Infosec researcher Troy Hunt has revealed that more than 700 million email addresses have been floating around “a popular hacker forum” - along with a very large number of plaintext passwords.
The data dump, which Hunt has uploaded to his Have I Been Pwned site for people to check if they’re included, comprises “1,160,253,228 unique combinations of email addresses and passwords”, in Hunt’s words.
“I found a combination of different delimiter types including colons, semicolons, spaces and indeed a combination of different file types such as delimited text files, files containing SQL statements and other compressed archives,” he added in his blog post announcing his find.
After cleaning up the data, Hunt boiled it down to 772.9 million unique email addresses, along with 22.2 million unique passwords. He estimated the hacked credentials were from the years 2008-2015.
The addresses and passwords were found lurking on Mega, the latest incarnation of rotund rascal Kim Dotcom’s file sharing website. The dump comprised “more than 87GB of data”.
While Hunt emphasised that he hasn’t exhaustively verified whether this is all new data or if it’s (even in part) a compendium of old creds floating around hacker forums, he did say: “My own personal data is in there and it's accurate; right email address and a password I used many years ago.”
Security firm ESET’s Jake Moore opined: “There has never been a better time to change your password… If you’re one of those people who think it won’t happen to you, then it probably already has. Password managing applications are now widely accepted, and they are much easier to integrate into other platforms than before.”