In recent years, hackers have breached companies like Dropbox and LinkedIn by stealing 71 million and 117 million passwords, respectively. This month, Troy Hunt, security researcher identified the first portion of the data dump, named Collection #1, which has a set of breached databases. He represented 773 million unique usernames and passwords. Other researchers have now obtained and analyzed an additional vast database called Collections #2–5. It has 845 gigabytes of stolen data and 25 billion records in all.
So you know that massive dump from a few weeks ago (Collection 18 only)? Well it's now turn for Collection #2-5, which contains 2.19 billion email addresses and passwords.https://t.co/z8ppkWfpW8
— Sean Wright (@SeanWrightSec) February 1, 2019
German news site Heise reported that Collection of 2.2 billion unique usernames and associated passwords has been distributed on hacker forums and torrents. According to the researchers at the Hasso Plattner Institute, 611 million credentials in Collections #2–5 weren’t included in the Collection #1 database. Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, who also pulled Collections #1–5 from torrented files, said, “This is the biggest collection of breaches we’ve ever seen.”
According to Rouland, as the collection has already been circulated amongst hackers, the tracker file which he downloaded was being seeded by more than 130 people who possessed the data dump. It has also been downloaded more than 1,000 times.
In a statement to WIRED, Rouland said, “It’s an unprecedented amount of information and credentials that will eventually get out into the public domain.”
According to WIRED, most of the stolen data appears to come from previous thefts, like the breaches of LinkedIn, Yahoo, and Dropbox. WIRED has examined a sample of the data and further confirmed that the credentials are valid, but mostly represent passwords from the previous years’ data leaks.
This collection could be used as a powerful tool for unskilled hackers as they can try a technique called credential stuffing. With this technique, users can try previously leaked usernames and passwords on any website with the hope that people have reused passwords.
Rouland said, “For the internet as a whole, this is still very impactful.”
Who knows if we are targeted too? What should one do?
Users can check for their usernames in the breach using Hasso Plattner Institute’s tool. This identity leak checker asks for users’ email address then uses that email ID to generate a list of information including users’ name, IP address, and password, if applicable. It tells the users if a password has been matched to their email address. It can also tell how recent that password actually is.
One should change passwords for any breached sites it flags. It is advisable to not reuse passwords, and use a password manager. A password manager can automatically generate unique, secure passwords for the services a user uses. Users should turn on the two-factor authentication wherever possible. Though the two-factor authentication isn’t foolproof, it provides a layer of security.
Troy Hunt’s service HaveIBeenPwned helps in checking if the passwords have been compromised, though it doesn’t yet include Collections #2-5.