Troy Hunt, the security researcher behind the HaveIBeenPwned website has added a massive list of compromised email addresses and passwords to his database.

The data set, called “Collection #1” has been circulating in some shady parts of the internet and includes 772.9 million email addresses and 21.2 million passwords — which have been dehashed (meaning they’re in plain text).

Much of this data was actually already available, but there do seem to be a substantial number of new email addresses and passwords in the list, so it’s probably a good time to check and see if your data has been involve in any known data breaches — and then change your passwords for all affected services.

Hunt offers two secure tools that can help: HaveIBeenPwned lets you search by email address to see what known data breaches your address has been involved in, while the Pwned Passwords tool lets you search by password (but doesn’t tell you which sites/services have been compromised).

You can also find a list of all the sites associated with Collection #1 if you want to search by name.

All told, the latest news is yet another reminder that odds are your data is going to get leaked sooner or later (and probably repeatedly). So the best thing you can do to minimize the risk is to use different passwords for every account you have, and enable multi-factor authentication whenever possible.

Of course, you probably have dozens or hundreds of different accounts… so you’re probably going to want to use a password manager so you don’t have to remember all those different logins.

A password manager can be as simple as an Excel spreadsheet or piece of paper that you keep in a drawer. But I’m partial to tools built for the job like KeePass, 1Password, Dashlane, and LastPass.


Support Liliputing

Liliputing's primary sources of revenue are advertising and affiliate links (if you click the "Shop" button at the top of the page and buy something on Amazon, for example, we'll get a small commission).

But there are several ways you can support the site directly even if you're using an ad blocker* and hate online shopping.

Contribute to our Patreon campaign


Contribute via PayPal

* If you are using an ad blocker like uBlock Origin and seeing a pop-up message at the bottom of the screen, we have a guide that may help you disable it.

Subscribe to Liliputing via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 9,543 other subscribers

11 replies on “Time to change your passwords: Data breach exposes 773 million email address, 21 million passwords”

  1. Isn’t this really just the leaking of passwords on sites where the login is an email address? That’s a bit different than having your email address hacked.

    1. That’s my question. I get that my main email is listed in “pwned” db. But it isn’t the actual email, just some commercial account that I use that email. I hope. So which account(s) on which websites were jacked?

      1. The website shows you which of your accounts related to the email was hacked. For example, it might be Dropbox–which is a concerning hack. Or it might be Disqus, which is not as concerning, unless the password for your email and your password for Disqus are the same!

  2. I think it’s a good idea to segregate websites into categories:
    1- financial/official websites and emails: use unique strong passwords. E.g. Bank account, government services & work
    2- semi-official websites: such as hotels, flight booking and shopping websites: use good passwords but not necessarily unique and don’t strore credit card info on them.
    3-That stupid forum or website that won’t let you see the posts until you register and login: such as quora, any news website, comments platforms, pinterest: use a burner email to register and any password even if it is just password. Just make sure you don’t use the same password as the email address you registered with. Don’t give them any real info about yourself.

    Also, segregate your email addresses based on the activity: for example, use only 1 email for all your shopping, another for the bank-related communication, a 3rd for social media and a 4th for other websites. This also help avoid spear phishing attacks

    1. It’s even simpler:

      1. Don’t memorize passwords, use a password manager.
      2. Use unique strong, randomly generated passwords, for every site. Password managers help.
      3. Don’t memorize passwords, use a password manager.
      4. If you can*, and the nature of the site allows it**, use a unique e-mail address for every site. Password managers will also record your login/unique e-mail address.
      5. And don’t memorize passwords, use a password manager.

      Anything else is actively asking for trouble. Data breaches don’t care about your categorization.

      *) Not everyone has access to a catch-all email domain
      **) Some sites, by their nature, require you to be found by your public e-mail address.

      1. What’s a public email address when speaking of private individuals, how different it is from a private one, and which sites require it? This concept is new to me. I agree with your main premise, that you should use a password manager, however.

        1. “Private individuals” are probably not in need of such sites, but then “private individuals” is a restriction you are applying to this discussion. Mainly these are collaborative sites in a business environment where people need to find you by the address you hand them on your business card, or sites that contact other people stating your e-mail address.

          1. You are right that I probably should have added small business owners to private individuals as well. But still, perhaps I don’t fully understand what do you want to get to. Let’s say I have a business card with my clean email address I hand out to clients and business partners. Still, I can just sign up to LinkedIn and similar sites with my gibberish email address as well. I don’t see it as a problem that as a small business owner I use more than one email address and the business partner wants to find me on LinkedIn (for whatever reason, that site sucks, but that’s just my opinion), he doesn’t have to be surprised that entering my email address from my business card won’t help him find me there. Maybe entering my name (or asking me to add him) will. It all depends on your business and circumstances, of course.

      2. Totally agree on the password manager bit. I also think that using two factor authentication is an important part of this – for the password manager itself, as well as the tier 1 services (financial, governmental)

Comments are closed.