Collections 1-5 – Is This The Biggest Data Breach Ever?

Troy Hunt, of HaveIBeenPwned fame, on January 17 reported what may be the biggest data breach ever.  Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows.  That’s right, 2.6 billion rows.   773 million records, from over 12,000 files, with a total size surpassing 87 gigabytes.  That’s a lot of personally identifiable information (PII) about all of us, I would guess.  This information was being  circulated on the popular cloud storage service MEGA for the low, low price of $45.  This is not the Dark Web, it is the regular web.

On January 25, Germany’s Hasso-Plattner Institute (HPI) released a report about a second trove, called Collections 2-5.  This information came from the same source as Collection 1, and it contains another 2.2 billion unique pairs of email addresses and passwords.  This is an astounding 845 GB of data gathered from more than 2000 individual data breaches going back several years.

What this means is that more than one of your passwords may be in list huge list.  So even if you use different passwords on different sites, your credentials for several sites may be in this trove.

Before you go nuts, it seems that much of this data is old and out of date.  Nevertheless, this is something a massive collection of PII, and it would be a miracle if some of your email account and password pairs were not in this vast store. Remember last year’s successful sextortion scam?  This was the phishing attack that claimed to have videos taken by your own web cam of you interacting with porn, and worked by showing victims old passwords as “proof” of access.

I checked to see if my own information might be in this trove, and it seems that I am in the clear, at least, so far.  You can check your own situation at  While you are at it, check out some of your passwords at Troy’s new Pwned Passwords page.  I highly recommend reading Troy’s report if you are at all interested in the details.

To protect yourself from these sorts of disclosures requires some serious password best practices.  These include:

  • Longer passwords of at least 12 characters
  • Two factor or multi-factor authentication.  Currently I am favoring USB solution such as Yubikey or Google Titan, but authenticator phone apps are good too.
  • Password managers such as LastPass, 1Password, or Dashlane.
  • Sign up at HIBP for breach alerts.  Click on “Notify Me” from the top menu.

The amount of information circulating on the Dark Web is staggering.  You want to be keeping track of any breaches that affect you personally.  There is always the danger of identity theft, or other personal attacks from breaches such as this one.

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.