A huge trove containing 2.2 billion email addresses and passwords, one of the largest in history, was discovered and partially analyzed by cybersecurity experts.
This discovery is directly related to that of “Collection 1”, a database whose existence computer security researcher Troy Hunt had revealed two weeks ago. This first collection contained 772 million email addresses and 21 million passwords stolen over the years by various hackers.
Other researchers quickly learned that four other similar databases exist, Collections 2 to 5. Together they bring the total to 2.2 billion compromised credentials.
These new collections occupy 845 GB of storage space, equivalent to 845 times the Encyclopædia Britannica, which contains 44 million words.
A gold mine for hackers
These billions of credentials can be used to conduct credential stuffing attacks. This type of attack involves using a computer program to try to log in to many sites using credentials stolen elsewhere on the web. The method relies on the fact that many people reuse the same password across multiple services.
Hackers can thereby gain access to a great deal of data about a person, which can be used to blackmail them in exchange for money. In some cases, attackers could even gain access to a victim’s bank account and steal money.
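The distinguishing feature of credential stuffing, as described above, is that one source tries stolen credentials against many different accounts, rather than many passwords against one account. The following detector is an added example written for this article (not code from the original piece or from any of the researchers it cites); it runs over a few constructed login-log lines in an assumed format of `timestamp source-ip username FAIL|SUCCESS` and flags sources whose failures are spread across many distinct usernames within a short window, also listing the accounts that did log in successfully from such a source so that they can be forced to reset their passwords.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Credential stuffing looks different from a classic brute-force attack: instead
of many password guesses against ONE account, a single source tries stolen
credentials against MANY accounts. The tell-tale signal is therefore a source
address with many failed logins spread across many distinct usernames.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). The line format is an
# assumption for this example: "<ISO timestamp> <source ip> <user> <FAIL|SUCCESS>".
# 203.0.113.5 sprays one password across many accounts (stuffing, one hit),
# 198.51.100.7 hammers a single account (brute force, not stuffing),
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2019-02-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2019-02-01T10:00:03Z 203.0.113.5 bob@example.com FAIL
2019-02-01T10:00:05Z 203.0.113.5 carol@example.com FAIL
2019-02-01T10:00:07Z 203.0.113.5 dave@example.com SUCCESS
2019-02-01T10:00:09Z 203.0.113.5 erin@example.com FAIL
2019-02-01T10:00:11Z 203.0.113.5 frank@example.com FAIL
2019-02-01T10:00:13Z 203.0.113.5 grace@example.com FAIL
2019-02-01T10:01:00Z 198.51.100.7 bob@example.com FAIL
2019-02-01T10:01:02Z 198.51.100.7 bob@example.com FAIL
2019-02-01T10:01:04Z 198.51.100.7 bob@example.com FAIL
2019-02-01T10:01:06Z 198.51.100.7 bob@example.com FAIL
2019-02-01T10:01:08Z 198.51.100.7 bob@example.com FAIL
2019-02-01T10:01:10Z 198.51.100.7 bob@example.com FAIL
2019-02-01T10:02:00Z 192.0.2.9 alice@example.com SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(lines, window=timedelta(minutes=5),
                    min_failures=5, min_distinct_users=5):
    """Return {source_ip: stats} for sources that look like credential stuffing.

    A source is flagged when, inside any sliding time window, it produced at
    least `min_failures` failed logins across at least `min_distinct_users`
    different usernames. The stats report the widest such window and every
    account that logged in successfully from that source (likely compromised).
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    failures = defaultdict(list)   # ip -> [(timestamp, user), ...]
    successes = defaultdict(set)   # ip -> {user, ...}
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))
        elif result == "SUCCESS":
            successes[ip].add(user)

    flagged = {}
    for ip, fails in failures.items():
        best = None
        start = 0
        for end in range(len(fails)):
            # Advance the window start so that fails[start:end+1] fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            segment = fails[start:end + 1]
            users = {u for _, u in segment}
            if len(segment) >= min_failures and len(users) >= min_distinct_users:
                if best is None or len(users) > best["distinct_users"]:
                    best = {"failures": len(segment), "distinct_users": len(users)}
        if best is not None:
            best["successes"] = sorted(successes[ip])
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {stats['failures']} failures across "
              f"{stats['distinct_users']} accounts; successful logins: "
              f"{stats['successes'] or 'none'}")
```

On the constructed sample, only `203.0.113.5` is flagged: six failures across six accounts in a few seconds, plus one successful login for `dave@example.com`, which is exactly the account a defender should force to reset. The single-account brute force from `198.51.100.7` is deliberately not flagged by this rule, because it needs a different response (lockout or rate limiting on that one account) rather than a fleet-wide password reset.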
A well-known collection
Collections 1 to 5 seem to be well known in the hacking world, as there are indications that they have already circulated widely. Chris Rouland, a cybersecurity researcher interviewed by Wired, noticed that the file he downloaded was being shared by 130 people and had already been obtained by 1000 Internet users.
The collection is nonetheless very valuable to hackers, since it contains several hundred million credentials that had apparently never been leaked before. Many credentials seem to come from relatively old breaches: a good part came from the 2012 attacks against LinkedIn and Dropbox.
How to protect yourself?
It is strongly recommended that you enable 2-step verification on all of your online accounts wherever this feature is available. Sites that use it will then ask you to enter both your password and a one-time code delivered through an application or text message when you sign in. This minimizes the risk that someone other than you can log in to your account.
It is also advisable to use a different password for each web service and to change them regularly, to protect against credential stuffing attacks. Password managers such as 1Password or LastPass make this practice easier.
You can visit the Hasso Plattner Institute website to check whether your email address is among those contained in Collections 1 to 5.
With information from Wired and CNet