Monster 773 million-record breach list contains plaintext passwords
Dan Goodin reports:
Have I Been Pwned, the breach notification service that serves as a bellwether for the security of login credentials, has just gotten its hands on its biggest data haul ever—a list that includes almost 773 million unique email addresses and 21 million unique passwords that were used to log in to third-party sites.
According to Have I Been Pwned founder Troy Hunt in a post published Wednesday, the monster list is a compilation of many smaller lists taken from past breaches and has been in wide circulation over the past week. It was also posted to the MEGA file sharing site. At least one of the included breaches dated back to 2015. Dubbed “Collection #1,” the aggregated data was likely scraped together to serve as a master list that hackers could use in credential stuffing attacks.
Read more on Ars Technica.