Troy Hunt reveals details of mega-MEGA password dump

Have I Been Pwned operator adds ‘Collection #1’ to security notification service

Troy Hunt, the operator Have I Been Pwned, has revealed details of what he described as the largest single dump of emails and passwords he has encountered.

Hunt dubbed the 87GB dump “Collection #1”. The collection comprised more than 12,000 files and was found on file-upload service MEGA. Hunt said that the dump had been discussed on a “popular hacking forum”.

“The post on the forum referenced ‘a collection of 2000+ dehashed databases and Combos stored by topic’ and provided a directory listing of 2,890 of the files,” Hunt wrote. The security researcher has posted a copy of the directory listing, which includes 32 domains and subdomains.

Collection #1 includes 1,160,253,228 unique combinations of email addresses and passwords, Hunt said. In total, there are 772,904,991 unique addresses (and 21,222,975 unique passwords).

The dump is made up of “many different individual data breaches from literally thousands of different sources,” Hunt wrote.

Hunt said that although he recognised “many legitimate breaches” in the directory list, “it's entirely possible that some of them refer to services that haven't actually been involved in a data breach at all.”

However he added that he found an email address and password combination that he had personally used “many years ago.”

Have I Been Pwned is a free notification service operated by Hunt that alerts people when their email address is included in a data dump.