No matter how careful you are about creating strong passwords and keeping your data private, chances are good that some of your passwords will eventually leak. Huge troves of stolen data are being sold and distributed online every week, but a recent breach was so substantial that it even took Have I Been Pwned? creator Troy Hunt by surprise.
In a blog post (via Futurism), Hunt said that he was recently made aware of a credential stuffing list (a collection of compromised user credentials, such as usernames and passwords) that had been posted to a popular hacking forum.
These lists pop up all the time, and as Hunt notes, they’re usually just repackagings of previous lists containing the same information. This one’s different. According to Hunt, this leaked dataset contains nearly 71 million unique email addresses, and more than a third of the email addresses have never been seen before in previous leaks.
Hunt says that the new data in the credential stuffing list is “from ‘stealer logs’ or in other words, malware that has grabbed credentials from compromised machines.”
Hunt tested a random sample of email addresses to see if they were actually connected to the sites and services in question, and they all worked. While many of the username and password combinations will be out of date, this is clearly legitimate data. There are hundreds of millions of passwords in the list — at least one of yours is likely among them.
That’s the bad news. The good news is that Troy Hunt and his team have made all of the email addresses searchable in HIBP and uploaded all of the passwords to Pwned Passwords. If your data was part of this leak, you’ll be able to find it on haveibeenpwned.com.
Needless to say, you should probably take this opportunity to change your passwords.