Collection #1 (
unverified): In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7
billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post
The 773 Million Record "Collection #1" Data Breach.
Compromised data: Email addresses, Passwords
Exactis: In June 2018,
the marketing firm Exactis inadvertently publicly leaked 340 million records of personal data. Security researcher
Vinny Troia of Night Lion Security discovered the leak contained multiple terabytes of personal information spread across hundreds of separate fields including addresses, phone numbers, family structures and extensive profiling data. The data was collected as part of Exactis' service as a "compiler and aggregator of premium business & consumer data" which they then sell for profiling and marketing purposes. A small subset of the exposed fields were provided to Have I Been Pwned and contained 132 million unique email addresses.
Compromised data: Credit status information, Dates of birth, Education levels, Email addresses, Ethnicities, Family structure, Financial investments, Genders, Home ownership statuses, Income levels, IP addresses, Marital statuses, Names, Net worths, Occupations, Personal interests, Phone numbers, Physical addresses, Religions, Spoken languages
Exploit.In (
unverified): In late 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Exploit.In". The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read
Password reuse, credential stuffing and another billion records in Have I been pwned.
Compromised data: Email addresses, Passwords
Kayo.moe Credential Stuffing List (
unverified): In September 2018, a collection of almost 42 million email address and plain text password pairs was uploaded to the anonymous file sharing service
kayo.moe. The operator of the service contacted HIBP to report the data which, upon further investigation, turned out to be a large credential stuffing list. For more information, read about
The 42M Record kayo.moe Credential Stuffing Data.
Compromised data: Email addresses, Passwords
MySpace: In approximately 2008,
MySpace suffered a data breach that exposed almost 360 million accounts. In May 2016 the data was offered up for sale on the "Real Deal" dark market website and included email addresses, usernames and SHA1 hashes of the first 10 characters of the password converted to lowercase and stored without a salt. The exact breach date is unknown, but
analysis of the data suggests it was 8 years before being made public.
Compromised data: Email addresses, Passwords, Usernames
River City Media Spam List (
spam list): In January 2017,
a massive trove of data from River City Media was found exposed online. The data was found to contain almost 1.4 billion records including email and IP addresses, names and physical addresses, all of which was used as part of an enormous spam operation. Once de-duplicated, there were 393 million unique email addresses within the exposed data.
Compromised data: Email addresses, IP addresses, Names, Physical addresses
