Whilst this post dates back almost 4 months, it hadn’t come across my radar until now and, inevitably, also hadn’t been sent to the aforementioned tech company. They took it seriously enough to take appropriate action against their (very sizeable) user base, which gave me enough cause to investigate it further than your average cred stuffing list. Here’s what I found:
Post on BreachForums in September 2023. Image: The Data Breach Times.
319 files totalling 104GB
70,840,771 unique email addresses
427,308 individual HIBP subscribers impacted
65.03% of addresses already in HIBP (based on a 1k random sample set)
That last number was the real kicker; when a third of the email addresses have never been seen before, that’s statistically significant.