“Monster” Data Breach Puts Millions at Risk to Credential-Stuffing Hacks
The Guardian reported that, in December 2018, the largest collection of online data breaches in history was discovered, including some 770 million email addresses and passwords. This 87GB database was discovered by Troy Hunt, who runs a breach notification service and believes that the compromised information was sourced from thousands of different individual data breaches. Hunt told the Guardian that some of these email and password combinations had been leaked in the past; however, the hackers involved in this scheme leaked 140 million new email and password combinations in December 2018.
As Wired reported, the breached email addresses and passwords were not posted “in some dark web backwater, but on one of the most popular cloud storage sites”—until the collection was taken down. The collection then reappeared, Hunt said, on a public hacking site. According to Wired, the accumulated list appeared to have been intended for use in “credential-stuffing attacks,” where hackers use automated processes to attempt to access other sites or services using the breached email and password combinations. Such hacks work on people who reuse passwords across the Internet. The Wired report also noted that the breached passwords had been posted in plaintext, rather than encrypted, so hackers with little technical prowess could make use of them.
This incident contrasts with the extensive media coverage of the Cambridge Analytica data breach in early 2018. By comparison, as of March 2019, no US establishment news outlet appears to have covered the data breach identified by Hunt and reported in the Guardian.
Alex Hern, “Largest Collection Ever of Breached Data Found,” The Guardian, January 17, 2019,
Brian Barrett, “Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach,” Wired, January 16, 2019, https://www.wired.com/story/collection-one-breach-email-accounts-passwords/.
Student Researchers: Pia Belmonte, Liana Gudin, and Kerrin Thomas (University of Massachusetts Amherst)
Faculty Evaluator: Allison Butler (University of Massachusetts Amherst)