Massive "Collection #1" data breach has 1,160,253,228 email/password combos

Written over 1 year ago by IanDorfman

Troy Hunt, creator of account security checker Have I Been Pwned, has written a detailed report concerning what he's coined "Collection #1": A data breach that has impacted nearly 773 million unique email addresses, as well as 1,160,253,228 unique combinations of email addresses and passwords.

The report, posted on Hunt's personal blog, explains that this data is from "a collection of 2000+ dehashed databases and Combos stored by topic" and not just any one website or service.

768,000 people of the nearly 2.2 million signed up for notifications from Small Have I been pwned? iconHave I been pwned? were impacted by this breach and notified. In order to find out if your password specifically has been impacted by a breach in Collection #1 or any other past data breach, you can use Have I Been Pwned's "Pwned Passwords" checker tool which doesn't store the data input. Hunt said the following about the tool in his Collection #1 blog post:

"Yes, I'm still conscious of the messaging when suggesting to people that they enter their password on another site but in the broader scheme of things, if someone is actually using the same one all over the place (as the vast majority of people still do), then the wakeup call this provides is worth it."

As of the writing of his post, Troy states that the 21,222,975 breached passwords from collection one have been added to the Pwned Password checker, bringing the total in the tool up to 551,509,767 passwords. This is a freely available version of the "Watchtower" feature also used by online password management system Small 1Password icon1Password, which Hunt partnered Have I Been Pwned with starting 9 months ago.

Unsurprisingly, when recommending password managers in order to mitigate the risk of password reuse and subsequent breaching of multiple user accounts, 1Password is Hunt's go-to recommendation, which he explains in a dedicated page on the Have I Been Pwned website. For users that do not wish to use a paid password manager, a good local, free, and open source solution is Small KeePass iconKeePass (alongside derivatives of the project such as Small KeePassXC iconKeePassXC).

For users that do not feel ready to jump to a password manager tool like 1Password or Small LastPass iconLastPass, Hunt notes that even writing down passwords in a notebook is better than having no password management at all.

Hunt ended his post with a link to a Pastebin post of the list of impacted sites and services posted to hacking forum. That being said, it's much easier to use Have I Been Pwned to see whether or not accounts created using one of your email addresses has been impacted by Collection #1 or any other past data breach.

Further coverage:
Original findings by Troy Hunt