Collections #2-5 unearthed with 2.2 billion unique records now exposed online

The gargantuan 87GB Collection #1 leak is dwarfed by the now-600GB of exposed data circulating online

Researchers have established that more than 600GB of personal information is circulating online after finding a monster cache of four additional 'Collection' folders.

The Collection #1 leak discovered earlier this month was considered one of the largest leakages of personal data in history, with more than 773 million unique email addresses, and 22 million passwords, found circulating on hacking forums online.

But the scale of this leak has expanded dramatically after researchers with German firm Heise Security uncovered folders named 'Collections #2 to #5', containing swathes of personal data that were harvested from historic data breaches.

The full complement of 'Collection' data, folders #1 to #5, now spans more than 2.2 billion unique email addresses and passwords.

Despite the data's historic nature, sourced from headline data breaches of the past such as the massive Yahoo hack, researchers with Heise Security believe cyber criminals will gamble on users' lax attitude towards passwords and try out the credentials anyway.

"The current leaks are a good opportunity to rethink your own password strategies," said Heise's Ronald Eikenberg.

"The most important rule is to use a different password for each service. And if you do not want to think up or remember a password for each service, it's best to use a password manager."

After the first batch of records was published online, researcher Troy Hunt, who first unearthed Collection #1, suggested that cyber criminals may use the data for 'credential stuffing' attacks.

When publishing the details around the leak, Hunt also released an unverified list of past data breaches and compromised sites that made up the leak, totalling 2,890 file names, with the earliest breach occurring in 2008.

Just as with Hunt's site HaveIBeenPwned, the German Hasso Plattner Institute, with ties to Heise Security, runs a service called Identity Leak Checker which people can use to see if their usernames and passwords have been compromised in the Collection leaks.

After news around Collection #1 first broke, Malwarebytes' lead malware intelligence analyst Chris Boyd suggested the key for users and businesses who may be affected is to ensure passwords are limited to one per account.

"This is another good argument for making use of password managers, and especially those with built-in functionality to check current passwords against lists of data breaches," Boyd said.

"If you recognise any of your passwords in the haul, you should stop using it immediately and perform a little behind the scenes maintenance as soon as possible."

The scale of the leak, many times the scale of Collection #1 which was at the time thought to be the biggest single leak in history, is sure to prove staggering to the wider security community.

ESET UK's cyber security specialist Jake Moore believes this is the start of something "far more significant than anything we have ever seen before". 

"Hackers are becoming even more sophisticated, and hopefully, this is a massive wake-up call to anyone with an email address," he said.

"The overarching statement here is that we need to adopt stronger layers of security, and this is the time to adopt a new way of managing passwords.

"Using your three rehashed passwords is no longer going to cut it."
