A second, massive Collections leak of 2.2 billion email addresses probably has your information

Changing your password, enabling two-factor authentication, and even using a password manager are essential responses to the new "Collections #2-#5" leak.

Like a bad movie, the sequel to the “Collections” data breach—Collections #2-#5— have snared an estimated 2.19 billion email addresses and passwords, far more than the original leak.

Researchers at the Hasso Plattner Institute have reportedly discovered that that 611 million of the credentials in Collections #2–5 weren’t included in the Collection #1 database. That brings the total to 2.19 billion, though its not clear whether some of this information may have been circulated elsewhere, according to heise.de

What’s clear, though, is that with over 2 billion email addresses and passwords on the loose, it’s almost certain that one of yours may be in the hands of potential attackers. (A private email I hardly ever share escaped being exposed, but a more public email address I’ve used appeared in a number of different databases.)

What can you do?

Though researcher Troy Hunt, the owner of the HaveIBeenPwned website, has added the previous “Collection #1” database, the remaining “Collections” have yet to be added. The Hasso Plattner Institute has its own Identity Leak Checker, however, which has added the database. The Identity Leak Checker asks for your email (nothing more), then uses that email to generate a list of information that’s out in the wild, including your name, IP address, and password, if applicable.

What the Identity Leak Checker can do is tell you if a password has been matched to your email address. What it can’t tell you is how recent that password actually is. It’s probably a good idea to change an affected email address password again—yes, again—to something unique. 

If it’s available, you should also make sure that two-factor authentication is turned on, especially for email addresses that can potentially be exploited to obtain information from other sites that you have access to. Two-factor authentication isn’t foolproof, but it provides another layer of security. An even surer way to secure your personal information is with a password manager, which can automatically generate unique, secure passwords for the services you use.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Mark Hachman

Mark Hachman

PC World (US online)
Show Comments

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?