Earlier this month we saw what was considered to be the largest ever dump of stolen internet accounts with 773 million email addresses and 21 million passwords. The dump of compromised accounts was called “Collection #1”. Now, Collections #2-5 have been dumped and the numbers are staggering: 845GB of stolen data that includes 25 billion total records and 2.2 billion unique usernames and passwords.
As reported by Wired, Collections #2-5 more than double the number of compromised accounts that surfaced in Collection #1. Security researchers have concluded that the figures of 25 billion stolen records and 2.2 billion unique usernames and passwords are what remains after accounting for duplicates found in Collections #2-5, setting a new record for the biggest data breach collection.
“This is the biggest collection of breaches we’ve ever seen,” says Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, who pulled Collections #1–5 in recent days from torrented files.
Unfortunately, this massive collection of data has been making the rounds on the black market, and Rouland says that the collection has already been downloaded over 1,000 times on torrent sites.
He could see that the tracker file he downloaded was being “seeded” by more than 130 people who possessed the data dump, and that it had already been downloaded more than 1,000 times. “It’s an unprecedented amount of information and credentials that will eventually get out into the public domain,” Rouland says.
Notably, much of the stolen information stems from prior breaches of Yahoo, LinkedIn, and Dropbox, but has just now surfaced with these massive dumps.
The sheer size of the collection also means it could offer a powerful tool for unskilled hackers to simply try previously leaked usernames and passwords on any public internet site in the hopes that people have reused passwords—a technique known as credential stuffing. “For the internet as a whole, this is still very impactful,” Rouland says.
You can check whether any of your accounts have been compromised as part of Collection #1 at Have I Been Pwned. Wired notes that Have I Been Pwned hasn’t been updated with Collections #2-5 yet, but the Hasso-Plattner Institute’s tool has been.