Leak of 26 billion records may prove to be ‘mother of all breaches’

The discovery of 12TB (terabytes) of stolen personally identifiable information (PII) and credentials comprising 26 billion records relating to millions, possibly billions, of individuals, may prove to be the biggest leak in history, and is being dubbed the mother of all breaches (MOAB).

The dataset was discovered by researcher Bob Diachenko of SecurityDiscovery.com and Cybernews, and comprises information from social media platforms and online services around the world. The most records, 1.5 billion in total, appear to be from Chinese social media and gaming giant Tencent, with a further 504 million appearing from Tencent’s compatriots Weibo, 360 million from social media pioneer MySpace, and 281 million from X/Twitter.

Other heavily impacted online organisations include Adobe, Dropbox, LinkedIn, MyFitnessPal and Telegram, as well as many government bodies. The majority of organisations affected, however, are much smaller and less well-known. A full searchable index is available via Cybernews.

Much of the data appears to have been compiled from various smaller data by someone with an interest in doing so, possibly an initial access broker (IAB) who would then sell access to it to cyber criminals, the researchers said.

Taken together, the aggregated data – which does include a lot of duplicate information – could be used to conduct targeted identity theft, phishing schemes, cyber attacks and takeovers of victims’ online accounts.

The scope of the attack is particularly dangerous given a significant number of people continue to reuse usernames and credentials across multiple online services, putting all of them at risk of compromise.

“The potential consumer impact of the MOAB is unprecedented, with the researchers highlighting the risk of a tsunami of credential-stuffing attacks,” said Erfan Shadabi, cyber security expert at Comforte AG.

“We should never underestimate what cyber criminals can achieve with such limited information,” added Jake Moore, global cyber security advisor at Eset.

“After years of mishandling the data and trust of their customers, not one single company that contributed hundreds of millions of records to this massive dataset should insult those same customers by feigning shock at this development”

“Victims need to be aware of the consequences of stolen passwords and make the necessary security updates in response. This includes changing their passwords, being alert to phishing emails following the breach, and ensuring all accounts, whether affected or not, are equipped with two-factor authentication.

“Many systems share platforms and are aggressively attempted with the latest attacks. Lots of networks rely heavily on updates, but when a vulnerability is located, it is a race against time to patch the issue before the data is compromised. Alternatively, attackers can often target a system and remain under the radar in stealth mode, monitoring activity and deciding on what and when to pounce.”

For the organisations involved, the scale of the breach also makes a particularly potent argument for investing in solutions that can safeguard sensitive information, including data-centric approaches to security, Shadabi told Computer Weekly in emailed comments.

“Tokenisation [is] emerging as a key solution,” he said. “By substituting distinct tokens for sensitive data, tokenisation makes the data unusable for unauthorised parties even in the event of a breach. This preventive action lessens the possibility of harm from unwanted access while strengthening data protection.”

Richard Bird, chief security officer at Traceable AI, had harsh words for the organisations from which the data was stolen.

“After years of mishandling the data and trust of their customers, not one single company on the list of several that contributed hundreds of millions of records to this massive dataset should insult those same customers by feigning shock at this development,” he said.

“While these companies have been claiming ‘but no credit card or banking information has been stolen’, the bad guys have been building a mega-list of private data that even the researchers are calling ‘extremely dangerous’. With the failed stewardship displayed by these and other companies, what did they think would happen with that data?

“So, the question remains, will a list like this prove massive enough to force companies and governments to get their heads out of the sand?”