Just two weeks ago a data dump named Collection #1 made headlines by publishing a database of hundreds of millions of compromised email addresses and passwords, the largest data dump seen up to that point – and it has already been overshadowed.
Collection #1 was first posted to the file-sharing service MEGA before being taken down and passed around more covert hacking forums. The collection contained over 700 million individual email addresses spread across roughly 12,000 files. All of this data was then loaded into the breach notification website Have I Been Pwned?, where users can enter their email address to find out whether it appears in any of the 6.5 billion compromised accounts the site knows about.
Since then we have seen another data dump almost three times the size. Collection #2-5 contains 2.2 billion usernames and passwords, 845GB of data and over 25 billion records in total, creating a single database from which attackers can pull account details for hundreds of websites.
The founder of Phosphorus – whose security researchers analysed the files – told WIRED that the data had already been made available for download by over 130 users, with more than 1,000 successful downloads so far. With that many copies in circulation, the database will almost certainly never be completely removed from the web.
Another breach notification website, Info Leak Checker, has since added the newer Collection files to its records, so the same kind of lookup that Have I Been Pwned? offers for Collection #1 is available for Collection #2-5.
So, if this is just a collection of pre-existing data leaks, what’s the big deal?
One of the most common account takeover techniques today is credential stuffing. Rather than guessing passwords, the attacker takes the email address and password pairs from old leaks and replays them, automatically and at scale, against other websites, betting that the victim is one of the many people who still reuse the same password across multiple accounts. Having so many records in one place makes this far easier, so a noticeable spike in hijacked accounts over the next couple of months is likely.
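From the defender's side, credential stuffing has a recognisable shape in login logs: one source tries many different accounts in a short window, and only a small fraction of the attempts succeed (the accounts whose owners reused a leaked password). The script below is an added example, not code from the original post or from either notification site; it runs a simple sliding-window detector over a handful of constructed log lines, and the window size and thresholds are assumptions you would tune to your own traffic.

```python
"""Credential-stuffing detector over login logs (added example, not from the post)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real data. Format: "<ISO time> <client ip> <user> <outcome>".
# 203.0.113.7 sprays ten different accounts in six seconds and lands two of them,
# 198.51.100.2 hammers a single account (brute force, not stuffing),
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2019-02-01T10:00:01 203.0.113.7 alice@example.com FAIL
2019-02-01T10:00:02 203.0.113.7 bob@example.com FAIL
2019-02-01T10:00:02 203.0.113.7 carol@example.com SUCCESS
2019-02-01T10:00:03 203.0.113.7 dave@example.com FAIL
2019-02-01T10:00:03 203.0.113.7 erin@example.com FAIL
2019-02-01T10:00:04 203.0.113.7 frank@example.com FAIL
2019-02-01T10:00:05 203.0.113.7 grace@example.com FAIL
2019-02-01T10:00:05 203.0.113.7 heidi@example.com SUCCESS
2019-02-01T10:00:06 203.0.113.7 ivan@example.com FAIL
2019-02-01T10:00:07 203.0.113.7 judy@example.com FAIL
2019-02-01T10:05:00 198.51.100.2 alice@example.com FAIL
2019-02-01T10:05:30 198.51.100.2 alice@example.com FAIL
2019-02-01T10:06:00 198.51.100.2 alice@example.com SUCCESS
2019-02-01T11:00:00 192.0.2.9 mallory@example.com SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": outcome == "SUCCESS"})
    return events


def find_stuffing(events, window=timedelta(minutes=10), min_accounts=8, max_success_rate=0.5):
    """Flag source IPs that, within `window`, attempt at least `min_accounts` distinct
    accounts with a success rate no higher than `max_success_rate`.

    Thresholds are assumptions for the example. Returns {ip: {"accounts", "attempts",
    "compromised"}} where "compromised" lists the accounts that logged in successfully
    from the flagged source, i.e. the ones most likely hit by a reused password.
    """
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            successes = sorted({e["user"] for e in win if e["ok"]})
            rate = len(successes) / len(win)
            if len(users) >= min_accounts and rate <= max_success_rate:
                # Later windows overwrite earlier ones, so the largest match is kept.
                flagged[ip] = {"accounts": len(users), "attempts": len(win),
                               "compromised": successes}
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts in {info['attempts']} attempts; "
              f"successful logins to: {', '.join(info['compromised'])}")
```

The single-account brute force from 198.51.100.2 is deliberately not flagged: it is a different attack with a different response (lock or rate-limit that one account), whereas a stuffing source should be blocked and every account it logged into should be forced through a password reset and, ideally, two-factor enrolment.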
If you think you might have been affected by these data dumps – and even if you don't – take a minute to check your email address against the two sites mentioned in this post. For better account security going forward, use a password manager to generate and remember a unique, complex password for every account, and enable two-factor authentication on your higher-risk accounts (email, banking, and anything that can be used to reset other passwords).