Hackers have been gathering millions of usernames and passwords for the purpose of exploiting the information or selling it on the dark web. However, they’ve deviated from their typical behavior after the latest major breach.
A collection of 2.2 billion unique usernames and associated passwords is being handed out for free on hacker forums and torrents, after a hack called Collection #1, according to Wired.
Troy Hunt, a security researcher, said “the patched-together set of breached databases represents 773 million unique usernames and passwords,” Wired stated.
While that database was obtained by Hunt in early January, more have now been added.
If you thought the leak of 773 million emails and passwords from earlier this month was bad, try 2.2 billion. https://t.co/xWd4lBJHkW
— WIRED (@WIRED) January 30, 2019
The new compilation, named Collections #2–5, represents “845 gigabytes of stolen data and 25 billion records,” making it triple the size of the first collection, analysts at the Hasso Plattner Institute in Potsdam, Germany, said.
Chris Rouland, founder of the IoT security firm Phosphorus.io, said, “This is the biggest collection of breaches we’ve ever seen. It’s an unprecedented amount of information and credentials that will eventually get out into the public domain.”
He added that the collection has already circulated widely among the hacker underground. He downloaded a tracker file that had already been downloaded more than 1,000 times, with more than 130 people “seeding” the file.
The majority of the new data is from prior leaks, including those from Yahoo, LinkedIn, and Dropbox.
“For the internet as a whole, this is still very impactful,” Rouland said.
Researchers worry that inexperienced hackers may get their hands on the usernames and passwords and try them on public internet sites, a practice called credential stuffing.
David Jaeger, a researcher at Hasso Plattner Institute who analyzed the collections, said, “Probably the skilled hackers, the guys really interested in getting money from this, had it for multiple years already. After some time, they’ve tried all these on the major services, so it doesn’t make sense to keep them any longer, they sell it for a small amount of money.”
Jaeger added, “Below a certain price, hackers often barter the information for other data, spreading it further and devaluing it until it’s practically free. But it could still be used for smaller scale hacking, such as breaking into social media accounts, or cracking lesser-known sites. Maybe it’s worthless for the people who originally created these data dumps, but for random hackers it can still be used for many services.”
Following his publishing of Collection #1, Hunt said many people reached out to him saying they would send him the links to the remaining collections.
He said, “What this represents that’s unprecedented is the volume of data and the extent it’s circulating in big public channels. It’s not the world’s biggest hack, it’s the fact that it’s circulating with an unprecedented fluidity.”
“When enough people have secret data, someone shares it. It’s entropy. When the data is out there, it’s going to leak,” Rouland said.