A collection of files containing around 773 million unique email addresses and 21 million unique passwords was leaked on the Mega Cloud service, claims security researcher Troy Hunt.
However, the massive collection has since been removed from the platform. According to Hunt, the data dump he dubs “Collection #1”, includes over 12,000 separate files and is more than 87GB in size.
It contained 772,904,991 email addresses and 21,222,975 passwords, allegedly from many legitimate breaches that Hunt recognises in that list.
He adds that it is also entirely possible that some of them are from services that haven’t actually been involved in a data breach at all.
“It’s made up of many different individual data breaches from literally thousands of different sources,” says Hunt, the founder of Have I Been Pwned service which allows users to check if their accounts have been compromised in data breaches.
Hunt says that his own personal data is in the collection and that it is accurate. “Right email address and a password I used many years ago,” he says.
You can go to Have I Been Pwned and Pwned Passwords to check if your email addresses or passwords are in the lists. If they are, then change your passwords immediately, says Hunt.
“People take lists like these that contain our email addresses and passwords and then they attempt to see where else they work. The success of this approach is predicated on the fact that people reuse the same credentials on multiple services,” he says.
“Perhaps your personal data is on this list because you signed up to a forum many years ago you’ve long since forgotten about, but because its subsequently been breached and you’ve been using that same password all over the place, you’ve got a serious problem.”
According to Hunt, when hackers have access to huge numbers of login data they would employ bots to access multiple services with the same information, a technique called credential stuffing.
Hunt also adds that websites usually experience a spike in login attempts, some as many as three times, after a massive data breach.
This data leak goes to show that no one should be reusing their old passwords for new services. If you are, now is the time to change that.