Researcher uncovers one of the biggest password breaches in recent history

Roughly 25 million of the passwords have never been seen before by widely used service.

Nearly 71 million unique credentials stolen for logging into websites such as Facebook, Roblox, eBay, and Yahoo have been circulating on the Internet for at least four months, a researcher said Wednesday.

Troy Hunt, operator of the Have I Been Pwned? breach notification service, said the massive amount of data was posted to a well-known underground market that brokers sales of compromised credentials. Hunt said he often pays little attention to dumps like these because they simply compile and repackage previously published passwords taken in earlier campaigns.

Not your typical password dump

Some glaring things prevented Hunt from dismissing this one, specifically the contents indicating that nearly 25 million of the passwords had never been leaked before:

1. 319 files totaling 104GB
2. 70,840,771 unique email addresses
3. 427,308 individual HIBP subscribers impacted
4. 65.03 percent of addresses already in HIBP (based on a 1,000 random sample set)

“That last number was the real kicker,” Hunt wrote. “When a third of the email addresses have never been seen before, that’s statistically significant. This isn’t just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it’s a significant volume of new data. When you look at the above forum post the data accompanied, the reason why becomes clear: it’s from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.”Advertisement

“thereisnofatebutwhat­wemake”—Turbo-charged cracking comes to long passwordsA redacted image that Hunt posted showing a small sample of the exposed credentials indicated that account credentials for a variety of sites were swept up. Sites included Facebook, Roblox, Coinbase, Yammer, and Yahoo. In keeping with the claim that the credentials were collected by a “stealer”—malware that runs on a victim’s device and uploads all user names and passwords entered into a login page—the passwords appear in plaintext. Account credentials taken in website breaches are almost always cryptographically hashed. (A sad aside: Most of the exposed credentials are weak and would easily fall to a simple password dictionary attack.)

Data collected by Have I Been Pwned indicates this password weakness runs rampant. Of the 100 million unique passwords amassed, they have appeared 1.3 billion times.

“To be fair, there are instances of duplicated rows, but there’s also a massive prevalence of people using the same password across multiple different services and completely different people using the same password (there are a finite set of dog names and years of birth out there…),” Hunt wrote. “And now more than ever, the impact of this service is absolutely huge!”

Hunt confirmed the authenticity of the dataset by contacting people at some of the listed emails. They confirmed that the credentials listed there were—or at least once were—accurate. For added assurance, Hunt also checked a sample of the credentials to see if the email addresses were associated with accounts on the affected websites. All of them did. Some of Hunt’s users reported that the passwords appeared to be valid as of 2020 or 2021. Hunt said that when he searched through the dataset, a password of his own that dated back to 2011 appeared. Whatever the date of the passwords, it stands to reason that unless they’ve been updated, they remain valid.Advertisement

Hunt’s password landing on the list suggests that a password stealer was installed on one of his devices. Hunt didn’t say as much, so confirmation or details weren’t immediately available. The underground market post advertising the dataset said it came from a breach dubbed naz.api that had been donated to a different site earlier.

Passkeys may not be for you, but they are safe and easy—here’s whyThere are dozens of useful primers online explaining how to properly secure accounts. The two main ingredients to account security are: (1) choosing strong passwords and (2) keeping them out of the sight of prying eyes. This means:

• Generating a long, randomly generated password or passphrase. These passcodes should be at least 11 characters for passwords and for passphrases at least four words randomly chosen from a dictionary of no fewer than 50,000 entries. Bitwarden, a free, open-source password manager is a good choice and a great way for less experienced people to get started.
• Preventing strong passwords from being compromised. This entails not entering passwords into phishing sites and keeping devices free of malware.
• Use two-factor authentication, preferably with a security key or authenticater app, whenever possible.
• Better yet, use passkeys, a new, industry-side authentication standard that’s immune to theft through stealer apps and credential phishing.

It’s also a good idea to either create an account with Have I Been Pwned? or periodically enter email addresses into the site search box to check if they appear in any breaches. To prevent abuse of the search, the site doesn’t log entered email addresses and no corresponding passwords are loaded with password data stored on the site. Have I Been Pwned also accepts a single email address at a time, except in certain cases. You can find more on the service and the security of using it here.

Have I Been Pwned also allows users to search its database for specific passwords. More about k-anonymity and other measures Hunt uses to prevent password exposure and abuse of his service is here.