Security expert Troy Hunt, who operates Have I Been Pwned (HIBP), recently received a data set of 2 billion unique email addresses collected from multiple malicious lists and internet sources, along with 1.3 billion unique passwords. Like the 183 million breached email addresses reported earlier, this data comes from an aggregated collection compiled by the security firm Synthient, which collates and summarizes material from various data leaks.
After processing, the data set contains only unique credentials (no duplicate email/password combinations) that were captured by infostealer malware. These were either freely available on the internet or could be collected from Telegram groups. You should definitely check the HIBP website to see whether your accounts are compromised.
How the data was checked
In a blog post, Troy Hunt describes how he checked the data records for correctness and accuracy. First, he searched for his own name and found an old email address from the 90s that he had actually used. He also found several linked passwords, but only one actually belonged to his account.
He then contacted several subscribers to his email list and asked them to check their data too. Some said they had found old passwords that were no longer in use, while others discovered current credentials for their accounts. Some of the data therefore dated back several decades, while other data was recent.
Hackers use the same procedure of trying out different combinations. With “credential stuffing” (as this method is called), it doesn’t matter how old the data is. Since many people rarely change their passwords, attackers can keep testing known credentials until they eventually succeed. Weak passwords (such as “12345”), dates of birth, or names can be cracked quickly.
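Credential stuffing leaves a distinctive trace on the receiving end: one source trying many different usernames, most of which fail because the leaked pairs are stale. The following detection script is an added example for this article, not code from Troy Hunt or HIBP. It assumes a simple login-log format of `<ISO timestamp> <source IP> <username> <ok|fail>` and thresholds chosen for illustration; the sample log lines are constructed and deliberately include a single-account brute-force source so you can see why distinct-user count, not failure count alone, is the discriminator.

```python
"""Flag credential-stuffing sources in authentication logs (added example).

Assumed log format (one attempt per line, constructed for this example):
    <ISO-8601 timestamp> <source ip> <username> <ok|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: tune to the service's real traffic.
WINDOW = timedelta(minutes=10)   # sliding window per source IP
MIN_ATTEMPTS = 8                 # ignore sources with too little activity to judge
MIN_DISTINCT_USERS = 5           # stuffing spreads across many accounts
MIN_FAIL_RATIO = 0.7             # most replayed pairs no longer work


def parse_line(line: str):
    """Split one log line into (timestamp, ip, username, success flag)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def find_stuffing_sources(lines) -> dict:
    """Return {ip: stats} for every source whose activity matches stuffing.

    For each IP, every attempt opens a window of length WINDOW; the first
    window that has enough attempts, enough distinct usernames and a high
    failure ratio flags the IP. Single-account brute force has many failures
    but one username, so it is not flagged here.
    """
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, user, ok = parse_line(line)
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in events.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            window = [a for a in attempts[i:] if a[0] - start <= WINDOW]
            if len(window) < MIN_ATTEMPTS:
                continue
            users = {u for _, u, _ in window}
            fails = sum(1 for _, _, ok in window if not ok)
            if len(users) >= MIN_DISTINCT_USERS and fails / len(window) >= MIN_FAIL_RATIO:
                flagged[ip] = {
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "failures": fails,
                }
                break
    return flagged


# Constructed sample log: 203.0.113.7 replays leaked pairs across nine accounts
# (one pair still works), 198.51.100.20 is a user mistyping a password, and
# 192.0.2.5 hammers a single account (brute force, not stuffing).
SAMPLE_LOG = """\
2025-11-06T09:00:01 203.0.113.7 alice fail
2025-11-06T09:00:03 203.0.113.7 bob fail
2025-11-06T09:00:05 203.0.113.7 carol fail
2025-11-06T09:00:07 203.0.113.7 dave fail
2025-11-06T09:00:09 203.0.113.7 erin fail
2025-11-06T09:00:11 203.0.113.7 frank ok
2025-11-06T09:00:13 203.0.113.7 grace fail
2025-11-06T09:00:15 203.0.113.7 heidi fail
2025-11-06T09:00:17 203.0.113.7 ivan fail
2025-11-06T09:00:19 203.0.113.7 alice fail
2025-11-06T09:01:00 198.51.100.20 judy fail
2025-11-06T09:01:20 198.51.100.20 judy fail
2025-11-06T09:01:40 198.51.100.20 judy ok
2025-11-06T09:02:00 192.0.2.5 mallory fail
2025-11-06T09:02:02 192.0.2.5 mallory fail
2025-11-06T09:02:04 192.0.2.5 mallory fail
2025-11-06T09:02:06 192.0.2.5 mallory fail
2025-11-06T09:02:08 192.0.2.5 mallory fail
2025-11-06T09:02:10 192.0.2.5 mallory fail
2025-11-06T09:02:12 192.0.2.5 mallory fail
2025-11-06T09:02:14 192.0.2.5 mallory fail
"""

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

The one successful login from the flagged source is the attacker's payoff and the reason old data still matters: the account whose password was never rotated. In practice the flagged IP feeds a rate limiter or a step-up authentication rule, and the successful account gets a forced password reset.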
Check if your password is compromised
Hunt uploaded the passwords to his Pwned Passwords database, where you can also check whether a particular password has already been compromised. The passwords are stored without an associated email address, so the check concerns only the security of the password itself.
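Pwned Passwords can be queried without ever sending the password, or even its full hash, to the service: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, receives every hash suffix in that bucket, and does the comparison locally (the k-anonymity range model). The script below is an added example, not code from HIBP or from this article. The range endpoint `https://api.pwnedpasswords.com/range/` is the real one; the sample response body and its count are constructed so that the matching logic can be exercised offline.

```python
"""Check a password against Pwned Passwords via the k-anonymity range API.

Added example. Only the first five hex characters of the SHA-1 digest leave
the machine; the API returns every suffix in that bucket with a breach count,
and the match is performed locally.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP range endpoint


def sha1_prefix_suffix(password: str) -> tuple:
    """Return the (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blanks."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def match_count(password: str, range_body: str) -> int:
    """Number of times the password appears in a range response (0 = not found)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Download the bucket for a 5-char hex prefix (needs network access)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "pwned-passwords-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full online check: hash locally, fetch the bucket, match locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return match_count(password, fetch_range(prefix))


# Constructed sample bucket for prefix 5BAA6 (SHA-1("password") starts with it).
# The suffixes and counts below are made up for this example, not real API output.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

if __name__ == "__main__":
    print(match_count("password", SAMPLE_RANGE_BODY))  # 3861493 in the constructed bucket
    # Uncomment for a live query (sends only the 5-char prefix):
    # print(check_password_online("password"))
```

The bucket typically holds several hundred suffixes, so the prefix alone does not identify the password to the server; the same client-side comparison is what a signup form should do before accepting a new password, rejecting anything with a non-zero count.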
For security purposes, it doesn’t matter whether you have already used an insecure password or someone else has: “If you have a password of ‘Fido123!’ and you find it’s been previously exposed (which it has), it doesn’t matter if it was exposed against your email address or someone else’s. It’s still a bad password because it’s named after your dog followed by a very predictable pattern. If you have a genuinely strong password and it’s in Pwned Passwords, then you can walk away with some confidence that it really was yours. Either way, you shouldn’t ever use that password again anywhere.”
Hunt recommends regularly checking your own passwords and email accounts (even if they’re just throwaway email addresses). After all, you never know who else could get hold of your data.
Further reading: How to check if your email address is compromised