Earlier this month, a sizable 87GB dump of login credentials started making the rounds on popular hacking forums. According to security researcher Troy Hunt, Collection #1 consisted of 773 million unique e-mail addresses and 21 million unique passwords.
The latest leak makes Collection #1 look trivial by comparison.
Affectionately called Collections #2-5, the massive 845 gigabytes of stolen data contains a staggering 25 billion records in total. Of those, there are 2.2 billion unique usernames and passwords.
Chris Rouland, a cybersecurity researcher and founder of the IoT security firm Phosphorus.io, told Wired that this is the biggest collection of breaches they’ve ever seen. Worse yet, it’s already circulating widely among the hacker community. As of yesterday, Rouland said it was being “seeded” by more than 130 people and that it had been downloaded more than 1,000 times.
The likely scenario is that big-time hackers have already gotten their use out of the data and after having been passed around for years, someone finally decided to compile the records into large dumps. The data could still be useful for smaller-scale hackers, however, targeting individual social media accounts, for example.
Hasso Plattner Institute has a tool to check your e-mail address against the data. Troy Hunt’s service, Have I Been Pwned, hasn’t got around to adding Collections #2-5 yet but probably will in the near future.