skip to Main Content

The “Collection #1” Data Breach could be useful to the cyber security experts

The “Collection #1” Data Breach Could Be Useful To The Cyber Security Experts

The “Collection #1” data breach could also have a positive effect on cyber security. Marco Ramilli of Yoroi, analyzing it, answered three questions that could led to better understand users behaviours and improve their protections against cyber threats

The case of the “Collection #1” data breach, published by Troy Hunt (773 Millions of new Records), had also a positive effect. It led the cyber security experts pose some questions and give answers. Analyzing it, in fact, is possible to learn a lot on how’s changing the web experience from the users point of view. And consequently the threats and the weaknesses, that could be exploited by bad actors to launch cyber attacks. Marco Ramilli, white-hat hacker and founder of Yoroi, downloaded a copy of the database, considered the biggest leaked compilation in history. He studied it and he answered three questions, useful to better protect systems against cyber attacks. 1) “What are the most used passwords ?“; 2) “What are the domain names of the most leaked emails?”; 3) “what sources data is coming from’”.

What are the most used passwords?

“So far the most used passwords are: ‘123456’, “q1w2e3r4t5y6’, ‘123456789’, ‘1qaz2wsx3edc’, followed by most common passwords like ‘12345678’ and ‘qwerty’,” the cyber security expert noted in a post on his blog. “By observing the current graph and comparing it to common researches on frequently used passwords, we might appreciate a significative difference: the pattern complexity! In fact, while years ago the most used passwords were about names, dates or simple patters such as ‘qwerty’, today we observe a significative increase in pattern complexity, but still too easy to be brute-forced”.

What are the domain names of the most leaked emails?

About the “Collection #1” data breach domain names of the most leaked emails, “are not the most vulnerable but rather the most used ones,” Ramilli continued. “I’m not saying that those domains are/or have been vulnerable or Pwned, but I am trying to find what are the most leaked email providers. In other words if you receive an email from ‘’ what is the probability that it has been leaked and potentially compromised ? Again I cannot answer to such a question since I do not have the total amount of ‘’ accounts all around the word, but I think it might be a nice indicator to find out what are the most leaked email domain names”. However, “the most leaked emails come from ‘’, ‘’, ‘’ and ‘’. This is quite interesting since we are mostly facing personal emails providers (domains) rather then professional emails providers (such as So apparently, attackers are mostly focused in targeting people rather then companies (maybe attacking not professional websites and/or distributing malware to people rather then companies domain names). Another interesting data to know is about the unique leaked email domain names: 4426, so far!”.

What sources data is coming from?

On the last question about the data breach, Ramilli explained that “i made some deductions from the data leaked structure. Each folder holds .TXT files which have names that look like domain names. Some of those are really domain names (tested), some other are on-sale right now, and many other seems to just look like a domain, but I had no evidences of them,” the cyber security experts resports. “Anyway I decided to assume that the file names looking like domain names are the domain from which the attacker leaked informations. So, having such in mind we might deduce where the attacker extracted the data (username and passwords) and perform a personal evaluation about the leaked information”.

Photo Credits: Troy Hunt

Back To Top