compilation of a vast number of smaller such lists which have been taken from various past data breaches.
Over the past week, the list has been in wide circulation.
As it turns out, someone also posted the 773 million mega data breach list on the file sharing site MEGA.
Furthermore, some publications have mentioned that at least a single of the many other included data breaches dated way back to around 2015.
The community has dubbed the list has Collection #1.
And perhaps rightly so.
It is highly likely that someone aggregated the data breaches list by scraping together many different pieces of data.
Moreover, it also looks like the person who released this list wanted it to serve as the master data breach list which hackers of various kinds could make use of in their upcoming login credential stuffing cyber attacks.
Such cyber attacks make use of various automated scripts for the purposes of injecting login credentials from a given breached website to another, and different, website.
All the while, such hackers hope that the holders of the accounts made the mistake of reusing the same username and password on different sites.
The latest monster list of 773 million user email address along with 21 million user passwords doesn’t even have to work up a sweat in order to beat the previous record on Have I Been Pwned for data breaches.
Previously, the notification that held the record of the largest ever data breach contained a total of 711 million records.
However, apart from the numbers, there are actually many other things which make the latest installment of data breaches stand out from the crowd.
Without applying too much match, it turns out that the breach contains a total of 1.16 billion password-email combinations.
What does that mean for the end user and the rest?
It means that the latest Collection #1 data breach list pretty much covers the same online consumers a multiple number of times.
However, in many of such cases, users will have different passwords for the services and the apps that they use.
Another significant factor here is that the Collection #1 list contained a total of 12000 separate files.
These 12000 files managed to take more upwards of 87 gigabytes of hard disk space.
That is a lot of space.
We have also come to know that the list probably has around 2.69 billion rows.
Quite a few of these rows would represent duplicate entries which Troy Hunt had no choice but to clean up and remove.
Readers should also know that around 663 million of the 773 million user email addresses included in Collection #1 had previously made its way to other lists on Have I Been Pwned notifications.
That further means that a total of 140 million of such email addresses are still valuable for hackers as Have I Been Pwned has probably never seen them before.
The service now has certainly seen them though.
Troy Hunt recently mentioned that he had actually found some of his very own login credentials included in the service’s notification that came on Wednesday.
It is another fact that Troy Hunt has none of those credentials currently in use on some app or another service.
Apart from that, it has also come to our attention that Have I Been Pwned has already put the resources together to begin the non-trivial job of sending out emails to more than a total of 768,000 individuals who have signed up for Have I Been Pwned notifications.
And while Have I Been Pwned is it at, it also has the unenviable task of informing close to 40,000 other people who monitor different domains.
Any of our readers who still have not gone through the small inconvenience of signing up on Have I been Pwned can still do so and check the status of his/her primary email address by clicking here.
Troy Hunt also wrote that people would continue to receive various notifications.
Some would brose to the login credential checking website.
Both groups, when they find themselves on the site, would know that the site actually acts as a reminder about how various actors in the internet are misusing their personal data.
Now, the thing we want you to understand here is that, if you (just like the author of this post) have found your name of the list then know that there are people in different parts of the globe who are hell bent on breaking into your personal and sensitive online accounts.
Moreover, they are distributing that list among themselves.
And guess what they want to do with it?
that’s it right.
They want to take advantage of any and all shortcuts that users just like you and us, may have taken with regards to their online privacy and security.
Troy Hunt also mentioned that one of the most frequently asked questions that he gets from various people is that if he will upgrade his Have I Been Pwned tool to divulge the user password which accompanied the compromised user email address in a given data breach.
For reasons that we will talk about now, Troy Hunt has so far steadfastly refused to do so.
And he has given good reasons for doing so.
Let’s take a look at a couple of them.
The first reason he gives is that if he ‘upgrades’ his service to act as a lookup service that has the ability to pair user names and user passwords, then that would undoubtedly promote his online service to become the most sought-after target of various online hackers and hacker groups.
Moreover, having such a feature would also require Troy Hunt himself to sort out the task of storing passwords in nothing but clear text.
This is something that no website no matter where in the world should ever think about doing.
With that said, there is a tool that Have I Been Pwned has put up here which enables users just like you to check and confirm if a specific given piece of text or string of text has ever managed to show up in a given Have I Been Pwned data breach notification.
Of course, for obvious reasons some of which we have discussed above, the page decouples all the passwords that it shows to users from the user email addresses that made us of it.
No one should need more convincing that Collection #1 is nothing but huge.
However, it is also true that one simply cannot precisely compare it with some of the other big data breaches in the past.
It is very tempting to simply go ahead and compare Collection #1 to the previous Yahoo hacks that took place in 2014 and then in 2013.
Reports back then said that the 2014 Yahoo attack had compromised a total of 500 million accounts while the 2013 Yahoo attack compromised around 3 billion accounts.
Also, another hack happened in 2016 which made the previous attacks proud by revealing account details for more than 412 million accounts on AdultFriendFinder, a sex and swinger community website that no one should ever go to.
There was another breach which happened at Equifax.
That one allowed hackers to find a lot of success in stealing data that belonged to over 147.9 million online consumers.
But again, such comparisons are, in a lot of respects, like comparing apples to oranges.
Why do we say that?
We say that because many small data breaches seeded Collection #1 to make it massive.
And a lot of these smaller data breaches had already made it to the lists at Have I Been Pwned.
Now, no one should take from this that Collection #1 is not important.
Despite the fact that it recycles some of the previously compromised and breached login credentials, the fact that the list is widely available for anyone and everyone to see and download no doubt makes Collection #1 very damaging.
Now things have become ever easier even for those miscreants who do not have much skills.
They too can capitalize on this same bevy of data breaches which have happened in the last decade alone.