Anatomy of a Breach

Anatomy of a Breach: Collection #1 — 773 Million Email Addresses and the Credential Dump That Dwarfed Everything Before It

> series: anatomy_of_a_breach —— part: 121 —— dataset: collection_1 —— emails: 773,000,000 —— passwords: 21,000,000<span class="cursor-blink">_</span>_

Hedgehog Security 31 January 2019 13 min read
collection-1 credential-dump 773-million password-reuse credential-stuffing troy-hunt series
Breach #121

773 million emails. 21 million passwords. Aggregated from thousands of breaches. Available to everyone.

In January 2019, Troy Hunt — the security researcher behind Have I Been Pwned — reported the discovery of Collection #1: a 87GB dataset containing 773 million unique email addresses and over 21 million unique plaintext passwords, compiled from thousands of separate data breaches spanning years. The dataset had been assembled by aggregating credentials from breaches old and new — LinkedIn, Adobe, Myspace, and hundreds of smaller breaches — into a single, searchable, weaponisable collection.

Within weeks, Collections #2 through #5 were discovered, bringing the total to approximately 2.2 billion unique username-password pairs. The scale was staggering: 2.2 billion credentials represents a significant fraction of the world's internet-connected population. For credential-stuffing attackers, the Collection datasets provided an industrial-scale ammunition supply — making password-only authentication fundamentally untenable for any service connected to the internet.

The End of Password-Only Authentication
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

2.2 billion credentials. Password-only authentication is over.

Aggregated From Thousands of Breaches
Collection #1 was not a single breach — it was the aggregation of credentials from thousands of breaches, compiled into a single dataset for credential-stuffing convenience. This demonstrates that breach data is cumulative: every breach documented in this series contributes to the growing pool of compromised credentials. <a href="https://www.socinabox.co.uk/blog/what-is-the-dark-web-business-guide">Dark web monitoring</a> through <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects when your credentials appear in these aggregated datasets.
MFA Is Now Non-Negotiable
With 2.2 billion credentials available, the probability that any given user's password has been compromised at least once approaches certainty. MFA is the only control that remains effective when passwords are compromised at this scale. <a href="/cyber-essentials">Cyber Essentials Danzell</a> makes MFA an auto-fail criterion because the evidence from a decade of this series — culminating in Collection #1 — is irrefutable.
Credential Stuffing at Scale
The Collection datasets fuelled an explosion in credential-stuffing attacks throughout 2019 and beyond. Automated tools testing billions of credentials against every internet-facing login page became the dominant attack methodology. Our <a href="/penetration-testing/web-application">application testing</a> includes credential-stuffing simulation and rate-limiting assessment.
Passkeys and FIDO2 — The Future
Collection #1 accelerated the industry's move toward passwordless authentication — FIDO2/WebAuthn and passkeys that eliminate passwords entirely. <a href="/cyber-essentials">Cyber Essentials Danzell</a> now accepts passkeys and FIDO2 as MFA methods, reflecting the industry's direction.
Lessons

Every breach in this series contributed to Collection #1.

Collection #1 is the aggregated consequence of every credential breach documented throughout this series — from LinkedIn (117M) through Adobe (153M) to Yahoo (3B). Each breach added credentials to the pool; Collection #1 made the pool searchable. The lesson is stark: any password that has ever been used on any service that has ever been breached is now effectively public knowledge. Password-only authentication is over.

Cyber Essentials mandates MFA. Dark web monitoring through SOC in a Box detects credential exposure. Our application testing validates authentication controls and credential-stuffing defences. And UK Cyber Defence provides incident response when credential compromise leads to account takeover.

The End of Passwords

2.2 billion credentials are public. MFA is the only answer. Is yours deployed universally?

<a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates MFA. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors dark web credential databases. Our <a href="/penetration-testing">penetration testing</a> validates authentication controls.

Commission a Security Assessment Next: 620M Accounts Dump
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 31 July 2016

Anatomy of a Breach: The Credential Stuffing Epidemic — When Mega-Breach Data Was Weaponised at Scale

Breach #091. In the summer of 2016, the mega-breach credential datasets that surfaced in May were weaponised at industrial scale. TeamViewer users reported unauthorised access to their computers; GoToMyPC forced password resets for all users; Carbonite, GitHub, and dozens of other services reported credential-stuffing attacks. The pattern was identical: attackers took email-password combinations from LinkedIn, Myspace, and Tumblr breaches and tried them against every other service, succeeding wherever users had reused passwords.

credential-stuffing teamviewer
12 min read
Anatomy of a Breach 30 November 2025

Anatomy of a Breach: 16 Billion Credentials Leaked — The Infostealer Aggregation That Dwarfed Collection #1

Breach #203. In mid-2025, researchers uncovered 30 exposed datasets containing more than 16 billion login credentials — including passwords for Google, Apple, Facebook, Telegram, GitHub, and government services. The datasets were not from a single breach but from a massive aggregation of credentials stolen by infostealer malware and compiled from earlier breaches. The compilation dwarfed Collection #1's 773 million credentials (2019) by a factor of twenty. While no single platform was breached, the aggregation itself was as dangerous as any individual breach — enabling industrial-scale credential stuffing and account takeover against every platform on the internet.

credential-leak 16-billion
13 min read
Anatomy of a Breach 31 October 2023

Anatomy of a Breach: 23andMe — When Credential Stuffing Exposed Genetic Data and Family Relationships

Breach #178. In October 2023, 23andMe — the consumer genetic testing company — disclosed that attackers had used credential-stuffing to access approximately 14,000 accounts directly, and then exploited 23andMe's 'DNA Relatives' feature to scrape the genetic ancestry data and family relationship information of approximately 6.9 million users connected to those accounts. The exposed data included ancestry reports, ethnicity estimates, birth years, geographic locations, family relationship connections, and genetic data. The breach raised fundamental questions about the security of genetic data — the most personal, permanent, and immutable data category that exists.

23andme genetic-data
14 min read
All Posts Get in Touch