iStock / iam-Citrus

On January 17, security researchers published details of the world's largest online dump of personal data. Collection #1 contained passwords and usernames relating to 772,904,991 individual email addresses. These were spread across 2,692,818,238 spreadsheet rows in 12,000 files. Then along came Collection #2-5.

The new Collection leak, which was first reported by Heise, contains 2.2 billion unique usernames and passwords. In total it contains 845GB of data and more than 25bn records.


There are almost three times as many unique records in Collection #2-5 as in Collection #1. It's a goldmine for hackers. The files have been analysed by security researchers at Germany's Hasso Plattner Institute and cybersecurity firm Phosphorus.io.

Chris Rouland, the founder of Phosphorus, told WIRED.com that more than 130 people were making the data available to download and there have been more than 1,000 downloads so far. This increases the scope for the information to be abused and the fact that there isn't only one copy of the information means it'll never be removed from the web.

Read next A data fail left banks and councils exposed by a quick Google search A data fail left banks and councils exposed by a quick Google search

Like Troy Hunt, who publicised the Collection #1 database and allows people to see if their details have been compromised through haveibeenpwned?, there's a way to check if your details are caught up in the later Collection files. Hasso Plattner runs an Info Leak Checker. This allows anyone to enter their email address and find out if their details are included in the huge database.

And chances are you're in there. The data checker has details from 8,165,169,702 accounts spanning 810 leaks. It'll not only tell you if your email and password have been compromised over the last decade but in addition, it'll give you details about other personal information, such as telephone number, date of birth, or address.


How to create a genuinely strong password for your digital life Privacy How to create a genuinely strong password for your digital life

While the details in the Collection dumps may not be new, they still pose a threat. Through credential stuffing, hackers are able to compromise accounts across the web that have use the same login details.

Earlier this month, video sharing platform Dailymotion has confirmed its users were being targeted with credential stuffing. "The attack consists in “guessing” the passwords of some Dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from websites unrelated to Dailymotion," the company said in a statement. Reddit has also prompted its users to reset passwords after it saw a rise in credential stuffing this month. Neither site has said the attacks are directly linked to Collection #1 or Collection #2-5.

Read next Cash machine hackers are getting better at stealing your money Cash machine hackers are getting better at stealing your money

As ever, the usual password advice applies. You should use a password manager to create and store secure passwords for all of your accounts. Never reuse passwords across different services: your Facebook password shouldn't be the same as your bank account.


And as it's likely that your details have been caught up somewhere in Collection #2-5, you should make sure you're using two-factor authentication wherever it's available.

More great stories from WIRED

– Why your standing desk isn't solving your sitting problem

– Our guide to the best WhatsApp alternatives

– What is the point of folding phones?


– The complicated truth about China's social credit system

– Your old router is a goldmine for hackers

Get the best of WIRED in your inbox every Saturday with the WIRED Weekender newsletter