Is someone spying on you? Check your email now

Old hacks strike again: Data from 2.2B accounts lands on the dark web

More than 600 gigabytes of hacked accounts from years ago have been compiled and are free to download.

Billions of hacked passwords and usernames from the last decade have come together in a convenient download for anyone who can find it on the dark web.

More than 2.2 billion usernames and passwords have been compiled and laid out for hackers to use, according to researchers from the Hasso Plattner Institute in Germany.

The compiled data doesn’t come from any fresh breaches: Much of the information was accumulated in hacks like LinkedIn’s 100 million breached accounts and Dropbox’s 68 million stolen credentials, both of which happened in 2012. While this stolen data has been available for years, the massive collection conveniently puts it all in one download for people to use.

Researchers are referring to all that as Collection #2 through Collection #5, and it’s one of the largest compilations of stolen credentials in history. It follows the 773 million email addresses released in Collection #1 earlier in January.  

Data breaches are a painful reality of the digital era, with billions of people’s personal and confidential information at stake. That’s drawn the attention of lawmakers, who are considering ways to punish multimillion-dollar companies that can’t protect people’s private data.

Compiling data from old breaches could be a startling new trend for cybercriminals, said Emily Wilson, vice president of research at security firm Terbium Labs.

“Data from thousands of breaches, big and small, is floating around on the dark web on any given day,” she said. “There’s nothing stopping an enterprising criminal from gathering the data together, packaging it and remarketing it — especially when they can turn a profit.”

In the first collection, stolen credentials come from breaches as far back as 2008, sourced from more than 2,000 different hacked websites. The rest of the set, which weighs in at more than 600GB, includes data from hacks that hit MySpace and Adobe in 2013.   

Stolen credentials, especially on this scale, can be extremely valuable, but they’ve popped up for free on the dark web and hacker forums over the last month. Some entrepreneurial hackers have chosen to charge for the stolen data, despite its age.

“These collections contain enough credential sets that some percentage are bound to still be valid, and they’re directly in the line of sight for the criminal community,” Wilson said. “Even accounts that have since undergone a password change are still at risk: email addresses are appetizing targets for phishing attacks, and regular password reuse across multiple platforms means that even if the exposed account has undergone a password change, there may be plenty of other accounts still using that same compromised password.”

While the stolen information is old, hackers are betting that a small percentage of people in the data dump never changed their credentials, or are still using the same passwords years later.

If even just one-tenth of 1 percent of people in the massive leak still use the same passwords, that’s 2.2 million accounts that hackers could potentially access. Considering that 45 percent of people would keep the same password after a breach, according to a LastPass survey, the odds are in the attackers’ favor.

The massive amount of stolen data is most useful for credential stuffing, a technique in which bots flood multiple services with the same set of login information as quickly as possible.

If someone uses the same username and password for their hacked account on LinkedIn that they do for their bank accounts, for example, it could be an opening for credential stuffers to exploit.
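How a single service can spot the pattern described above in its own login records, as an added example that is not part of the original article: a stuffing source tries many different accounts in a short time and mostly fails, unlike a forgetful user (one account) or a shared office address (mostly successes). The log format, the thresholds and all sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines: timestamp, source IP, username, outcome."""
    rows = []
    for i in range(8):   # one source walks 8 accounts in 16 s, one pair works
        rows.append(f"2019-01-25T10:00:{i*2:02d} 203.0.113.7 user{i}@example.com "
                    + ("OK" if i == 5 else "FAIL"))
    for i in range(4):   # forgetful user: one account, three misses, then success
        rows.append(f"2019-01-25T10:01:{i*5:02d} 198.51.100.4 bob@example.com "
                    + ("OK" if i == 3 else "FAIL"))
    for i in range(6):   # office NAT: many accounts, almost all succeed
        rows.append(f"2019-01-25T10:02:{i*3:02d} 192.0.2.10 staff{i}@example.com "
                    + ("FAIL" if i == 0 else "OK"))
    return rows

def parse(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def detect_stuffing(lines, window=timedelta(seconds=60), min_users=5, min_fail_ratio=0.8):
    """Map each suspicious source IP to (distinct users, failures, attempts)
    for its widest window of many accounts tried and mostly failed."""
    recent, flagged = defaultdict(deque), {}
    for ts, ip, user, ok in sorted(parse(l) for l in lines if l.strip()):
        q = recent[ip]
        q.append((user, ok, ts))
        while ts - q[0][2] > window:      # drop attempts older than the window
            q.popleft()
        users = {u for u, _, _ in q}
        fails = sum(1 for _, good, _ in q if not good)
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            if ip not in flagged or len(users) > flagged[ip][0]:
                flagged[ip] = (len(users), fails, len(q))
    return flagged

def accounts_to_reset(lines, flagged):
    """Logins that succeeded from a flagged source: treat as taken over."""
    return sorted({u for _, ip, u, ok in map(parse, lines) if ok and ip in flagged})

if __name__ == "__main__":
    log = build_sample()
    hits = detect_stuffing(log)
    print(hits)
    print(accounts_to_reset(log, hits))
```

The one successful login from the flagged source is the reused password the article warns about, so that account is the one to lock and reset first.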

You can check if you were affected by the massive data set with the HPI’s search tool. Even if you weren’t affected, you should consider changing your outdated passwords, or using a password manager.


With the HPI Identity Leak Checker, it is possible to check whether your email address, along with other personal data (e.g. telephone number, date of birth or address), has been made public on the Internet where it can be misused for malicious purposes.

