Collection 1 Collection #1 is the name of a set of email addresses and passwords that appeared on the dark web around January 2019. The database contains over 773 million unique email addresses and 21 million unique passwords, resulting in more than 2.7 billion email/password pairs. The list, reviewed by computer security experts, contains exposed addresses and passwords from over 2000 previous data breaches as well as an estimated 140 million new email addresses and 10 million new passwords from previously unknown sources, and collectively makes it the largest data breach on the Internet.
Collection #1 was discovered by security researcher Troy Hunt, founder of "Have I Been Pwned?," a website that allows users to search their email addresses and passwords to know if either has appeared in a known data breach. The database had been briefly posted to Mega in January 2019, and links to the database posted in a popular hacker forum. Hunt discovered that the offering contained 87 gigabytes of data across 12,000 files. Not only was this discovery of concern to Hunt, but he further found that the passwords were available in plaintext format rather than in their hashed version. This implied that the creators of this database had been able to successfully crack the hashes of these passwords from weak implementation of hashing algorithms. Security researchers noted that unlike other username/password lists which are usually sold on the dark web, Collection #1 was temporarily available at no cost, and could potentially be used by a larger number of malicious agents, primarily for credential stuffing.
Within a day, Brian Krebs, a cybersecurity journalist, had been in contact with one of those selling Collection #1, and learned there were seven additional collections of similar username/password combinations, with the total contents of the collections being more than 500 GB, compared to the 87 GB from Collection #1. The additional contents of these additional collections is not yet known.
By January 30, 2019, security researchers observed that similar sets of data, named Collections #2 through #5, have been seen for sale on the dark web. Collections #2-5 included over 845 gigabytes of data, with a total of 25 billion email/password records. Security researchers at Hasso Plattner Institute estimated that Collections #2-5, after removing duplicates, has about three times as much data as Collection #1. Many of the email/password pairs in the collection were found to be from previous breaches including the Yahoo! data breaches, and breaches from LinkedIn and Dropbox.
According to threat intelligence firm IntSights, Collection #1 through #5 had been compiled by a hacker known as Sanix; however, the data was leaked online by a rival data broker known as Azatej. Both hackers were arrested in May 2020. Azatej was arrested in Poland, and Sanix in Ukraine.
- Song, Victoria (January 17, 2019). "Mother of All Breaches Exposes 773 Million Emails, 21 Million Passwords". Gizmodo. Retrieved January 17, 2019.
- Barrett, Brian (January 17, 2019). "Hack Brief: An Astonishing 773 Million Records Exposed In Monster Breach". Wired. Retrieved January 18, 2019.
- Goodin, Dan (January 17, 2019). "Monster 773 million-record breach list contains plaintext passwords". Ars Technica. Retrieved January 18, 2019.
- Griffen, Andrew (January 18, 2019). "'COLLECTION #1' DATA BREACH IS JUST THE BEGINNING, CYBER SECURITY EXPERTS WARN". The Independent. Retrieved January 18, 2019.
- Greenberg, Andy (January 31, 2019). "Hackers Are Passing Around a Megaleak of 2.2 Billion Records". Wired. Retrieved January 31, 2019.
- "Massive 'Collection #1' Data Dump: What's In It and How Did it Happen?". intsights.com. Retrieved 2020-05-19.
- Cimpanu, Catalin. "Europol arrests hackers behind Infinity Black hacker group". ZDNet. Retrieved 2020-05-19.
- "В Івано-Франківську СБУ затримала відомого у світі хакера (додано відео)". Archived from the original on 2020-05-21. Retrieved 2020-05-19.