

Massive 'Collection #1' Data Dump: What's In It and How Did it Happen?

Ariel Ainhoren
January 22nd, 2019
Subscribe to our blog and stay up to date
A new, massive leaked database (named “Collection #1”) made headlines last week after Troy Hunt published that he uploaded the database to his HaveibeenPwned website. This database has caused a lot of questions across the industry, so we wanted to provide an update on what we’ve found and how IntSights customers will know if they are impacted.
Timeline & Background
Troy Hunt got his database from a site named Raidforums. The user that published the data in raid forums just happened to stumble across it in Mega.nz, a known cloud file storage and sharing platform (Figure 1). The original post is dated January 7, 2019. But that user wasn’t the source of the collection, they just passed along a mega.nz link which was originally published by a user named Sanix.

Figure 1: Raidforums Post
We know that because two hours before the post in Raidforums, another post was published in a separate forum named Nulled.to. This post, by a user named Azatej, was the post the drove this collection into public knowledge (Figure 2). Azatej complained about Sanix and the fact that they shared the collection to mega.nz and advised people to steer clear from them. The reason for Azatej’s complaint was because Sanix has exposed combo lists from Azatej’s combo selling platform in that mega.nz link. Azatej decided to release the entire collection to the forum as well.
Azatej also claimed that most of the data inside the collection is from 2017 or older, and it’s not actionable for committing targeted attacks, as a great percentage of it is old and outdated.

Figure 2: Nulled.to Post
The user Sanix is most likely of Russian origin, as evidenced by their interface language on the screenshot of the database they sent as proof (Figure 3). From the dates in the files, it seems as this collection was assembled around November 2018 and that Sanix had started selling it around the start of December.

Figure 3: User Sanix's DB for Sale
There is a great deal of hype around this combo collection due to the sheer size of it, however, combo lists are nothing new. As with any chain mail or other internet phenomenon, combo lists are usually circulated over the course of many years and contain old, recycled data that’s already been exposed.
With that said, you can never be too cautious, so it's important to monitor for and analyze new data dumps, especially ones of this size.
IntSights Processing 'Collection #1'
IntSights obtained the Collection #1 database last week and we are continuing to process and analyze the data. Customers have been receiving alerts if any of their data or credentials are contained within the database. We will continue to track any further developments and will keep you updated as we keep analyzing the collection.
Subscribe to the IntSights blog to stay up to date on the latest news and best practices!

Ariel Ainhoren
Ariel Ainhoren is the Head of Research at IntSights, focused on discovering new cyber trends, threats, hacker strategies and vulnerabilities. He is a seasoned security professional with over 9 years of experience in the cyber industry, including expertise in computer forensics, malicious programs, cyber intelligence gathering and investigations. Ariel enjoys riding motorcycles and solving cyber puzzles, preferably byte by byte.
Stay up to Date!
Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.