“Mother of All Breaches” Unlikely to Contain New Data


A new 12TB database of 26 billion records has been found exposed online by security researchers, although its contents were pieced together from previous breaches.

Described as “the mother of all breaches” by Cybernews, the haul was discovered by the outlet together with security researcher Bob Diachenko on a publicly accessible instance that required no authentication to access.

Among the records leaked in the trove are 1.5 billion belonging to Tencent customers and 500 million from Chinese Twitter-like site Weibo, alongside MySpace (360 million), Twitter (281 million), LinkedIn (251 million), Adobe (153 million) and many more.

However, it’s unlikely that any previously undiscovered breaches have been made public in the leak.

“Every single data breach ever reported or sold was carefully collected by an unknown actor and left in a misconfigured instance,” clarified Diachenko.

There are also likely to be a sizeable number of duplicates in there.

However, while it’s unclear how many of the records are password/email combinations, the find could prompt a renewed wave of credential stuffing attacks.
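Because a combined dump like this is mostly email/password pairs from old breaches, the practical risk for a defender is the credential-stuffing burst that follows: one source trying many different usernames in a short window, with a low success rate and the occasional hit on a reused password. The following Python script is an added example, not code from the article or from any of the parties it mentions; it runs a sliding-window detector over constructed authentication log lines (the log format, IP addresses, usernames and thresholds are all assumed for illustration) and reports the accounts that were successfully logged into from a flagged source, since those are the ones that need a forced password reset and two-factor enrolment.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Log format (assumed for this example): one event per line,
    <ISO-8601 timestamp>Z <source IP> <username> <FAIL|SUCCESS>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data. 203.0.113.7 sprays six different
# accounts in five seconds and lands one; 198.51.100.4 is one user retrying
# their own password; 192.0.2.9 is a single failed attempt.
SAMPLE_LOG = """\
2024-01-22T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-22T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-01-22T10:00:02Z 203.0.113.7 carol@example.com FAIL
2024-01-22T10:00:03Z 203.0.113.7 dave@example.com SUCCESS
2024-01-22T10:00:04Z 203.0.113.7 erin@example.com FAIL
2024-01-22T10:00:05Z 203.0.113.7 frank@example.com FAIL
2024-01-22T10:05:00Z 198.51.100.4 alice@example.com FAIL
2024-01-22T10:05:30Z 198.51.100.4 alice@example.com SUCCESS
2024-01-22T11:00:00Z 192.0.2.9 grace@example.com FAIL
"""


def parse_line(line):
    """Return (timestamp, ip, username, succeeded) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Return one finding per source IP whose busiest `window` contains at
    least `min_distinct_users` different usernames with a success ratio at or
    below `max_success_ratio`. Thresholds are illustrative assumptions."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        # Slide a time window over this IP's events and keep the window that
        # touches the most distinct usernames.
        best_users, best_span, start = 0, [], 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) > best_users:
                best_users, best_span = len(users), span

        if best_users < min_distinct_users:
            continue
        successes = [e for e in best_span if e[3]]
        ratio = len(successes) / len(best_span)
        if ratio > max_success_ratio:
            continue  # many distinct users but mostly succeeding: likely a shared gateway
        findings.append({
            "ip": ip,
            "distinct_users": best_users,
            "attempts": len(best_span),
            "success_ratio": round(ratio, 2),
            # Accounts that were logged into from the spraying source: these
            # are the reused-password hits that need a reset and 2FA.
            "compromised_accounts": sorted({e[2] for e in successes}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_LOG):
        print(finding)
```

The success-ratio guard keeps a busy but legitimate source (a corporate NAT with many users logging in normally) from being flagged alongside a sprayer; in production the thresholds would be tuned per service, and the flagged source would also feed rate limiting or a step-up challenge rather than only a report.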

ESET global cybersecurity advisor Jake Moore urged users to follow best-practice cyber-hygiene to keep their accounts secure.

“We should never underestimate what cybercriminals can achieve with such limited information. Victims need to be aware of the consequences of stolen passwords and make the necessary security updates in response,” he said.

“This includes changing their passwords, being alert to phishing emails following the breach, and ensuring all accounts, whether affected or not, are equipped with two-factor authentication.”


A more impactful discovery was arguably made last week, when breach notification site HaveIBeenPwned (HIBP) published a massive collection of username/password pairs, known as the “Naz.API” list. This data was obtained from info-stealing malware and credential stuffing lists from previous breaches.

HIBP founder Troy Hunt identified 71 million unique email addresses in the haul and warned that a third of them were not previously listed in HIBP, meaning it is a “significant volume of new data” which could subsequently be used to access users’ accounts.
