Collection #1 is a collection of email addresses and passwords from many smaller data breaches and was posted to a popular hacking forum in January of 2019. In total, the file included 2.7 billion records and 773 million unique records.
More info on the largest data breach.
Verifications.io offers email address validation services to businesses and suffered a data breach in Feb 2019. Originally discovered by Bob Diachenko and Vinny Troia, this data breach was the result of data being stored in a publicly facing database without passwords, and it exposed 763 million unique email addresses. Additional personal information in this breach included names, phone numbers, IP addresses, birth dates and genders.
Security researcher Benkow moʞuƎq identified a spambot by the name of Onliner in Aug 2017. This malicious spambot software included a server component with an IP address based out of the Netherlands which exposed a significant volume of personally identifiable information, 711 million records in total. More information on this data breach can be found in this article.
This data breach, which included 593 million unique email address and password pairs, was discovered in late 2016 and was referred to as Exploit.in. The list combined email addresses and passwords from various online systems, was broadly circulated, and was used for “credential stuffing”, a tactic employed by hackers to identify other online systems where the account owner had reused their password.
Over 500 million Facebook users had their data exposed in one of the largest data breaches on record, which was the result of a vulnerability in the Facebook application. This vulnerability was apparently fixed in August 2019, but the data was leaked in April of 2021.
This data breach accounted for over 20% of Facebook users at the time, and the primary value of the data is the association of phone numbers with identities, since each record included a phone number.
The “Anti Public” data breach targets users who reused their passwords and is used by hackers in a tactic called credential stuffing.
The Anti Public list was discovered in December 2016 and included a massive list of 458 million email addresses and passwords.
River City Media, allegedly one of the most prolific spamming operations, forgot to safeguard one of its database backups and exposed almost 1.4 billion records. The records included IP addresses, real names and physical addresses that fueled the spamming operation. Once de-duped, the file contained 393 million records.
The databases that were involved in this leak were available publicly for almost 3 months but were then taken offline.
MySpace suffered a data breach of 359 million accounts sometime in 2008. The data from this breach was offered for sale on the dark web in 2016 and included usernames, email addresses and the SHA1 hashes of the first 10 characters of the password.
Troy Hunt from HIBP analyzed the data and suggests the exact date of the data breach was 8 years earlier.
This data breach exposed personal data such as names, user names, email addresses, genders, birth dates and passwords stored as bcrypt hashes.
Wattpad users' data was exposed in Jun 2020; it was initially sold and then published to a hacking forum where it was broadly shared.
The largest data breach that we know of is referred to as Collection #1 which included 772 million email addresses and passwords. Collection #1 consolidates many individual data breaches into a single collection.