For several years now, Troy Hunt, a renowned security professional, has been supporting the site Have I Been Pwned (HIBP) with millions of records of stolen accounts. Anyone can check their email for leakage. Troy Hunt monitors hacker forums, buys databases that are put up for sale, sometimes these databases are sent to him for free. But never before have such a huge base been put up for sale as the current Collection #1.
The giant archive contains 2,692,818,238 entries with email addresses and passwords.
Hunt acquired the dump and carried out the analysis, although its huge size caused certain technical difficulties due to exceeding the 32-bit value.
Troy says he downloaded the archive from the Mega file sharing. Several informants promptly sent him a link to the file, but soon the archive was removed from the hosting. This archive contained more than 12,000 files with a total size of more than 87 GB. A link to the archive was published on one of the hacker forums, along with a screenshot confirming the contents of the archive. Here is the complete list of files.
You can see in the screenshot that the root folder is Collection #1. From the list of files, you can get some idea about the sources of information (itotal.ru, ineedtutor.ru. kazachok.com so on).
The forum post mentioned “a collection of more than 2,000 de-hashed databases and topic combinations” and a list of 2,890 files in the archive.
It is too early to talk about how reliable the information from the new database is. However, Troy Hunt found his email address and password there, which he used many years ago. “Fortunately,” he says, “only passwords that are no longer in use, but I still feel the same sense of dismay that many people reading this will when I see them pop up again. However, what I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago.”
The dump is made up of many different individual leaks, literally from thousands of sources. There are 1,160,253,228 unique combinations of email addresses and passwords. This is when processing passwords with regard to the register and e-mail addresses without register. Troy Hunt notes that there is a certain amount of garbage in this amount of information, because hackers do not always accurately format their dumps for information processing (a combination of different types of separators, including colons, semicolons, as well as a combination of different types of files, such as text files delimited, files containing SQL statements and other compressed archives).
At the same time, there are 772,904,991 new email addresses in the database. All data is already uploaded to the site and searchable. It should be noted that this is the largest update in the history of HIBP.
21,222,975 unique passwords were also detected. As in the case of email addresses, this figure is obtained after applying a set of rules to maximally clear the database of duplicates as much as possible, including deleting passwords in a hashed form, ignoring strings with control characters and fragments of SQL, etc. After adding new data, the total number of unique entries in the database of the HIBP website increased to 551,509,767.
Troy Hunt admits that after processing this database on cloud hosting, he will have an unpleasant conversation with his wife on a financial issue.
You can check your email directly on his website, as well as through the API or Firefox Monitor service. This tool creates a SHA-1 hash for the mailing address entered and checks the HIBP base using the first six digits. For example, email@example.com turns into 567159D622FFBB50B11B0EFD307BE358624A26EE, and only 567,159 is used to search the database. In response, the leak aggregator “returns” possible matches, if any. At the same time, the email address is not transmitted in any obvious form. Then Firefox Monitor searches the full hash. If a match is found, the user is told exactly what data leaks have affected his personal data, and also strongly recommended changing passwords.