
Collections #2-5, 845GB of stolen usernames and passwords, are circulating among hackers

By Shawn Knight · 9 replies
Jan 31, 2019
  1. Earlier this month, a sizable 87GB dump of login credentials started making the rounds on popular hacking forums. According to security researcher Troy Hunt, Collection #1 consisted of 773 million unique e-mail addresses and 21 million unique passwords.

    The latest leak makes Collection #1 look trivial by comparison.

    Affectionately called Collections #2-5, the massive 845 gigabytes of stolen data contains a staggering 25 billion records in total. Of those, there are 2.2 billion unique usernames and passwords.

    Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, told Wired that this is the biggest collection of breaches they’ve ever seen. Worse yet, it’s already circulating widely among the hacker community. As of yesterday, Rouland said it was being “seeded” by more than 130 people and that it had been downloaded more than 1,000 times.

    The likely scenario is that big-time hackers have already gotten their use out of the data and that, after it had been passed around for years, someone finally decided to compile the records into large dumps. The data could still be useful for smaller-scale hackers, however, targeting individual social media accounts, for example.

    Hasso Plattner Institute has a tool to check your e-mail address against the data. Troy Hunt’s service, Have I Been Pwned, hasn’t got around to adding Collections #2-5 yet but probably will in the near future.

    Lead image courtesy posteriori via Shutterstock


     
  2. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,758   +1,149

    Just in case anyone is wondering, it won't tell you where nor passwords.

    This being a huge dump, besides downloading it and starting to crawl through it, does anyone know of a better way to figure out which services and passwords were compromised?
     
  3. avioza

    avioza TS Addict Posts: 199   +149

    Haveibeenpwned.com

    Was helpful for me.
     
  4. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,758   +1,149

    It just tells you that there is something for the #1, however doesn't tell which passwords or services. I'm assuming most of it is from older breaches.
     
  5. Plutoisaplanet

    Plutoisaplanet TS Booster Posts: 87   +69

    One of my emails has only ever had two things it's signed up for and is listed on the collections. Outlook/Skype and Facebook. Neither of those are actually breached now nor have ever been breached. It has no breaches listed on Haveibeenpwned.com.
     
  6. toooooot

    toooooot TS Evangelist Posts: 725   +343

    Is there a chance 12345 isn't on the list? I just updated my password after stupid website forced me to. Would be sad if this password was common.
     
  7. Emexrulsier

    Emexrulsier TS Evangelist Posts: 596   +76

    I used to use this site myself but I know 100% that it doesn't show all leaks. EA once got hacked, releasing all, I think it was, the Battlefield online account details. I remember downloading the leak and sure enough my email and password were in that file. Haveibeenpwned doesn't even mention this leak even though EA is massive.
     
  8. Bubbajim

    Bubbajim TechSpot Staff Posts: 639   +614

    To be fair, HIBP is basically run by one dude who's just trying to host a helpful service for people. It's still a great tool, and it gets people thinking about their own cyber-security, which most people only do once it's too late.
     
  9. Knot Schure

    Knot Schure TS Addict Posts: 226   +97

    Can someone post a link to it, so we know, er, not to go there?
     
  10. Kibaruk

    Kibaruk TechSpot Paladin Posts: 3,758   +1,149

    However, it would make more sense and be way more useful if he would separate the collections per service. He already did the hard part to compile everything; with a couple of queries on the info it shouldn't be easy to show which services are the account associated with.
     
