A collection of 2,844 files containing passwords connected to 80 million email addresses has been discovered online, security researcher Troy Hunt reported.
Hunt operates Have I Been Pwned?, which alerts subscribers when their email address is in a data breach.
The latest cache of data was discovered on a hacking forum, where a poster linked to an 8.8GB zip file.
It contained almost 3,000 files of usernames, email addresses, and plain text passwords.
Each file appeared to be named after the service its credentials were taken from.
Hunt noted that amongst the data was a set of email addresses and plain text passwords that appeared to be from Dropbox.
Information that Dropbox had been breached surfaced in 2016, with the company confirming the hack.
Using the data from the Dropbox breach, Hunt tried to correlate passwords in the 8.8GB cache. While several matched, most did not.
Hunt drew several conclusions from this:
- Dropbox allowed weak passwords at one point.
- All the passwords in the new cache were not ones cracked in the original breach.
- Someone has joined email addresses from one source with passwords from another.
While Hunt usually informs people of which breach their email address was discovered in, in this case it is not possible as there is no direct association between the accounts in Have I Been Pwned? and the source file.
He did list the names of the source files in the hope that people will recognise a service they’ve used in the past.
“I have no idea how many of these are legitimate, how many are partially correct, and how many are outright fabricated,” said Hunt.
“I’ve consequently flagged this breach as unverified.”
He added, however, that the cache does contain passwords that were previously used by the email addresses they are associated with.
Websites listed in the reported data breach include Plex (plex.tv), Lord of the Rings Online (lotro.com), and MalwareBytes.org.
The South African sites listed were: