Troy Hunt, the man behind the "Have I been pwned?" service designed to help you find out if your account is part of a recent data breach, reported that almost 42 million credential records have been found by kayo.moe in their database.
Although this story starts like all data breach stories start, this one is very different. Instead of a website being breached and leaking millions of records, this time the website admins are the heroes seeing that kayo.moe's admins were the ones who let Hunt know something fishy was going on.
More precisely, Hunt was contacted by the guys behind the public anonymous hosting service who let him know that they found a huge 1.8 GB collection of 755 files recently uploaded on their servers.
According to Troy Hunt's report, most of those files contained lists of record in the form of username:password, known to be used as the starting point for credential stuffing attacks, where pairs of username and passwords are automatically injected within login forms to illegally gain access to e-mail accounts.
Although it doesn't sound so ominous, credential stuffing is one of the most common methods used by online criminals to take over accounts, and probably one of the simplest given the ubiquity of data breaches during the last few years.
More than 4 million records were never seen username:password pairs
As Hunt points out, more than a billion accounts have been added to haveibeenpwned.com's database during a single month of 2017, making credential stuffing one of the most important and pervasive attack vectors for breaking into e-mail accounts.
After analyzing the file collection, the security researcher discovered that they contained almost 42 million unique records, with around 93% of them already included in haveibeenpwned.com database as he found out after cross-checking the data sets.
Although the total number of e-mail usernames and password pairs discovered is quite astonishing, the more than 4 million records that weren't found in haveibeenpwned.com's database are also quite worrying.
If those records are collected and not randomly generated, they might point to other data breaches yet to be discovered.
If you want to make sure that you won't be affected by any future breach incidents, make sure that you never reuse your passwords and pick up a passwords manager to help generate and securely store your credentials.