Collections #2-5 unearthed with 2.2 billion unique records now exposed online

A render of a black computer screen whit random white characters indicating a bank of passwords, with the word password highlighted in green text
(Image credit: Shutterstock)

Researchers have established that more than 600GB of personal information is circulating online after finding a monster cache of four additional 'Collection' folders.

The Collection #1 leak discovered earlier this month was considered one of the largest leakages of personal data in history, with more than 773 million unique email addresses, and 22 million passwords, found circulating on hacking forums online.

But the scale of this leak has expanded dramatically after researchers with German firm Heise Security uncovered folders named 'Collections #2 to #5', containing swathes of personal data that were harvested from historic data beaches.

The full complement of Collection' data, folders #1 to #, now spans more than 2.2 billion unique email addresses and passwords.

Despite the data's historic nature, sourced from headline data breaches of the past such as the massive Yahoo hack, researchers with Heise Security believe cyber criminals will gamble on users' lax attitude towards password and try out the credentials anyway.

"The current leaks are a good opportunity to rethink your own password strategies," said Heise's Ronald Eikenberg.

"The most important rule is to use a different password for each service. And if you do not want to think up or remember a password for each service, it's best to use a password manager."

After the first batch of records were published online researcher Troy Hunt, who first unearthed Collection #1, suggested that cyber criminals may use the data for credential stuffing' attacks.

When publishing the details around the leak, Hunt also released an unverified list of past data breaches and compromised sites that made up the leak, totalling 2,890 files names, with the earliest breach occurring in 2008.

Just as with Hunt's site HaveIBeenPwned, the German Hasso Plattner Institute with ties to Heise Security runs a service called Identity Leak Checker which people can use to see if their usernames and passwords have been compromised in the Collection leaks.

After news around Collection #1 first broke, Malwarebytes' lead malware intelligence analyst Chris Boyd suggested the key for users and businesses who may be affected is to ensure passwords are limited to one per account.

"This is another good argument for making use of password managers, and especially those with built-in functionality to check current passwords against lists of data breaches," Boyd said.

"If you recognise any of your passwords in the haul, you should stop using it immediately and perform a little behind the scenes maintenance as soon as possible."

The scale of the leak, many times the scale of Collection #1 which was at the time thought to be the biggest single leak in history, is sure to prove staggering to the wider security community.

ESET UK's cyber security specialist Jake Moore believes this is the start of something "far more significant than anything we have ever seen before".

"Hackers are becoming even more sophisticated, and hopefully, this is a massive wake-up call to anyone with an email address," he said.

"The overarching statement here is that we need to adopt stronger layers of security, and this is the time to adopt a new way of managing passwords.

"Using your three rehashed passwords is no longer going to cut it."

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.