Russian Cyber Criminal Named as Source of Massive Collection 1 Data Dump

A Russian cyber criminal going by the name of “C0rpz” is believed to be the source of a massive trove of over one billion online credentials known as “Collection 1,” the firm Recorded Future reports.

In a blog post on February 1, Recorded Future’s Insikt research group said that it observed a member of a “well-known Russian hacking forum” who goes by the name “C0rpz” sharing a database of 100 billion user accounts. That archive included the same sets of data that make up Collection 1, Recorded Future wrote.

“Collection 1” was the name given to a massive trove of passwords and other data publicized by the security researcher Troy Hunt, who created the website HaveIBeenPwned. Hunt first called attention to the existence of the archive after integrating its contents with the HaveIBeenPwned tool on January 17.

Collection 1 is a 773 million strong archive of credentials spanning some 12,000 separate files.  Subsequent analysis suggests the collection contains little new data. Rather, it represents the sum of many leaks and credential thefts going back more than three years.

Hunt noted at the time – and subsequent research has confirmed – that at least four other archives were also circulating on the cyber underground totaling billions of records and hundreds of millions of usernames and passwords.

Podcast Episode 125: Long After The Election Kremlin’s Computational Propaganda Campaign Rolls On

Hunt has noted that, while the data in them is not new, the collections increase the risk of their contents falling into the hands of cyber criminals or being used in automated “credential stuffing” attacks and other malicious activity.

In their analysis, Recorded Future’s Insikt Group points to Russian language hacker forums as the source of the stolen credential collections. By observing these forums directly, Recorded Future researchers were able to identify users offering links to databases of stolen credentials in the period from January 10th to January 17th, 2019.

In all, Recorded Future said it observed links to seven databases containing 993.53 GB of data. Those included three different variations of user credentials: email addresses and passwords, usernames and passwords, and cell phone numbers and passwords. In addition to the five collections already mentioned, Recorded Future noted two other archives being swapped on the Russian forums: “ANTIPUBLIC #1,” a 102 GB archive and“AP MYR & ZABUGOR #2,” a 19 GB archive.

Recorded Future analysis focused on the user “C0rpz” as the original creator and seller of Collection #1 as early as January 7, 2019. That data was sold to other forum members, including one named “Sanix,” who acquired the data and attempted to resell it to other forum members.

According to Recorded Future, Sanix was the individual identified by Brian Krebs in his article “773M Password ‘Megabreach’ is Years Old.”

Despite the post, Recorded Future rated their confidence in the assessment that the user “C0rpz” is the source of Collection 1 as “medium.” They noted that a January 10th post by a user of a well known Russian speaking hacker forum also posted a link to a 100 billion user account database that included the Collection 1 data. However, the company did not name that threat actor.

For individuals and organizations, the result is the same. Recorded Future notes that, regardless of who is responsible for the leaks, their easy availability in hacking forums will result in the data contained in the databases being used in credential-stuffing attacks from various threat actors.