We learned a few days ago that a hacker shared a huge collection of usernames and passwords, including some 773 million unique accounts and more than 21 million different passwords. “Collection #1,” he or she called it. We soon learned that Collection #1 was just the beginning, and now we’re finally getting an idea of just how big this cache of stolen data truly is.
A new report explains that Collections #2 through #6 are also available online, amounting to a massive stash of more than 2.2 billion unique usernames and associated passwords. This data is being passed around on hacker forums and via torrents, and you don’t even have to pay for it at this point.
After security researcher Troy Hunt identified the first collection of data, researchers at the Hasso Plattner Institute in Potsdam, Germany discovered the entire database, concluding that the complete collection is close to three times the size of the Collection #1 batch, Wired explains. Most of the stolen data comes from previous breaches, including those at Yahoo, LinkedIn, and Dropbox, which isn’t much of a surprise. However, Collections #1 through #6 also contain data that had not appeared in previously discovered stolen data.
Researchers found that 750 million of the credentials weren’t included in their databases and 611 million of the credentials in Collections #2-5 were not part of Collection #1. Some of the data may originate from obscure websites, which means this is the first time some username/password combinations have been leaked.
The Hasso Plattner Institute has a tool that you can use to see if your data was compromised. If you already checked your email accounts using Hunt’s tool after we found out about Collection #1, you should do it again with this new website. Just input the email address you want to verify, and the results will be emailed to you.
As before, make sure you use unique passwords for every online service, and use a password management application to generate and save strong passwords for your accounts. Reusing the same passwords across services is a sure-fire way to get hacked, as attackers will often try the same user/password combinations on multiple online services.