While security expert Troy Hunt disclosed a massive 773 million username-password leak earlier in January, it appears that this huge breach is now followed by another colossal data spill.
After sifting through 845 GB of data with 25 billion records, experts at the Hasso Plattner Institute in Potsdam, Germany found that it totalled 2.2 billion unique entities. Dubbed as Collection #2-5, all of these data leaks seem to draw from earlier breaches of Yahoo, LinkedIn, and Dropbox.
Researcher David Jaeger from the institute suggests that a part of the breached data came from automated hacking of smaller websites. “Probably the skilled hackers, the guys really interested in getting money from this, had it for multiple years already, After some time, they've tried all these on the major services, so it doesn’t make sense to keep them any longer, they sell it for a small amount of money." speculated Jaeger.
Even worse, this might lure script kiddies to simply try experimenting with leaked credentials to get into accounts. In his analysis, Chris Rouland, the founder of security firm Phosphorous.io, told WIRED that these leaked credentials were spread by around 130 people on torrent websites. “It's an unprecedented amount of information and credentials that will eventually get out into the public domain,” said Rouland.
Moreover, Rouland suggests that the data may have been partially collated from older breaches and were probably on sale.
Publisher