Collections 1-5 – Is This The Biggest Data Breach Ever?

Troy Hunt, of Have I Been Pwned (HIBP) fame, reported on January 17 what may be the biggest data breach ever, or, more precisely, the biggest compilation of breached credentials ever, since it aggregates thousands of older breaches rather than coming from a single hacked site. Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. That's right, nearly 2.7 billion rows, which boil down to almost 773 million unique email addresses and more than 21 million unique passwords, spread across more than 12,000 files with a total size surpassing 87 gigabytes. That's a lot of personally identifiable information (PII) about all of us, I would guess. This information was being circulated on the popular cloud storage service MEGA for the low, low price of $45. This is not the Dark Web, it is the regular web.

On January 25, Germany's Hasso-Plattner Institute (HPI) released a report about a second, larger trove, called Collections #2-5. This information came from the same source as Collection #1, and it contains another 2.2 billion unique pairs of email addresses and passwords. This is an astounding 845 GB of data gathered from more than 2,000 individual data breaches going back several years.

What this means is that more than one of your passwords may be in this huge list. So even if you use different passwords on different sites, your credentials for several of those sites may be in this trove, and anyone who downloads it can try each pair against other services.

Before you go nuts, it seems that much of this data is old and out of date; many of the passwords come from breaches that were disclosed years ago. Nevertheless, this is a massive collection of PII, and it would be a miracle if none of your email address and password pairs were in this vast store. Old data is still useful to attackers. Remember last year's successful sextortion scam? That was the phishing campaign that claimed to have webcam video of you watching porn, and it worked because it showed victims one of their own old passwords as "proof" of access. Passwords lifted from old breach compilations like this one are what made it convincing.

I checked to see whether my own information is in this trove, and it seems that I am in the clear, at least so far. You can check your own situation at https://haveibeenpwned.com. While you are at it, check some of your passwords at Troy's Pwned Passwords page (https://haveibeenpwned.com/Passwords). That check uses a k-anonymity scheme: only the first five characters of the password's SHA-1 hash are sent to the service, which returns every matching hash suffix it knows about, and the comparison happens on your side, so the password itself never leaves your browser. I highly recommend reading Troy's report if you are at all interested in the details.

The real risk from a dump like this is credential stuffing: attackers replay the leaked email and password pairs against other sites, betting that you reused them. Protecting yourself against that requires some serious password best practices. These include:

  • Longer passwords, or passphrases, of at least 12 characters, and a different one for every site.
  • Two-factor or multi-factor authentication, so that a leaked password alone is not enough to log in. Currently I am favoring a USB security key such as a YubiKey or Google Titan, but authenticator phone apps are good too. SMS codes are better than nothing, but they are the weakest option, since they can be intercepted or SIM-swapped.
  • A password manager such as LastPass, 1Password, or Dashlane, which is what makes a unique password for every site practical.
  • Sign up at HIBP for breach alerts on your email addresses. Click on "Notify Me" from the top menu.
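The Pwned Passwords check mentioned above, and the 12-character rule from the list, can both be scripted. The following is an added example written for this post, not code from the original article, from Troy Hunt, or from HIBP. It implements the k-anonymity range lookup: hash the password with SHA-1, send only the first five hex characters to the public endpoint https://api.pwnedpasswords.com/range/{prefix}, and search the returned `SUFFIX:COUNT` lines locally. The sample response embedded in the block is constructed for offline use (the suffix for the password "password" is real, the counts and the other suffixes are made up), and the `User-Agent` string is an arbitrary choice.

```python
"""
Check a candidate password against Pwned Passwords using the k-anonymity
range API, so the password itself never leaves this machine.

Added example; not code from the original post or from HIBP.
"""
from __future__ import annotations

import hashlib
import urllib.request

MIN_LENGTH = 12  # the post's recommended minimum password length

# Constructed sample response for the range "5BAA6", which is the SHA-1 prefix of
# the password "password" (SHA-1 = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8).
# The first suffix is the real one for "password"; the counts and the other two
# suffixes are made up so the example runs offline. A real response holds
# several hundred lines in the same SUFFIX:COUNT format.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00F8B3F7A2E9C1D5B6A4F0E1D2C3B4A5968:2
1D8AE0F5F7C6B3E2A1D0C9B8A7F6E5D4C32:15
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that is kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the API's 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count_from_response(password: str, range_body: str) -> int:
    """How many times the password appears in breach corpora, given the
    response body already fetched for the password's own 5-char prefix.
    Returns 0 when the suffix is absent from the range."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the range for a 5-char prefix from the live API (network access).
    Only the prefix is transmitted; the rest of the hash stays local."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hibp-range-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def evaluate_password(password: str, range_body: str) -> dict:
    """Combine the post's two rules: at least MIN_LENGTH characters, and not
    present in any known breach corpus."""
    count = pwned_count_from_response(password, range_body)
    long_enough = len(password) >= MIN_LENGTH
    return {
        "long_enough": long_enough,
        "pwned_count": count,
        "acceptable": long_enough and count == 0,
    }


if __name__ == "__main__":
    candidate = "password"
    prefix, _ = sha1_prefix_suffix(candidate)
    try:
        body = fetch_range(prefix)  # live lookup; falls back to the sample offline
    except OSError:
        body = SAMPLE_RANGE_5BAA6
    print(f"sent prefix {prefix} only; verdict: {evaluate_password(candidate, body)}")
```

A site operator can run the same check when a user sets or changes a password and reject anything with a non-zero count; NIST SP 800-63B recommends screening new passwords against known-breached lists in exactly this way. Because the lookup is by hash prefix, the service learns neither the password nor which of the few hundred returned hashes was the one you cared about.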

The amount of breached information circulating on the regular web and the Dark Web is staggering. You want to keep track of any breaches that affect you personally. There is always the danger of identity theft, account takeover, or other personal attacks following breaches such as this one.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
