Credential Attackshigh

Collection #1: 773 Million Unique Credentials Dumped in One Post

Security researcher Troy Hunt discovered a 87GB collection of credential pairs being shared on hacker forums — 773 million unique email addresses and over 21 million unique passwords, compiled from thousands of previous breaches.

Global / Have I Been Pwned·2019·2 min read

Background

Troy Hunt, creator of the Have I Been Pwned (HIBP) data breach notification service, was alerted to Collection #1 in January 2019. It was being distributed via a popular hacking forum and via Mega cloud storage. The file collection had 12,000 separate files totalling 87GB.

The Attack

Collection #1 was a mega-compilation of previously breached credentials — email-password pairs extracted from thousands of separate data breaches over many years and compiled into a single searchable collection. It contained 772,904,991 unique email addresses and 21,222,975 unique passwords, presented in clear text or easily cracked form. The collection was de-duplicated and sorted for easy use in credential stuffing attacks. Security researchers found that most individual records had appeared in prior breach disclosures — it was a compilation, not a new breach.

Response

Troy Hunt added all 773 million email addresses to Have I Been Pwned, making it one of the largest single additions. The collection drove significant traffic to HIBP as millions checked their addresses. Security teams at major organisations cross-referenced their user bases. Subsequent Collections #2-5 were released, comprising another several billion records.

Outcome

Collection #1 represented a democratisation of credential stuffing: previously, large credential databases required connections to underground markets. Publishing 773 million records publicly meant anyone with a computer could conduct credential stuffing at scale. The incident drove adoption of HIBP for enterprise credential breach monitoring.

Key Takeaways

  1. Monitor your domain's email addresses in breach notification services (HIBP) — know immediately when employees are in credential dumps
  2. Credential stuffing attacks become significantly more effective as compilation databases grow — enforce password uniqueness
  3. Breached credentials from one service will be tested against all other services — assume any leaked password is compromised everywhere the same password was used
  4. Passwords from breaches conducted years ago are still being actively used in attacks today
credential stuffingCollection #1HIBPmega dumppassword reuse

More in Credential Attacks

2024critical

Snowflake Credential Theft: Ticketmaster, AT&T, and 160 Others Breached via Stolen Logins

2 min readCredential Attacks
2009high

RockYou: 32 Million Plaintext Passwords Teach the World About Password Storage

2 min readCredential Attacks
2012high

Dropbox 2012: 68 Million Passwords Exposed Because an Employee Reused a Password

2 min readCredential Attacks