A couple of weeks ago, the largest-ever collection of stolen usernames and passwords were dumped online in what hackers called Collection #1. Due to that name, many speculated that it could be just the beginning. It appears those speculations were correct because now an even bigger collection has found its way onto the dark web, and this time, it is being called Collections #2-5.
Collections #2-5 dump is the biggest ever
Collections #2-5 is a mammoth 845 GB of stolen data which includes 25 billion records in all. Even though it is a collection of previously-stolen account information, what’s particularly threatening about it is that the dumped data includes 2.2 billion unique usernames and passwords.
Cybersecurity researcher Chris Rouland, founder of the IoT security firm Phosphorus.io, told Wired it is the biggest-ever collection of stolen data and is being circulated freely throughout the hacker community. Rouland added that as of Wednesday, it was being “seeded” by more than 130 people and had already been downloaded more than 1,000 times.
Such a massive collection of login credentials was probably dumped by big-time hackers who have already used it and have now shared it with the rest of the hacking community. The stolen data could still be useful to hackers who focus more on individual social accounts.
“When enough people have secret data, someone shares it,” Rouland says. “It’s entropy. When the data is out there, it’s going to leak.
Old data can still be useful
Much of the data in Collections #2-5 is from old breaches, like from Yahoo, LinkedIn and Dropbox. However, some data appears to be new and likely came from breaches of smaller websites. Thus, it could still be useful.
The majority of the stolen credentials might be old, but it has been seen that a small percentage of users don’t bother to change their password at all or continue using the same passwords for years. Hackers are also aware of this trend, and thus, they target such users. Even if just one-tenth of 1% of the people in the latest leak of 2.2 billion email addresses still use the same password, it still is a big number.
Hackers usually use a technique called credential stuffing, in which bots are used to enter the same set of login information into multiple services. If someone uses the same credentials that were leaked in the LinkedIn or any other breach for their bank accounts, then it would be like hitting the jackpot for hackers.
According to researchers at the Hasso Plattner Institute, about 611 million credentials in the latest dump were not part of the Collection #1 leak, and about 750 million of the credentials weren’t included in their databases. However, it is not clear if this data has been circulated in other ways. What is clear is that with more than 2 billion email addresses and passwords circulating, there is a very good chance it includes at least one of yours.
What should you do?
It is advisable that you check if your credentials are also part of the Collections #2-5 dump. Even if you checked your email accounts using Hunt’s tool after the Collection #1 dump, you are advised to recheck them. Troy Hunt, owner of the HaveIBeenPwned website, has yet to add Collections #2-5 to his database.
Thus, you can use the Hasso Plattner Institute’s Identity Leak Checker, which has added the Collections #2-5 database. All you need to do is enter your email address, and the site will then send you an email on the ID that you entered. It will inform you if the email ID has ever been included in a breach, including the most recent one, and include your IP address and other details.
The checker also indicates if a password has been matched to the email ID you entered. However, it can’t tell how recent that password is. Still, if your email ID is involved, it is a good idea to change the password again.
The password you choose must be unique and strong, but make sure that you can remember it. You can opt for two-factor authentication if it is available. Although it isn’t foolproof, it does give you an additional layer of security. You can also use a password manager to help you automatically generate strong passwords for your online accounts.