The Largest Credential Dump in History
In January 2019, security researcher Troy Hunt discovered a massive data dump on the cloud storage service MEGA. Labeled "Collection #1," it contained 87 gigabytes of data comprising 773 million unique email addresses and more than 21 million unique passwords.
But Collection #1 wasn't a single breach. It was a compilation — an aggregated dataset assembled from thousands of separate data breaches, some dating back years. It was designed for one purpose: credential stuffing at industrial scale.
What Is Credential Stuffing?
Credential stuffing is an automated attack where stolen username/password combinations from one breach are tested against other services. Because people reuse passwords across sites, a significant percentage of these combinations will work.
Collection #1 represented the industrialization of this attack. With 773 million email/password pairs, attackers could automate login attempts against virtually any online service and expect a meaningful success rate.
The Collection Series
Collection #1 was just the beginning. Shortly after its discovery, Collections #2 through #5 were also found circulating on hacking forums:
- Collection #1: 773 million emails, 21 million passwords
- Collections #2-5: An additional 2.2 billion unique email/password pairs
- Total across all collections: approximately 3.5 billion credentials
These collections represented the accumulated output of years of data breaches, all packaged for easy use by anyone willing to run credential stuffing tools.
Who Created It?
The collections were compiled by unknown aggregators who gathered breach data from underground forums, paste sites, and private trading channels. The data came from dozens of known breaches (LinkedIn, Dropbox, Adobe, and many others) alongside numerous smaller, less publicized incidents.
The compiler didn't necessarily carry out the original breaches — they simply collected, deduplicated, and repackaged existing stolen data into a convenient format.
The Scale Problem
The sheer volume of Collection #1 illustrates a fundamental problem in cybersecurity: the cumulative effect of data breaches. Every individual breach adds more credentials to the pool. Over time, these pools become comprehensive enough that attackers can reasonably expect to find working credentials for almost any service.
Even if a specific service has never been breached, its users may be vulnerable because they reused a password from a service that was.
How to Protect Yourself
- Use a unique password for every account. This is the only reliable defense against credential stuffing. A password manager makes this practical.
- Enable two-factor authentication wherever available. Even if your password is compromised, 2FA provides an additional barrier.
- Check if you're in a breach database. Services like LeakedSource let you search for your email to see which breaches include your credentials.
- Change passwords that appear in breaches immediately. If a password you still use shows up in breach data, assume it's compromised.
The era of massive credential compilations means that password reuse is riskier than ever. Search your email on LeakedSource and take action on any exposed accounts today.