According to Hasso Plattner Institute, a German research group, approximately 2.2 billion stolen records have surfaced online for criminals to access and share. Initially, almost 773 million unique usernames and passwords were thought to have been exposed online. Security researcher Troy Hunt identified the first grouping named Collection #1 by its anonymous creator.
But analysts from the Hasso Plattner Institute now say they’ve obtained and analyzed four more batches of stolen account information called Collections #2-5. After accounting for duplicates, the Hasso Plattner Institute found that the total haul represents close to three times the Collection #1 batch.
The collection of 2.2 billion unique usernames and passwords doesn’t appear to stem from a massive new data breach but is likely a combination of consumer information stolen over the years in previous thefts from companies like Yahoo, LinkedIn, and Dropbox. The discovery was first reported by the German tech news website Heise.de and later by WIRED, an American technologies publication site.
Chris Rouland, a cybersecurity researcher and founder of an IoT security firm, who extracted Collections #1-5 says “this is the biggest collection of breaches we’ve ever seen.” He says the collection has been circulating among hackers and has already been downloaded more than 1,000 times.
Though the passwords may be outdated for certain accounts, hackers may still try to use them for credential surfing, a technique where scammers try to access consumers’ other accounts on any public internet site in the hopes that people have reused their passwords. The stolen email addresses are also a valuable tool for use in phishing email scams and attacks.
You can check whether your own email address or passwords have been compromised in the breach using Hasso Plattner Institute’s online tool. In addition, Better Business Bureau and Consumer Reports offer these tips for keeping your data safe.
- Use strong passwords. Long, random sets of uppercase letters, lowercase letters, and special characters are best. And using different passwords for different accounts is also important.
- Turn on two-factor authentication. When it’s available make sure you’ve enabled multi-factor authentication, also known as two-factor authentication, on your accounts. This requires you to enter a second form of identification – such as a code texted to your phone in addition to your password, before accessing your account.
- Keep a clean machine. Install a firewall, anti-virus and anti-spyware. Check for and install the latest updates and run virus scans regularly on your computer, tablet and smartphone.