Collection #2-5 data dump is three times the size of #1

Written by Fri 1 Feb 2019

A fortnight ago Collection #1 set the record for the world’s largest online data breach. It turns out it was just a fraction of what has been out there all along.

Earlier this month a data leak dubbed Collection #1 was discovered by internet security researcher Troy Hunt on popular file-sharing site MEGA and dark web hacking forums. The collection contained over 773 million email addresses and passwords and was considered the largest ever online data breach.

But new evidence has emerged that this dump represents just one tranche of a mega-dump comprising five collections that have been floating around hacker forums and torrent indexes. In total, the four collections amount to 845 gigabytes of stolen data and 25 billion records – tripling the data breach record set by Collection #1.

The new batch, first reported by Heise.de, is like its predecessor in that it is an amalgamation of stolen data from a series of recent high-profile thefts, like the Yahoo and Dropbox breaches.

On the face of it, then, it may seem like you have nothing to worry about if you changed your details last time around. But the problem is that many still haven’t, and having the data gathered in one big dump is prime feed for attackers seeking to carry out large-scale credential-stuffing campaigns. It is also not clear how long the latest breach has been floating around the dark web.

The data also includes 750 million records that weren’t previously included in databases of leaked usernames and passwords. According to Hasso Plattner Institute researcher David Jaeger, this suggests that the new batch includes bounty from small, low-profile hacks that are being leaked for the first time.

“In situations like this, the practice of good password hygiene becomes critical, otherwise you’re putting sensitive accounts and credentials at risk,” Tim Bandos, VP of Cybersecurity at Digital Guardian, told Techerati.

“Consider using a password manager. There are a number of easy-to-use password apps out there, many of which are free. Make sure your passwords are unique and complex to ensure that hackers cannot guess them. If you’re notified that your account has been compromised, change your password immediately.”

It is recommended that you visit Troy Hunt’s Have I Been Pwned site to see if your details have been compromised. Simply enter your email address and Hunt’s service will let you know if you have been affected by this breach or by others.
