1,300,000,000 passwords exposed in historic cybercriminal-linked breach

An estimated 1,300,000,000 passwords and 2,000,000,000 email addresses have been leaked online in a historic breach.

Have I Been Pwned, which notifies internet users if their information has been breached, said cybercriminals are behind the massive leak.

HIBP CEO Troy Hunt has warned that anyone in the leak should change their passwords immediately as a precaution.

He added: ‘This corpus is nearly three times the size of the previous largest breach we have ever loaded.’

625,000,000 of the passwords had never before been detected in a breach, he said.

‘I hate hyperbolic news headlines about data breaches, but for the ‘2 Billion Email Addresses’ headline to be hyperbolic, it’d need to be exaggerated or overstated – and it isn’t,’ he added.

Those affected are able to see if their passwords and emails are included by using HIBP’s free service.

It comes less than a month after an additional 183,000,000 account details were breached by cybercriminals.

The massive trove of data was originally leaked from computers infected with a type of malware called infostealers, which log the email address and password used when a user logs into a website.

Chunks of this data – known as ‘stealer logs’ – were leaked online, ending up on easily-accessible platforms such as Telegram, social media sites and web forums.

How to see if your information was leaked

You can check whether the details for any accounts you might have were shared in the data breaches collated by Have I Been Pwned.

To do so, navigate to their website and enter your email address.

This will not only show whether the email account itself was compromised but also any website or app accounts created using that email address.

The compromised details can include email addresses, passwords and other details such as your name and locations linked to the account.

To check whether any breaches linked to your account showed up in stealer logs specifically, you can create a Have I Been Pwned account, after which you’ll be directed to a dashboard.

On this dashboard, navigate to ‘Stealer Logs’ and any instances where your email addresses were recorded in a stealer log will be displayed.

You can also see if a given password has appeared in a data breach using Pwned Passwords, although details about the leaks are not shown.

Stealer logs are shared by a huge and complex ecosystem of hackers who are not working together and often copy older logs, meaning significant new breaches are very difficult to expose.

A US college student working with cybersecurity firm Synthient created a system to trawl vast amounts of data from this ecosystem, dating back to April: no less than 23 billion rows of it.

At peak times as many as 600 million stolen credentials were shared in a single day, the system found.

If the result says passwords were also leaked in that breach, and you have not changed your password since the breach occurred, then you should change your password as soon as possible.
