11 May 2017

1 billion username and password credentials released

Over the past few days, a significant number of username/email address and password combinations have been released publicly, in lists known as Anti-Public and Exploit.in. In total, over 1 billion sets of details have been released.

  • The Anti-public list has been in use since December 2016. It contains 458 million unique email addresses, many alongside multiple different passwords. This suggests they were stolen from multiple sites and online spaces.
  • The Exploit.in list appears to have been in use since late 2016, although the information has only recently been published in accessible forums. This list contains 593 million unique email addresses.

At this time, the sources these credentials were stolen from is unknown. However, security specialist Troy Hunt has said that there are only 222 million instances of crossover between the two lists, which suggests that they’ve likely originated from different places. This also means that there’s a variation in the age of the credentials — some are years old, while some are more current.

It’s highly likely that these email addresses and passwords will be used for 'credential stuffing' attempts. Attackers will try the email and password combinations on different websites to see where passwords may have been reused, in order to gain access to a wide range of personal and financial information.

As a proactive measure, organisations like Spotify and DigitalOcean are encouraging all users to change their passwords urgently.

What to do

Mitigation

These releases have been extensively detailed by Troy Hunt, who runs the Have I been pwned? website. While CERT NZ has no affiliation with this website, and has not verified the data contained there, it does appear to be the central repository of all data breached in these releases. You can visit the site to see if your email address is included in the list of released details.

Check your email address on Have I been pwned?

If any of your email addresses have been compromised, CERT NZ recommends changing your password immediately — not just for the accounts listed in the compromise, but any others that you use the same login details for.

More information

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

Further information on the Anti Public and Exploit.in releases