A second, massive Collections leak of 2.2 billion email addresses probably has your information

Changing your password, enabling two-factor authentication, and even using a password manager are essential responses to the new "Collections #2-#5" leak.
  • Mark Hachman (PC World (US online))
  • 01 February, 2019 09:47

Like a bad movie, the sequel to the “Collections” data breach—Collections #2-#5—has snared an estimated 2.19 billion email addresses and passwords, far more than the original leak.

Researchers at the Hasso Plattner Institute have reportedly discovered that 611 million of the credentials in Collections #2–5 weren’t included in the Collection #1 database. That brings the total to 2.19 billion, though it’s not clear whether some of this information may have been circulated elsewhere, according to

What’s clear, though, is that with over 2 billion email addresses and passwords on the loose, it’s almost certain that one of yours may be in the hands of potential attackers. (A private email I hardly ever share escaped being exposed, but a more public email address I’ve used appeared in a number of different databases.)

What can you do?

Though researcher Troy Hunt, the owner of the HaveIBeenPwned website, has added the previous “Collection #1” database, the remaining “Collections” have yet to be added. The Hasso Plattner Institute has its own Identity Leak Checker, however, which has added the database. The Identity Leak Checker asks for your email (nothing more), then uses that email to generate a list of information that’s out in the wild, including your name, IP address, and password, if applicable.

What the Identity Leak Checker can do is tell you if a password has been matched to your email address. What it can’t tell you is how recent that password actually is. It’s probably a good idea to change an affected email address password again—yes, again—to something unique. 

If it’s available, you should also make sure that two-factor authentication is turned on, especially for email addresses that can potentially be exploited to obtain information from other sites that you have access to. Two-factor authentication isn’t foolproof, but it provides another layer of security. An even surer way to secure your personal information is with a password manager, which can automatically generate unique, secure passwords for the services you use.