Massive 'Collection #1' Data Dump: What's In It and How Did it Happen?

A new, massive leaked database (named “Collection #1”) made headlines last week after Troy Hunt published that he uploaded the database to his HaveibeenPwned website. This database has caused a lot of questions across the industry, so we wanted to provide an update on what we’ve found and how IntSights customers will know if they are impacted.

Timeline & Background

Troy Hunt got his database from a site named Raidforums. The user that published the data in raid forums just happened to stumble across it in Mega.nz, a known cloud file storage and sharing platform (Figure 1). The original post is dated January 7, 2019. But that user wasn’t the source of the collection, they just passed along a mega.nz link which was originally published by a user named Sanix.

Figure 1: Raidforums Post

We know that because two hours before the post in Raidforums, another post was published in a separate forum named Nulled.to. This post, by a user named Azatej, was the post the drove this collection into public knowledge (Figure 2). Azatej complained about Sanix and the fact that they shared the collection to mega.nz and advised people to steer clear from them. The reason for Azatej’s complaint was because Sanix has exposed combo lists from Azatej’s combo selling platform in that mega.nz link. Azatej decided to release the entire collection to the forum as well.

Azatej also claimed that most of the data inside the collection is from 2017 or older, and it’s not actionable for committing targeted attacks, as a great percentage of it is old and outdated.

Figure 2: Nulled.to Post

The user Sanix is most likely of Russian origin, as evidenced by their interface language on the screenshot of the database they sent as proof (Figure 3). From the dates in the files, it seems as this collection was assembled around November 2018 and that Sanix had started selling it around the start of December.

Figure 3: User Sanix's DB for Sale

There is a great deal of hype around this combo collection due to the sheer size of it, however, combo lists are nothing new. As with any chain mail or other internet phenomenon, combo lists are usually circulated over the course of many years and contain old, recycled data that’s already been exposed.

With that said, you can never be too cautious, so it's important to monitor for and analyze new data dumps, especially ones of this size.

IntSights Processing 'Collection #1'

IntSights obtained the Collection #1 database last week and we are continuing to process and analyze the data. Customers have been receiving alerts if any of their data or credentials are contained within the database. We will continue to track any further developments and will keep you updated as we keep analyzing the collection.

Subscribe to the IntSights blog to stay up to date on the latest news and best practices!