Have I Been Pwned adds new dataset of 361m email addresses

Troy Hunt’s Have I Been Pwned website has been updated with a 122-gigabyte list scraped from “thousands of Telegram channels”.

David Hollingworth
Wed, 05 Jun 2024

Australian security researcher Troy Hunt has added a vast new dataset to his database of compromised email addresses, Have I Been Pwned.

The 122-gigabyte dataset was sent to Hunt last week by another security researcher. The data was scraped from thousands of Telegram channels and includes a large number of email addresses not previously seen in data breaches.

“I’ve loaded it into Have I Been Pwned (HIBP) today because there’s a huge amount of previously unseen email addresses, and based on all the checks I’ve done, it’s legitimate data,” Hunt said in a 4 June blog post.


The data comprises 1,700 files, 2 billion lines, and 361 million unique email addresses (including this author’s), in many cases alongside passwords and the websites they belong to.

How that data was collected illustrates how the hacking community regularly trades the personal data of millions of individuals, particularly on Telegram. The social media platform is popular because of its privacy and security, which also allow for the anonymous posting of data such as stolen credentials. That is why it is so widely used by hackers, particularly politically motivated hacking collectives.

This data is posted in “combo-lists” – data sets that combine email addresses with passwords.

“The combination of these is obviously what’s used to authenticate to various services, and we often see attackers using these to mount ‘credential stuffing’ attacks where they use the lists to attempt to access accounts en masse,” Hunt said.

The data Hunt recently uploaded was scraped from 518 discrete Telegram channels, totalling 1,748 files. Hunt tested a sample of these emails by entering them into the services they were associated with, which then generally returned a prompt to enter a password or a prompt saying that an account with that email already exists – either way, confirming the validity of the data.

“I’m not going to test the password because that would constitute unauthorised access,” Hunt said. That is not the goal, Hunt noted, but the check does prove the data is real.

Hunt did, however, use his subscriber database to reach out to registered users of his site, and many were more than happy to confirm that the email and password combos were completely legitimate. Many of these users had their credentials compromised in multiple previous combo-lists and data breaches, but Hunt wanted to understand where the new, unique credentials may have come from, some of which appeared more than 100 times for a wide range of websites.

Working with his subscribers, Hunt concluded info-stealer malware was likely the culprit, particularly with one subscriber who was a customer of German telco Deutsche Telekom and who had been advised by the telco that their account had been compromised – alongside passwords provided by Telekom and stored in Firefox by the customer.

“Stealer malware explains both the Telekom password and why passwords in Firefox were obtained; there’s not necessarily anything wrong with either service, but if a machine is infected with software that can grab passwords straight out of the fields they’ve been entered into in the browser, it’s game over,” Hunt said.

Hunt concluded with the advice he always gives in these cases, because most people use pretty poor passwords or do not pay enough attention to keeping their software and devices up to date.

“So, if you’re in here, what do you do?” Hunt said.

“It’s a repeat of the same old advice we’ve been giving in this industry for decades now, namely keeping devices patched and updated, running security software appropriate for your device (I use Microsoft Defender on my PCs), using strong and unique passwords (get a password manager!) and enabling 2FA wherever possible.”

Now, that’s advice worth following.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
