Huge Data Breach Leads to 773 Million Email Addresses Being Leaked

We have had so many data breaches from a variety of different services and companies, but this one has to be the largest since 2013. A huge data breach has resulted in 773 million email addresses and 21 million unique passwords being leaked. It’s being referred to as “Collection #1.”

The Data Breach

Security researcher Troy Hunt reports that multiple people got in contact with him last week to show him “a constellation of 12,000 files with a total size of 87GB and nearly 2.7 billion records hosted on MEGA.”

The files have been removed from the hosting platform, but they are still on a popular hacking forum that was not named. The forum post described the source of data as “a collection of 2000+ dehashed databases and Combos (combinations of email addresses and passwords) stored by topic.”

The last known data leak of this scale was Yahoo’s 2013 leak, which hit nearly three billion accounts. The good news about both leaks is that there are no credit card details or other sensitive information in the leaked data. It’s just emails and passwords, but, of course, with that data, someone can hack you individually and access whatever you have stored in your email account.

Were You Hit?

Thankfully, Hunt has made it easy to check if your information was among the leaked data in Collection #1. He has integrated the database into his website, Have I Been Pwned, which is a larger database allowing you to search email addresses for past leaks.

Just visit Hunt’s site and enter your email address at the prompt. You will get a message showing whether your email was hacked. If your email is connected to a data leak, the site will show you, below that message, when and where you were subject to a breach.

The site also contains a password search to check if any of the data breaches contained a password that you use.

I have not checked passwords yet, but I did check all my emails. Two were not affected. One was a few times, but they are older breaches, and I have reset my password since on multiple occasions. The other was affected multiple times, including in Collection #1, so I need to change my password. Luckily, though, it is an email that I mostly just receive junk mail on.

Furthermore

This is definitely a scary prospect: so many emails were subject to the data breach that there’s a likelihood that you were included.

It’s imperative that you go to the above-mentioned site and check to see if you were affected. If you were affected, let us know below the steps you took to protect yourself in the future.

3 comments

  1. “One was a few times, but they are older breaches, and I have reset my password since on multiple occasions.”
    It seems like HIBP is like a roach motel, emails get in but they don’t get out. Once an email is listed on HIBP, it stays there forever, whether it is still vulnerable or whether it has been secured. This will generate false positives and angst and maybe even panic in affected users.

    Yesterday I checked our family’s email addresses. I got a shock. Three out of four accounts were listed as pwned. Only after scrolling to the bottom of the page did I find out that two accounts were compromised in 2013 breaches. Since then the passwords on those accounts were changed a couple of times. Why were they still listed in the HIBP database? Doesn’t Troy Hunt maintain the database besides adding new records to it?

    1. With over a million records in its database, there is no way Troy Hunt can check if one has changed their passwords or not. And its purpose is to let you know if your email was leaked in a breach, not to police you into changing your password.

      1. Understood.
        However, the utility and the accuracy of the information come into question. HIBP is providing a valuable service. Unfortunately, it turns into a “boy who cried wolf” scenario. When users keep checking their emails and those emails keep being reported as pwned, even after the passwords are changed repeatedly, after a while users will start ignoring HIBP and/or quit checking altogether.

        “And its purpose is ... not to police you into changing your password.”
        Just to scare you into changing your password. :-)
