Collection #2 to #5 exposes 2.2 billion users with more to come

Collection #2

Hot on the heels of the release 773 million user’s details in Collection #1 comes Collection #2 to #5 with 2.2 billion unique user’s details.

GadgetGuy reported on Collection #1 on 18 January and the advice to check if you have been Pwned is more important than ever. Collection #2 to #5 has 2.2 billion user’s details from breaches including Yahoo, LinkedIn, and Dropbox and other sources. It is 845GB in size!

Collection #2 to #5

I put my private email address into a new search site hosted by the Hasso-Plattner-Institut and within seconds received an email with good and bad news. Yes, my email address and then passwords had been exposed but personal data had not. In many respects that is because I have also been very careful with exposing data to anyone. HPI state that 8,165,169,702 user accounts have been Pwned!

Collection #2 to #5

Passwords are gold – check them

Next check your commonly used passwords here. That is how I found which passwords hackers had access to. Change them quicksmart.

KrebsonSecurity has a good outline of the value of an email login and password

Collection #2 to #5

The release of Collection #2 to #5 is both good and bad news.

The good is that it has drawn attention to the issue and every reader should act now by checking their email addresses/passwords and change them all.

The bad is that, as Kaspersky has predicted, the new threat comes from newer, inexperienced and ‘hungry’ cybercriminals in South-east Asia. This list is gold to them, and you can bet it will be fed into their massive automated spear phishing operations and user profiles as you read this!

That means more dangerous spear phishing, more poorly spelt emails and more breaches. It also means these new cybercriminals will start attacking social media and other common accounts.

And the worry is that the ‘professional’ cybercriminals can dump 2.2 billion ‘used’ names means that they still have more breaches they are using.

GadgetGuy’s take:

Collection #2 to #5 makes privacy and security a pipe dream

You may recall that I wrote about the Starwood data breach on 4 December. Having spent much of my life in the meetings industry and as a foundation member of the Sheraton Asia Pacific Advisory Board I spent much time in said Starwood properties.

About that time I started getting junk emails from my email address! That meant a hacker had managed to compromise an old webmail account. And I started getting invalid password messages on all manner of accounts from Airbnb to Woolworths and everything in between.

The problem is that I had used a single generic password for non-critical accounts and the hacker had accessed many of these and changed them. I spent much of Christmas leave changing over 30 accounts passwords. Some accounts were very hard to change because no sooner as I changed the password, the hacker would change it again.

The point is simply this. I am careful with data I expose to the internet. I don’t have a Facebook account (and never will trust this deceitful company) and limit other logins to business use.

Joe and Jane Average don’t have the skills I do (and I have been Pwned) so the warning to all readers it to take action now.

  • Change all passwords, email or otherwise on a regular basis
  • Never re-use passwords or use the same ‘root’
  • Use a combination of uppercase and lowercase letters, symbols, and numbers
  • Monitor your financial accounts and report any suspicious activity