A second, massive Collections leak of 2.2 billion email addresses probably has your information

Changing your password, enabling two-factor authentication, and even using a password manager are essential responses to the new "Collections #2-#5" leak.

Like a bad movie, the sequel to the “Collections” data breach—Collections #2-#5—has snared an estimated 2.19 billion email addresses and passwords, far more than the original leak.

Researchers at the Hasso Plattner Institute have reportedly discovered that 611 million of the credentials in Collections #2–5 weren’t included in the Collection #1 database. That brings the total to 2.19 billion, though it’s not clear whether some of this information may have been circulated elsewhere, according to heise.de.

What’s clear, though, is that with over 2 billion email addresses and passwords on the loose, it’s almost certain that one of yours may be in the hands of potential attackers. (A private email I hardly ever share escaped being exposed, but a more public email address I’ve used appeared in a number of different databases.)

What can you do?

Though researcher Troy Hunt, the owner of the HaveIBeenPwned website, has added the previous “Collection #1” database, the remaining “Collections” have yet to be added. The Hasso Plattner Institute has its own Identity Leak Checker, however, which has added the database. The Identity Leak Checker asks for your email (nothing more), then uses that email to generate a list of information that’s out in the wild, including your name, IP address, and password, if applicable.

What the Identity Leak Checker can do is tell you if a password has been matched to your email address. What it can’t tell you is how recent that password actually is. It’s probably a good idea to change the password for an affected email address again—yes, again—to something unique.

If it’s available, you should also make sure that two-factor authentication is turned on, especially for email addresses that can potentially be exploited to obtain information from other sites that you have access to. Two-factor authentication isn’t foolproof, but it provides another layer of security. An even surer way to secure your personal information is with a password manager, which can automatically generate unique, secure passwords for the services you use.


Stories by Mark Hachman
