Collection #1 data leak part of a bigger cache of compromised email addresses, claims Brian Krebs
Four terabyte data dump also being sold by online seller behind Collection #1
Collection #1, the data breach brought to light yesterday by security researcher Troy Hunt, is just part of a much larger collection of email addresses and passwords being hawked online.
That's according to security journalist Brian Krebs, who claims that the 87GB leak represents less than one-tenth of the compromised data being sold by the online seller responsible for Collection #1.
Krebs contacted the seller, who would appear to be Russian, directly over the secure messaging app Telegram, on which he goes by the user name 'Sanixer'.
Krebs claims that while the seller has been offering more than 993GB of personal data online, split up into seven separate collections, a package totalling more than four terabytes is also available, containing user names and passwords spilled only over the past year.
"Sanixer said Collection #1 consists of data pulled from a huge number of hacked sites, and was not exactly his 'freshest' offering. Rather, he sort of steered me away from that archive, suggesting that - unlike most of his other wares - Collection #1 was at least two-to-three years old.
"His other password packages [not available via his website] total more than four terabytes in size [and] are less than a year old, Sanixer explained. By way of explaining the provenance of Collection #1, Sanixer said it was a mix of 'dumps and leaked bases'," wrote Krebs.
Like Collection #1, this larger tranche of compromised personal data is also stored on Mega.co.nz.
Krebs advises people to use long, unique passwords to secure accounts, and to use different passwords every time rather than re-using passwords or, if that proves too difficult, to use a password manager.
Writing in response to a comment, Krebs warned that pretty much all personal data points have probably already been compromised - and are for sale somewhere.
"Reality #1: Bad guys already have access to personal data points that you may believe should be secret, but which nevertheless aren't, including your credit card information, Social Security number, mother's maiden name, date of birth, address, previous addresses, phone number, and yes, even your credit file.
"Reality #2: Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own."