
Largest cache of hacked email credentials ever discovered online

The biggest collection of hacked emails ever discovered has been leaked online. The enormous cache of email address credentials was found by a security researcher on a hacking forum. 

It is believed that the enormous treasure trove of hacked email credentials was uploaded to the forum in mid-December. It consists of more than 770 million email addresses and passwords.

The massive collection of passwords was discovered by Troy Hunt, who runs the Have I Been Pwned breach notification website. According to Hunt, the cache of passwords is most likely the result of various different breaches, rather than the spoils of a single hack.

On his website, Hunt explains that “in total, there are 1,160,253,228 unique combinations of email addresses and passwords” and “21,222,975 unique passwords”.

According to Hunt, the vast majority of the hacked email credentials have appeared online before; he concludes that the majority came from hacks such as the 360 million MySpace accounts hacked back in 2008 or the 164 million LinkedIn accounts hacked in 2016.


Many new passwords

That said, the security researcher was able to ascertain that at least 140 million email addresses from this leak had never been featured in his Have I Been Pwned (HIBP) database. 

Consumers are being advised not only to check whether they have been affected by this (or a previous) breach by entering their email into Have I Been Pwned, but also to go ahead and update their email passwords to be on the safe side.

More importantly, anybody who has not set up dual factor authentication on their email account is strongly advised to do so; this will stop hackers from getting in using a password alone.

Password managers and unique passwords

As is always the case when this kind of breach is made public, it is a serious reminder of the need for consumers to use complex and unique passwords. Often when hacks occur, cybercriminals will use credentials in order to attempt to penetrate secondary online services such as social media accounts on Twitter and Facebook. 

Consumers who use the same password and email address to access various accounts always leave themselves open to the possibility of cross-service penetrations. It is for this reason that it is so vital for consumers to use a variety of unique passwords across their accounts. What’s more, due to sophisticated brute force techniques, it is essential for passwords nowadays to be difficult to guess.
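As an added example (not part of the original article), the sketch below shows how a service operator could tell the credential replay described above apart from brute-force guessing in its own login records, and which accounts need a forced reset. The log format, thresholds and function names are assumptions made for illustration, and the sample data is constructed.

```python
import re
from collections import defaultdict

# Hypothetical log line format: "<timestamp> ip=<addr> user=<login> result=OK|FAIL"
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

def build_sample_log():
    """Constructed sample data (documentation IP ranges, made-up users)."""
    lines = []
    # One try each against six accounts: leaked pairs being replayed; one works.
    for i, name in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        result = "OK" if name == "carol" else "FAIL"
        lines.append(f"2019-01-17T10:00:{i:02d}Z ip=203.0.113.5 user={name}@example.com result={result}")
    # Eight guesses at a single account.
    for i in range(8):
        lines.append(f"2019-01-17T10:05:{i:02d}Z ip=198.51.100.7 user=admin@example.com result=FAIL")
    # A legitimate user who mistypes once, then logs in.
    lines.append("2019-01-17T10:09:00Z ip=192.0.2.10 user=grace@example.com result=FAIL")
    lines.append("2019-01-17T10:09:05Z ip=192.0.2.10 user=grace@example.com result=OK")
    return "\n".join(lines)

def parse(log_text):
    """Return one dict (ip, user, result) per recognisable log line."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def classify_sources(events, min_users=5, max_per_user=2, min_fail_ratio=0.8, brute_tries=5):
    """Label each source IP 'stuffing', 'brute_force' or 'normal'."""
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> user -> all attempts
    fails = defaultdict(lambda: defaultdict(int))     # ip -> user -> failed attempts
    for e in events:
        attempts[e["ip"]][e["user"]] += 1
        if e["result"] == "FAIL":
            fails[e["ip"]][e["user"]] += 1
    verdicts = {}
    for ip, per_user in attempts.items():
        fail_ratio = sum(fails[ip].values()) / sum(per_user.values())
        if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                and fail_ratio >= min_fail_ratio):
            verdicts[ip] = "stuffing"      # many accounts, one or two tries each
        elif max(fails[ip].values(), default=0) >= brute_tries:
            verdicts[ip] = "brute_force"   # repeated guesses at one account
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts that logged in from a stuffing source: a reused password worked."""
    return sorted({e["user"] for e in events
                   if e["result"] == "OK" and verdicts.get(e["ip"]) == "stuffing"})
```

The fail-ratio condition keeps a shared gateway with many legitimate users from being labelled as a stuffing source.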

A long chain of random characters, numbers, and symbols is always best. A truly strong password will be too difficult for most people to remember. For this reason, consumers are advised to make use of a reliable password manager like KeePass.


Password managers let people protect all their accounts with strong unique passwords while allowing them to remember just one password for the password manager itself. 

The best password managers (KeePass or BitWarden) use end-to-end encryption to protect users’ passwords. This is a highly secure method of ensuring all accounts have a unique strong password because only the user holds the keys. (This does mean that, if the master password is forgotten, there is no way of recovering the passwords from the password manager itself.)

Other password managers such as FastPass encrypt the passwords on their servers themselves and hold a copy of the key. This allows for account recovery - but is nowhere near as secure.  

This applies to you!

Finally, for anybody who thinks they haven’t been penetrated - it is worth noting that cybersecurity experts such as Jake Moore at ESET UK say “it is quite a feat not to have had an email address or other personal information breached over the last decade.”

Remember, even high profile tech personalities such as Facebook’s Mark Zuckerberg have had account breaches, so just assuming it hasn’t happened to you is not a good way of thinking.

Update your passwords regularly and ensure they are long and complex with a combination of standard letters, capitals and numbers, or ensure that they are unique and robust by using a password manager.

If news about data breaches like this has got you thinking about taking precautions with your own digital privacy, check out our best VPN services page for more information.


Written by: Ray Walsh

Digital privacy expert with 5 years experience testing and reviewing VPNs. He's been quoted in The Express, The Times, The Washington Post, The Register, CNET & many more. 

