February 2, 2019
Hackers have been exploiting vulnerabilities, stealing data, selling it on, and combining login credentials from different sources for decades. Every so often a new major breach is reported, and year after year the definition of a ‘big breach’ is stretched to fit the latest incident.
Now that definition has to be reconsidered once again, following the discovery of a new, massive data dump.
Several weeks ago, the breach-notification site Have I Been Pwned? added a newly found database containing around 773 million unique email addresses and 21 million unique passwords. The data had been posted on an undisclosed hacking forum, and it was believed to be one of the largest data dumps of recent years. It has been named Collection #1, and anyone wanting to check whether their email address appeared in it could do so on the Have I Been Pwned? site.
Now Collections #2-5 have surfaced as well, and the total number of affected accounts has skyrocketed to 2.2 billion. The additional caches were analysed by Germany’s Hasso-Plattner Institute (HPI), whose researchers confirmed that they belong to the same series of dumps as Collection #1.
Newly discovered data
Collection #1 was assembled from over 2,000 smaller breaches and amounts to 87 GB of data. Collections #2-5 are far larger: around 25 billion records and roughly 845 GB in total.
2.2 billion accounts is a large number, roughly 30% of the people on the planet today. The good news is that these accounts almost certainly do not all belong to separate individuals; the same person typically has accounts on many services. Another positive point is that little of this data is new; most of it is years old. Even so, anyone affected by those older breaches should not ignore the situation, even if nothing has happened to them so far.
Attackers are patient, and they will try every email-and-password pair they have against any site they can think of. Users who keep using the same login credentials everywhere will sooner or later have some of their accounts taken over.
Another worrying conclusion concerns how stolen data circulates. After the original theft, the attackers typically sell the data, giving other criminals a chance at the accounts of the breached service. Whether or not the credentials still work there, they are then traded on again. This is what feeds credential stuffing attacks, in which attackers replay the leaked email-and-password pairs against as many other sites as possible, looking for the places where a user reused the same password.
One of the most telling conclusions from these discoveries is that criminals now build massive combined databases out of information stolen in numerous smaller breaches. It is also believed that these collections were dumped publicly now because they are old and have already been exploited, or because most interested attackers already had access to them.
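The replay pattern described above leaves a recognisable trace on the receiving site: one source address trying many different usernames in a short burst, most of them failing. The following detector is an added example, not code from the article or from HIBP/HPI; the log format ("timestamp source_ip username OK|FAIL"), the sample lines and the thresholds (5 distinct users in 10 minutes, at least 60% failures) are constructed for illustration and would be tuned per site. It also lists the accounts that logged in successfully from a flagged source, since those are the reused passwords that were in the dump and need resetting first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "timestamp source_ip username OK|FAIL").
# One source tries many different accounts in a burst and mostly fails; one user
# fumbles their own password from a single address. Only the first is stuffing.
SAMPLE_LOG = """\
2019-02-01T10:00:01Z 203.0.113.10 alice FAIL
2019-02-01T10:00:02Z 203.0.113.10 bob FAIL
2019-02-01T10:00:03Z 203.0.113.10 carol FAIL
2019-02-01T10:00:04Z 203.0.113.10 dave OK
2019-02-01T10:00:05Z 203.0.113.10 erin FAIL
2019-02-01T10:00:06Z 203.0.113.10 frank FAIL
2019-02-01T10:05:00Z 198.51.100.7 alice FAIL
2019-02-01T10:05:30Z 198.51.100.7 alice FAIL
2019-02-01T10:06:00Z 198.51.100.7 alice OK
2019-02-01T11:00:00Z 203.0.113.10 grace FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_line(line):
    """Return (timestamp, ip, username, success) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4) == "OK"


def find_stuffing_sources(log_text, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that, within any sliding time window, attempted at least
    min_users distinct usernames with a failure ratio of min_fail_ratio or more.
    Returns {ip: (distinct_users, attempts, failures)} for the first window that
    trips the thresholds. Thresholds are illustrative; tune them per site."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, ok = parsed
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = (len(users), len(win), fails)
                break
    return flagged


def compromised_accounts(log_text, flagged):
    """Usernames that logged in successfully from a flagged source: these are the
    accounts whose reused password was in the dump and should be reset first."""
    hits = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] in flagged and parsed[3]:
            hits.add(parsed[2])
    return hits


if __name__ == "__main__":
    flagged = find_stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", flagged)
    print("accounts to reset:", compromised_accounts(SAMPLE_LOG, flagged))
```

On the sample, 203.0.113.10 is flagged (five distinct users, four failures, one success) and dave is reported for reset, while 198.51.100.7, a single user retrying their own password, is not. Real deployments key on more than the source IP, because stuffing tools spread attempts over proxy pools, but the per-source distinct-user ratio remains the first signal worth alerting on.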
What to do next?
The first thing concerned users should do is check whether their credentials appear in one of the Collections. At the time of writing, Have I Been Pwned? has loaded only Collection #1, while HPI’s Identity Leak Checker covers the other four collections.
If users discover that their information was exposed in a breach, they should immediately change the password on the affected account and on every other site where the same password was used. A password manager is recommended, since it will remember the passwords for them. New passwords should be unique to each site and account, and long and complex, mixing letters, numbers and symbols.
Users should also enable additional protections, such as two-factor authentication, on every site that offers them.
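Checking an email address is a matter of typing it into the sites named above; checking a password can be done without ever sending it anywhere, using the k-anonymity range API that Have I Been Pwned? exposes for its Pwned Passwords set (the client sends only the first five hex characters of the password's SHA-1 and matches the returned hash suffixes locally). The code below is an added example, not from the article or from HIBP: the endpoint and response format ("SUFFIX:COUNT" lines for a given prefix) are the real API, but `SAMPLE_RESPONSE` is a constructed stand-in with a made-up count so that the check runs offline, `check_password_online` is the only function that touches the network, and `generate_password` is a stand-in for what a password manager would produce.

```python
import hashlib
import secrets
import string
from urllib.request import Request, urlopen

# Real HIBP Pwned Passwords range endpoint: GET /range/<first 5 hex chars of SHA-1>
# returns lines "HASH_SUFFIX:COUNT" for every leaked hash sharing that prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that
    is sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and suffix:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How many times the password appeared in the dumps behind this range
    response; 0 means its hash is not in the set."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Fetch the live range for a prefix (network; not used by the offline demo)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password):
    """Live check: only the 5-char prefix is transmitted, never the password."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


def generate_password(length=20):
    """A unique random password of the kind a password manager would store."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed stand-in for the live response to the prefix of "password": its real
# suffix with a made-up count, plus random filler suffixes like a real range has.
def build_sample_response(known_counts, filler=3):
    lines = [f"{sha1_prefix_suffix(p)[1]}:{n}" for p, n in known_counts.items()]
    lines += [f"{secrets.token_hex(18).upper()[:35]}:1" for _ in range(filler)]
    return "\r\n".join(lines)


SAMPLE_RESPONSE = build_sample_response({"password": 3730471})

if __name__ == "__main__":
    print("password ->", breach_count("password", SAMPLE_RESPONSE), "hits")
    fresh = generate_password()
    print("generated ->", breach_count(fresh, SAMPLE_RESPONSE), "hits")
```

The same split applies on the server side: a site can run the prefix lookup at registration or password change and refuse any password with a non-zero count, which blocks the exact credential pairs these Collections contain from being reused against it.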