Collection 1 Data Breach Exposes More Than 772 Million Email Addresses

A collection of almost 773 million unique email addresses and just under 22 million unique passwords were exposed on cloud service MEGA. Security researcher Troy Hunt said the collection of data, dubbed Collection #1, totaled over 12,000 separate files and more than 87GB of data. ZDNet reports: "What I can say is that my own personal data is in there and it's accurate; right email address and a password I used many years ago," Hunt wrote. "In short, if you're in this breach, one or more passwords you've previously used are floating around for others to see." Some passwords, including his own, have been "dehashed", that is converted back to plain text. Hunt said he gained the information after multiple people reached out to him with concerns over the data on MEGA, with the Collection #1 dump also being discussed on a hacking forum. "The post on the forum referenced 'a collection of 2000+ dehashed databases and Combos stored by topic' and provided a directory listing of 2,890 of the files," Hunt wrote. The collection has since been removed. You can visit Hunt's Have I Been Pwned service to see if you are affected by this breach.

They have a great API

[piojo]

I love their API. You can do a search without submitting any sensitive information. Not even a full sha1sum. You send a partial sha1sum, and they send back possible matches. Locally, you see if any are exact matches.

Here is a bash/zsh function which looks up a password (obviously without printing it to console or sending it anywhere):

function haveibeenpwned() {
echo "Enter password to check:"
stty -echo
read line
stty echo
echo
local sha1="$(echo -n "$line" | sha1sum - | cut -f1 -d' ')"
echo sha1 is "$sha1"
local prefix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\1/')"
local suffix="$(echo "$sha1" | sed 's/\(.....\)\(.*\)/\2/')"
echo "Searching for prefix: $prefix and suffix: $suffix"
echo
curl "https://api.pwnedpasswords.com/range/$prefix" 2>/dev/null | grep -i "$suffix"
}

I'm probably in there

[steveha]

Starting a couple of months ago, I've received a huge number of extortion emails. At this point it's extortion spam.

All the emails follow the same pattern, and all including somewhere (usually in the To: line, for some reason) an old "burner" password I used on web sites where I don't care if the password leaks.
  Here's a rough paraphrase:

Hi, I'm an elite international hacker, and I've hacked your email. You can tell I'm for real because I used your own email account to send this to you.

Go ahead and change your password, but it's too late to protect you from me. I installed a secret program on your computer and it has been logging everything you do, including collecting images from your computer's webcam. I have collected a list of all the porn sites you visit and made a video showing what you were doing while you visited them. You have interesting tastes in porn, don't you!

When you opened this email a timer was automatically started, and you have 48 hours to pay me money or else my automatic program will send all the dirt I have on you to all your friends I harvested from your email address book.

You can use $CRYPTOCURRENCY to send me the money. Send $AMOUNT to $ID_NUMBER. [$AMOUT is usually $700 or $800 or so.] If you don't know how to use cryptocurrency, just Google it, it's easy.

Be more careful in the future so this doesn't happen again to you.

I have received dozens of copies of this email, with the text slightly different. Some of them end with "Don't hate me, everyone needs to do their own job." Some of them call the mysterious malware "RAT software". A couple of times the email was translated into Japanese. (I can read just a little bit of Japanese and was able to recognize it, and I showed it to a fluent friend who confirmed that it fit the above pattern.)

<sarcasm>I must say, my computer is running pretty well considering how many elite international hackers have been messing with it and installing RAT software and such.</sarcasm>

As it happens, I got one copy of the email at least a week before the deluge started. I realized it would have been very scary for someone who uses the same password everywhere and doesn't know how easy it is to forge the "From:" header. Doubly scary if that person actually visits porn sites.