Over 2 billion emails, passwords stolen: Check if you're safe
Just a few days back, 'Have I Been Pwned' founder Troy Hunt discovered 773 million usernames and passwords in a leaked data dump known as 'Collection #1'. It made headlines around the world, but as it turns out, Collection #1 was just the tip of the iceberg. Researchers in Germany have discovered another insanely massive database carrying 2.2 billion unique records. Here's more.
Researchers from Germany's Hasso Plattner Institute recently discovered a database called 'Collection #2-5'. It was circulating freely via hacker forums and torrents as a file weighing as much as 845GB and carrying 25 billion records in all. The researchers pulled the file and, after accounting for duplicates and non-useful elements, found it had 2.2 billion unique emails and passwords.
Most of the data in Collection #2-5 appears to have come from old data breaches, like Yahoo, Dropbox, and LinkedIn. This seems to suggest that someone decided to offer previously leaked information as a combined package for free. However, it is important to note that not all credentials are old; some 750 million records in the database leaked out for the first time.
The username-passwords landing in the researchers' database for the first time may have been stolen in separate smaller breaches of different websites, Hasso Plattner Institute's researcher David Jaeger told the WIRED.
Though a major tranche of these records comes from old breaches, the sheer size of information leaked here poses a major security threat. Typically, breached data is sold on the Dark Web, but in this case, the data is available freely on torrent websites/forums. This means anyone can access it and then use automated techniques to hack into accounts with unique username-password combinations.
That said, anyone using the same email-password combinations across multiple public sites can be at risk of hacking attempts. Do note that the data dump in question has already been downloaded more than 1,000 times, its Torrent file indicated.
To stay protected, it is recommended to check which of your accounts and passwords have been compromised and then change them accordingly. For this, visit 'Have I Been Pwned' website (https://haveibeenpwned.com) and enter your email. Alternatively, you can also check emails via Hasso Plattner Institute's Identity Leak Checker [https://sec.hpi.de/ilc/search].