'Collections' Data Leak Affects Even More Passwords: The Total Now Comes to 2.2 Billion

Collections Expose 2.2 Billion Emails and Passwords

Two thousand files, 87 GB, and just under 2.7 billion records. This is what cybersecurity expert Troy Hunt was faced with when one of his followers pointed him to a large database of sensitive information. After deduplicating and sanitizing the data, Hunt found that the numbers weren't quite as enormous: in total, there were 773 million unique email addresses and about 21 million unique passwords. Even so, it was still the largest data dump the Australian researcher had ever seen. What was even more worrying was that the database was called 'Collection #1', which suggested that there might be a 'Collection #2'. As it turns out, 'Collection #2' does exist. As do 'Collection #3', 'Collection #4', and 'Collection #5'.

It looks very bad

This time, it wasn't Troy Hunt who first got his hands on the four new "Collections". Researchers from the Hasso-Plattner Institute (HPI) in Germany analyzed them, and Heise Online (link in German) was the first outlet to report on the findings. According to Wired, which also examined the data, the four new collections amount to 845 GB and around 25 billion records. Across all five collections, there are a total of 2.2 billion email addresses and associated passwords.

The bad news doesn't stop there. One of the most frightening things about Collection #1 was how easily accessible it was. The other four "Collections" are no different. HPI researchers found them on the MEGA file hosting platform, and when Wired asked security expert Chris Rouland to take a look at them, he got them via a torrent that had 130 seeders and had been downloaded more than 1,000 times.

In other words, all these email addresses and passwords are publicly available. You just need the right link and a bit of patience to get them.

The good(ish) news

Like the first dump, this is not the result of a single hacking incident. Apparently, someone has gone to the trouble of taking the data leaked during an unknown number of breaches and putting it all in one big database.

Nobody knows which providers leaked the information, but Wired reckons that most of the credentials are now quite old and therefore invalid. The likely story is that some years ago, hackers stole and abused them, after which their monetary value dropped because the easy money had already been made. Eventually, they changed hands for free, and now they're all collected in one place. The fact that nobody is willing to pay for them doesn't mean, however, that they are worthless.

The dump can still fuel scams and cyberattacks

The age of the email addresses and passwords shouldn't lull us into a false sense of security. Many users don't change passwords at all, and many of those who do simply "rotate" through predictable variations of the same one (bumping a trailing digit, appending a year or an exclamation mark), so a password leaked years ago is often one trivial edit away from the current one. Add the habit of reusing the same password across services, and an old dump still hands attackers a working list to try against accounts that were never breached themselves.
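How a defender can put exactly this kind of dump to work at password-change time, as an added example that is not code from the article, from HPI or from Troy Hunt. The "leak" below is a constructed toy in the same email:password layout; the accounts and passwords are made up. The rotation rules (bump a trailing number, drop or append a suffix, capitalize) are my assumed list of the commonest user edits, not something derived from the collections themselves. Candidates are compared by SHA-1 so the same check works against a corpus that is distributed as hashes rather than plaintext.

```python
import hashlib
import re

# Constructed toy "dump" in the email:password layout seen in such collections.
# These accounts and passwords are invented for this example; they come from no real leak.
LEAKED_RECORDS = """\
alice@example.com:Summer2016!
bob@example.com:hunter2
carol@example.com:P@ssw0rd
"""

COMMON_SUFFIXES = ("1", "!", "123", "2019")          # assumed: typical appended characters
TRAILING_COUNTER = re.compile(r"(.*?)(\d+)(\W*)")     # e.g. Summer2016! -> ("Summer", "2016", "!")


def sha1_hex(text):
    """SHA-1 of the UTF-8 password, the form in which leaked corpora are commonly distributed."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def parse_dump(text):
    """Parse email:password lines into {email: {password, ...}}.

    Splits on the first colon only (passwords may contain colons) and lowercases the
    email so 'Alice@' and 'alice@' land in the same bucket.
    """
    creds = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        creds.setdefault(email.lower(), set()).add(password)
    return creds


def rotation_variants(password):
    """Return {variant: kind}: "exact" for the leaked password, "variant" for each predictable edit."""
    variants = {password: "exact"}

    def add(candidate):
        variants.setdefault(candidate, "variant")   # never downgrade the original from "exact"

    m = TRAILING_COUNTER.fullmatch(password)
    if m:  # Summer2016! -> Summer2017!, Summer2018!, Summer2019!, Summer!
        head, num, tail = m.groups()
        for delta in range(1, 4):
            add(f"{head}{int(num) + delta:0{len(num)}d}{tail}")
        add(head + tail)

    stripped = password.rstrip("0123456789!@#$%^&*.")  # hunter2 -> hunter
    if stripped:
        add(stripped)
    for suffix in COMMON_SUFFIXES:                      # hunter2 -> hunter21, hunter2!, hunter123, ...
        add(password + suffix)
        if stripped:
            add(stripped + suffix)
    add(password.capitalize())
    return variants


def build_index(creds):
    """Map SHA-1(variant) -> [(email, kind), ...]; the check then needs only hashes, not plaintext."""
    index = {}
    for email, passwords in creds.items():
        for password in passwords:
            for variant, kind in rotation_variants(password).items():
                index.setdefault(sha1_hex(variant), []).append((email, kind))
    return index


def check_password(email, candidate, index):
    """Classify a candidate password for an account against the indexed leak.

    "exact": this very email:password pair was leaked.
    "variant": a predictable rotation of a password leaked for this email.
    "reused-elsewhere": the candidate (or a rotation of it) leaked for some other account.
    None: not in the corpus at all.
    """
    hits = index.get(sha1_hex(candidate), [])
    if not hits:
        return None
    own = {kind for hit_email, kind in hits if hit_email == email.lower()}
    if "exact" in own:
        return "exact"
    if own:
        return "variant"
    return "reused-elsewhere"


if __name__ == "__main__":
    index = build_index(parse_dump(LEAKED_RECORDS))
    for email, candidate in [
        ("alice@example.com", "Summer2016!"),
        ("alice@example.com", "Summer2019!"),
        ("bob@example.com", "hunter2!"),
        ("dave@example.com", "hunter2"),
        ("bob@example.com", "correct horse battery staple"),
    ]:
        print(f"{email:20} {candidate!r:32} -> {check_password(email, candidate, index)}")
```

A password-change endpoint would reject "exact" and "variant" outright and treat "reused-elsewhere" as a weak choice; the point of the expansion step is that "Summer2019!" is not a new password when "Summer2016!" is already in a public dump. For a live check against a hosted corpus rather than a local one, do not submit the password itself: HaveIBeenPwned's Pwned Passwords API takes only the first five hex characters of the SHA-1 and returns the matching suffixes, so the comparison above happens on the client.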

What's more, when scammers started sending sextortion emails quoting old passwords last year, many people assumed that users would spot that the password was out of date and would not cave in to the ridiculous demands. In the end, frightened victims paid the fraudsters millions of dollars in bitcoin.

Despite their age, the credentials are easy to obtain and don't cost a penny, which makes them perfect for crooks who have neither the money nor the resources to put together a sophisticated attack. And you'd be surprised at how many such people there are out there.

Troy Hunt has yet to load the data into his HaveIBeenPwned service, but you can check whether your email addresses appear in the five collections using HPI's Identity Leak Checker.

February 1, 2019
