‘Mother of all data breaches’ sees 16b passwords exposed,
Cybersecurity researchers have uncovered what they are calling the ‘mother of all breaches.’
They discovered a massive collection of 30 databases containing more than 16 billion individual records, including passwords, for government accounts, Apple, Google, Facebook, Telegram and more websites.
Some of the datasets had vague names like ‘logins’ or ‘credentials,’ which made it hard for the team to figure out exactly what they contained.
Others, however, gave clues about where the data came from.
According to the researchers, the records were most likely compiled by cybercriminals using various infostealing malware, though they noted that some data may also have been collected by so-called ‘white hat’ hackers.
The team at Cybernews, which found the records, said the information available to the wider internet was only briefly, before being locked down, but it is not possible to determine who owned the databases.
With more than 5.5 billion people worldwide using the internet, researchers warned that a staggering number of individuals likely had at least some of their accounts compromised.
They are now urging users across the globe to change their passwords immediately to protect their data from falling into the hands of cybercriminals.
‘The inclusion of both old and recent infostealer logs makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices,’ the researchers said.
Cybernews noted that its researchers identified a database of 184 million records that was previously uncovered in May, found by data breach hunter and security researcher Jeremiah Fowler.
‘It barely scratches the top 20 of what the team discovered,’ Cybernews explained.
‘Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.’
The database of 184 million records not only contained secure login data for millions of private citizens, but also had stolen account information connected to multiple governments around the world.
While looking at a small sample of 10,000 of these stolen accounts, Fowler found 220 email addresses with .gov domains, linking them to more than 29 countries, including the US, UK, Australia, Canada, China, India, Israel, and Saudi Arabia.
‘This is probably one of the weirdest ones I’ve found in many years,’ Fowler told WIRED.
‘As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal’s dream working list,’ the cybersecurity expert continued.
In total, Fowler discovered 47 gigabytes of data with sensitive information for accounts on various sites, including Instagram, Microsoft, Netflix, PayPal, Roblox, and Discord.
The best action to take right now is to change your passwords if you use any of these platforms and also activate Two-Factor Authentication, which adds another layer of security to logging in by sending a secure code to your phone or email.
The unprotected database was managed by World Host Group, a web hosting and domain name provider founded in 2019.
It operates over 20 brands globally, offering cloud hosting, domain services, and technical support for businesses of all sizes.
Once Fowler confirmed that the exposed information was genuine, he reported the breach to World Host Group, which shut down access to the database.
Seb de Lemos, CEO of World Host Group, told WIRED: ‘It appears a fraudulent user signed up and uploaded illegal content to their server.’
Fowler said ‘the only thing that makes sense’ is that the breach was the work of a cybercriminal because there’s no other way to gain that much access to information from so many servers around the world.
The cybersecurity expert warned that this particular breach also poses a major national security risk.
Exploiting government email accounts could allow hackers and foreign agents access to sensitive or even top-secret systems.
The stolen data could also be used as part of a larger phishing campaign, using one person’s hacked account to gain private information from other potential victims.
