On Tuesday, February 2, it was leaked on a popular hacking forum. It contains billions of user credentials from past leaks from Netflix, LinkedIn, Exploit.in, Bitcoin and more. This leak is comparable to the Breach Compilation of 2017, in which 1.4 billion credentials were leaked.
In December 2016, a huge list of email address and password pairs appeared in a "combo list" referred to as "Anti Public". The list contained 458 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for "credential stuffing", that is attackers employ it in an attempt to identify other online systems where the account owner had reused their password.
The Collection #5 data breach is part of a larger series of data dumps, including Collections #1 through #5, which compiled email addresses and passwords from thousands of sources, from previously known data breaches and some new alleged breaches. Collection #1 alone contained about 2.7 billion records, including 1.2 billion unique email and password combinations, 773 million unique email addresses, and 21 million unique plaintext passwords. Additional collections, named Collections #2 through #5, along with "AP MYR&ZABUGOR #2" and "ANTIPUBLIC #1," were also discovered, significantly adding to the scope of compromised data.
In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.