Over 2 billion emails, passwords found on sale


03 Feb 2019

Over 2 billion emails, passwords stolen: Check if you're safe

Just a few days back, 'Have I Been Pwned' founder Troy Hunt discovered 773 million usernames and passwords in a leaked data dump known as 'Collection #1'.

It made headlines around the world, but as it turns out, Collection #1 was just the tip of the iceberg.

Researchers in Germany have discovered another insanely massive database carrying 2.2 billion unique records.

Here's more.

Collection #2-5

25 billion records found circulating online

25 billion records found circulating online

Researchers from Germany's Hasso Plattner Institute recently discovered a database called 'Collection #2-5'.

It was circulating freely via hacker forums and torrents as a file weighing as much as 845GB and carrying 25 billion records in all.

The researchers pulled the file and, after accounting for duplicates and non-useful elements, found it had 2.2 billion unique emails and passwords.


Is this a fresh data breach?

Most of the data in Collection #2-5 appears to have come from old data breaches, like Yahoo, Dropbox, and LinkedIn.

This seems to suggest that someone decided to offer previously leaked information as a combined package for free.

However, it is important to note that not all credentials are old; some 750 million records in the database leaked out for the first time.

Love Tech news?

Stay updated with the latest happenings.

Yes, notify me

How these username-passwords leaked?

The username-passwords landing in the researchers' database for the first time may have been stolen in separate smaller breaches of different websites, Hasso Plattner Institute's researcher David Jaeger told the WIRED.


Now, this poses a major security threat

Now, this poses a major security threat

Though a major tranche of these records comes from old breaches, the sheer size of information leaked here poses a major security threat.

Typically, breached data is sold on the Dark Web, but in this case, the data is available freely on torrent websites/forums.

This means anyone can access it and then use automated techniques to hack into accounts with unique username-password combinations.

People using same passwords across multiple sites possibly at risk

That said, anyone using the same email-password combinations across multiple public sites can be at risk of hacking attempts. Do note that the data dump in question has already been downloaded more than 1,000 times, its Torrent file indicated.


How to stay protected?

To stay protected, it is recommended to check which of your accounts and passwords have been compromised and then change them accordingly.

For this, visit 'Have I Been Pwned' website (https://haveibeenpwned.com) and enter your email.

Alternatively, you can also check emails via Hasso Plattner Institute's Identity Leak Checker [https://sec.hpi.de/ilc/search].

Share this timeline

Data Breach


Dark Web

David Jaeger



Hasso Plattner Institute

Identity Leak Checker



Troy Hunt


Share this timeline

Ask NewsBytes
User Image

Most asked questions

How can I get breach notifications?

Does this breach affect Indian users?

How to secure emails?

Were these passwords encrypted?

More questions

How can I get breach notifications?

Asked 2019-02-03 12:11:35 by Aaradhya Singhal

Answered by NewsBytes

You can get breach notifications by sign up for notification alerts on Have I Been Pwned website.

Does this breach affect Indian users?

Asked 2019-02-03 12:11:35 by Diya Khan

Answered by NewsBytes

The data dumps are totally random and could be affecting many users in India too. Mine was affected.

How to secure emails?

Asked 2019-02-03 12:11:35 by Amit Mittal

Answered by NewsBytes

For security, keep different email-password combinations for different websites and keep changing them from time to time.

Were these passwords encrypted?

Asked 2019-02-03 12:11:35 by Pari Banerjee

Answered by NewsBytes

Some encrypted but millions were unhashed plaint-text passwords too.

Next Timeline