Collections 1-5 – Is This The Biggest Data Breach Ever?

Troy Hunt, of HaveIBeenPwned fame, on January 17 reported what may be the biggest data breach ever.  Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows.  That’s right, 2.6 billion rows.   773 million records, from over 12,000 files, with a total size surpassing 87 gigabytes.  That’s a lot of personally identifiable information (PII) about all of us, I would guess.  This information was being  circulated on the popular cloud storage service MEGA for the low, low price of $45.  This is not the Dark Web, it is the regular web.

On January 25, Germany’s Hasso-Plattner Institute (HPI) released a report about a second trove, called Collections 2-5.  This information came from the same source as Collection 1, and it contains another 2.2 billion unique pairs of email addresses and passwords.  This is an astounding 845 GB of data gathered from more than 2000 individual data breaches going back several years.

What this means is that more than one of your passwords may be in list huge list.  So even if you use different passwords on different sites, your credentials for several sites may be in this trove.

Before you go nuts, it seems that much of this data is old and out of date.  Nevertheless, this is something a massive collection of PII, and it would be a miracle if some of your email account and password pairs were not in this vast store. Remember last year’s successful sextortion scam?  This was the phishing attack that claimed to have videos taken by your own web cam of you interacting with porn, and worked by showing victims old passwords as “proof” of access.

I checked to see if my own information might be in this trove, and it seems that I am in the clear, at least, so far.  You can check your own situation at  While you are at it, check out some of your passwords at Troy’s new Pwned Passwords page.  I highly recommend reading Troy’s report if you are at all interested in the details.

To protect yourself from these sorts of disclosures requires some serious password best practices.  These include:

  • Longer passwords of at least 12 characters
  • Two factor or multi-factor authentication.  Currently I am favoring USB solution such as Yubikey or Google Titan, but authenticator phone apps are good too.
  • Password managers such as LastPass, 1Password, or Dashlane.
  • Sign up at HIBP for breach alerts.  Click on “Notify Me” from the top menu.

The amount of information circulating on the Dark Web is staggering.  You want to be keeping track of any breaches that affect you personally.  There is always the danger of identity theft, or other personal attacks from breaches such as this one.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.