The enormous leak has exposed 772,904,991 email addresses and over 21 million passwords on a hacking forum. The leak was first reported by Troy Hunt, a security researcher. Hunt operates Have I Been Pwned, a site that lets users check whether their email address or password has been compromised at any point.

Troy Hunt is the Australian Microsoft Regional Director and has been awarded Microsoft’s Most Valuable Professional for developer security. He has testified before the US Congress in relation to the impact of data breaches. For more information about Troy Hunt, check out his bio page.

The Breach

This leak is made up of many individual data breaches from thousands of sources. Hunt has the entire list, called Collection #1, on his website. Collection #1 contains over 12,000 files, roughly 87GB of information. The information was compiled from over 2,000 breached databases that have been hacked and decrypted. Hunt told WIRED, “It just looks like a completely random collection of sites purely to maximize the number of credentials available to hackers. There’s no obvious patterns, just maximum exposure.”

Now What?

If you are concerned that your password was included in a breach, you can go to Have I Been Pwned and see if your email has been registered in a breach. If your email comes up, start resetting passwords. Even if your account has not experienced a breach, resetting your passwords is still a good idea. Hunt has also introduced a password search feature. Again, if your password is on this list, you should change it.

While this leak only contains email addresses and passwords, it is still serious. 140 million email accounts and more than 10 million passwords are new to Hunt’s database, meaning that information has not been included in any other known breaches. Also, the passwords were posted in plain text, meaning anyone with basic hacking skills could easily access them. In addition, the information was posted on a public cloud service. Most of the time, leaks like these are bought and sold on the dark web. This list was free for anyone with access to the cloud service and basic skills to download.

We recommend getting a password manager to keep your online credentials safe. Users must use and remember a strong master password. The stronger the password, the better the security. Likewise, two-step authentication is also an important security layer. Another way to make sure your accounts are secure is to change your passwords often. Some businesses require employees to change their passwords every 90 days for security. Check out our blog post about password managers.
