A massive database containing nearly 773 million unique email addresses and 21 million plain text passwords has been found online in what is shaping up to be possibly one of the largest data breaches of all time.

Discovered by Have I Been Pwned founder Troy Hunt, the database, dubbed “Collection #1,” was found to be available for download on the MEGA file hosting service.

The data is believed to be a combination of stolen data from individual data breaches from thousands of different sources. The database contains a total of 1,160,253,228 unique combinations of email addresses and passwords, 772,904,991 unique email addresses and 21,222,975 unique passwords.

About 663 million of the addresses had been previously indexed by Have I Been Pwned, indicating much of the data had been recycled. However, 140 million of the addresses are apparently new, indicating they were obtained in more recent hacks that haven’t been indexed or made publicly available before.

Underscoring just how big the database is, Ruchika Mishra, director of products and solutions, Balbix Inc., called the trove “monumental.”

“Hackers could have accessed this data at any point while it was stored on MEGA, or the following hacking forum where it lived after MEGA took it down,” Mishra told SiliconANGLE. “This information could be used for credential stuffing attacks which can harm businesses and individual users alike.”

Felix Rosbach, a product manager at comforte AG, said the size of the database means multiple breaches must have occurred. But he wonders if the organizations or affected users even know that a breach took place.

“As a private individual, sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security,” Rosbach said. “The best way to protect yourself is to use different passwords for all your online accounts and change them regularly. Otherwise, if one is compromised, then you can assume they’ve all been compromised.”

Businesses also might not be aware of the breach. “In the end, the most important thing to do is to protect your customers’ data,” he said “With modern solutions such as FPE or tokenization you can render personally identifiable information useless to hackers.”

Jacob Serpa, product marketing manager at Bitglass Inc., said the whole affair reveals the failure of organizations to secure their data.

“Leaked credentials leave individuals vulnerable to account hijacking across all services where they recycle their usernames and passwords,” he said. “Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless behavior. As such, organizations must simultaneously defend their data against leakage and authenticate their users to ensure that they are who they say they are.”

Terence Jackson, chief information security officer at Thycotic Software Ltd., thinks the breach exposes a need for more consumer education.

“Many people still use the same passwords across sites for personal and business purposes because it’s convenient until something like this happens and it’s back in the headlines,” Jackson said. “Using unique passwords on each site isn’t a magic bullet, but the goal here is to limit the damage that could be done in a credential stuffing or brute force type attack. As a CISO, this type of attack would concern me because employees often use their corporate emails to sign up for services and often use the same passwords.”

Image: Troy Hunt