Threat Actor Behind Collection #1 Data Breach Identified

Posted: 1st February 2019
Threat Actor Behind Collection #1 Data Breach Identified

Executive Summary

On January 17, 2019, security professional Troy Hunt disclosed “Collection #1,” a data breach collection of 1,160,253,228 unique combinations of email addresses and corresponding passwords. A total of 772,904,991 unique email addresses and 21,222,975 unique passwords were discovered. Then, on January 31, PCWorld reported that researchers at the Hasso Plattner Institute discovered an additional 611 million credentials they attributed to the Collection #1 data breach.

Recorded Future analyzed the complete dump on January 19, 2019 and confirmed that many of the account credentials contained in Collection #1 are from a wide variety of previous data breaches, some of which are two to three years old, and may not contain newly compromised accounts.

Multiple threat actors claimed to be the source of the data and were distributing these databases throughout the dark web, including the threat actor “Clorox.” However, Recorded Future assesses with moderate confidence that the original creator and seller of Collection #1 was the actor “C0rpz.” Another actor from a well-known Russian hacking forum was also observed sharing a large database of 100 billion user accounts, which possibly has some of the same datasets found in Collection #1.

Threat Analysis

Insikt Group discovered a forum post created on January 17, 2019 by Clorox, who posted seven URLs to separate databases hosted on the file sharing service MEGA. In total, the seven databases listed below contained 993.53 GB of data containing three different variations of user credentials: email addresses and passwords, usernames and passwords, and cell phone numbers and passwords.

  • “ANTIPUBLIC #1” (102.04 GB)
  • “AP MYR & ZABUGOR #2” (19.49 GB)
  • “Collection #1” (87.18 GB)
  • “Collection #2” (528.50 GB)
  • “Collection #3” (37.18 GB)
  • “Collection #4” (178.58 GB)
  • “Collection #5” (40.56 GB)

In the forum post, Clorox linked to the Troy Hunt article “The 773 Million Record ‘Collection #1’ Data Breach,” claiming that the database Troy Hunt has is incomplete and is only a fraction of the original dump known on the dark web as Collection #1. Furthermore, Clorox stated that the original data dump was being sold on a different forum by another party, who then took down the original files that were hosted on different URLs on MEGA. Troy Hunt, according to Clorox, was able to download one of these databases that the individual forgot to remove, though the individual did remove it shortly after.

Further analysis showed another individual using the moniker C0rpz, who claimed to be the original creator and seller of Collection #1 as early as January 7, 2019. C0rpz also stated that another forum member, “Sanix,” purchased Collection #1 from them and then attempted to resell it to other forum members. Sanix was the individual identified by Brian Krebs in his article “773M Password ‘Megabreach’ is Years Old,” and our analysis confirmed that this is the same individual who attempted to sell the database originally created by C0rpz. Sanix has since been banned from the forum, and C0rpz has posted links to MEGA sharing Collection #1 free of charge to the community.

Recorded Future discovered yet another possible source of Collection #1. On January 10, 2019, an actor on a well-known Russian-speaking hacker forum posted both a magnet link and a direct download link to a database containing 100 billion user accounts hosted on a personal website. The following week, the actor made clear that the data dump referenced in Troy Hunt’s article was included in their dump as well.


Recorded Future assesses with high confidence that the database Collection #1 and its variations will continue to be shared among dark web communities and incorporated in credential-stuffing attacks from various threat actors. However, many of the account credentials contained in Collection #1 are from a wide variety of previous data breaches, some of which are two to three years old. It is highly likely that many of the affected individuals already have been required to change their passwords which would otherwise have been compromised by this leak.

Individuals should be prepared for phishing attacks that could target exposed email addresses or cell phone numbers. Current customers can contact their Recorded Future Intelligence Services consultants if they are interested in learning more.