‘Collection #1’ Data Dump Hacker Identified

leaky data

Despite several threat actors stating they are behind a massive 773M credential dump, researchers believe they have found the real distributor.


Researchers say they have identified the threat actor behind the massive “Collection #1” data dump which exposed hundreds of millions of credentials on a hacking forum in January.

Recorded Future researchers said this weekend that an individual using the monikor “C0rpz” has claimed as early as Jan. 7 to be the original creator and seller of the Collection #1 data. The original database of breached emails – totaling 773 million unique email addresses –was discovered a popular underground hacking forum on Jan. 17.

Multiple threat actors came forth after the data dump claiming to be the main seller of the compromised credentials – including a threat actor called “Clorox” as well as a forum member, “Sanix,” who was reportedly re-selling the credentials. However, due to the timeline of these claims, researchers assess with “moderate confidence” that C0rpz is the true main distributor who assembled and sold the massive trove of data.

“Sanix was the individual identified by Brian Krebs… and our analysis confirmed that this is the same individual who attempted to sell the database originally created by C0rpz,” researchers said. “Sanix has since been banned from the forum, and C0rpz has posted links to MEGA sharing Collection #1 free of charge to the community.”

Andrei Barysevich, director of advanced collection at Recorded Future, told Threatpost C0rpz is a “relatively new member of several low-level underground communities, and aside from selling databases of compromised email and password combinations, the actor was observed selling a custom-made brute-forcing tool for account stuffing attacks.”

“The actor was the first one to release the data on Jan. 7th,” he told Threatpost. “However, it is doubtful, that C0rpz had stolen the data himself and likely accumulated the records over time from various sources.”

In addition to “C0rpz,” researchers pointed to another actor from a “well-known Russian hacking forum,” who was also observed sharing a large database of 100 billion user accounts, which possibly has some of the same data sets found in Collection #1.

The actor on posted both a (peer-to-peer) magnet link and a direct download link to a database containing 100 billion user accounts hosted on a personal website on Jan. 10.

“While the C0rpz was first observed to release the data on Jan. 7, the Russian actor, who has been a respected member of several hacking communities since 2017, shared the data three days later on Jan. 10,” Barysevich told Threatpost. “Based on a Russian actor’s underground footprint, we assess with a high degree of confidence the he possesses adequate hacking and coding skills and maintains a spotless reputation among his peers.”

Troy Hunt was first alerted to the cache, which totals 87 GB of data, in January after it was spotted being hosted on the MEGA cloud service. The data, which has since been removed, was organized into 12,000 separate files under a root folder called “Collection #1” – which is how it got its name.

But as it turns out, Collection #1 was only a fraction of a larger amount of leaked credentials.

Last week, researchers at the Hasso Plattner Institute in Potsdam, Germany discovered another new trove of stolen data equaling 845 GB and 25 billion records in all (611 million credentials after de-duping).  The latest data dump, dubbed #Collection #2-5″ contained roughly three times as many unique records as Collection #1.

In fact, in all the entire set of compromised credentials totaled 993.53 GB of data, including addresses, cell phone numbers, and passwords, and are made up of the following sets:

“ANTIPUBLIC #1” (102.04 GB)

“AP MYR & ZABUGOR #2” (19.49 GB)

“Collection #1” (87.18 GB)

“Collection #2” (528.50 GB)

“Collection #3” (37.18 GB)

“Collection #4” (178.58 GB)

“Collection #5” (40.56 GB)

Moving forward, researchers warned that the impact of this massive trove of data will continue to be felt, and urged potential victims to reset their passwords.

“Recorded Future assesses with high confidence that the database Collection #1 and its variations will continue to be shared among dark web communities and incorporated in credential-stuffing attacks from various threat actors,” according to researchers.

For impacted victims, the massive seven-database dump on the Dark Web could be used for credential stuffing attacks or phishing attacks targeting exposed email addresses and phone numbers, researchers said.

“The emails and associated passwords were, unfortunately, made readily available to cybercriminals, who can now wreak havoc on the daily lives of the victims,” Terry Ray, senior vice president and Imperva  said in an email. “Armed with the recent and past credentials, hackers could access consumers data, troll social media platforms to spread propaganda, cash in on hard earn airline miles, sell contact data for spammers and even access bank accounts.”

Interested in learning more about data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.

This story was updated Feb. 5 at 12pm with further comments from Recorded Future about Corpz.

Suggested articles