Credential Stuffing Attacks Possible now due to Massive Data Breach
Who: People’s Email Addresses and Passwords used to log in to third-party sites
No. of Accounts Breached: 773 million unique email addresses and 21 million unique passwords that were used to log in to third-party sites
What was affected: 773 million unique email addresses and 21 million unique passwords that were used to log in to third-party sites
How it happened: According to Have I Been Pwned founder Troy Hunt in a post published Wednesday, the monster list is a compilation of many smaller records taken from past breaches and has been in wide circulation over the past week. It was also posted to the MEGA file sharing site. At least one of the included breaches dated back to 2015. Dubbed “Collection #1,” the aggregated data was likely scraped together to serve as a master list that hackers could use in credential stuffing attacks. These attacks use automated scripts to inject credentials from one breached website into a different site in hopes the holders reused the same passwords.