“Mother of All Breaches” Data Leak Pulls Together 26 Billion Records From Thousands of Prior Breaches

In recent months, the appearance of the massive “Naz.API” dataset in public circulation raised fears of a monster “combo file” that would pull together searchable information from all prior data leaks. It now appears that the “Mother of All Breaches” (MOAB) already exists, discovered by security researchers in an internet-facing open instance kept by an unknown party.

The 1.2 terabyte file is broken up into over 3,800 folders, each one representing a prior data leak that saw personal information or credentials make their way to the open internet. In total there are over 26 billion records. Because of the massive amount of information present, it is not yet entirely clear if the MOAB has never-seen-before data in its stores.

Centralized data leak collection was inevitable

The discovery comes from security researcher Bob Dyachenko of SecurityDiscovery.com and Cybernews, which is hosting a searchable list of the included breaches at its website.

However, it’s safe to assume that if a data leak took place in roughly the last 10 or 15 years you will find at least some of its contents in the MOAB. The sprawling archive contains an apparent combination of breaches of Tencent’s services that totals about 1.5 billion records, the 538 million Weibo leak that appeared on dark web forums in 2020, the 2016 leak of 316 million older Myspace passwords, the early 2023 leak of 281 million Twitter email addresses, and 251 million records from one of LinkedIn’s wave of breaches, among many other examples.

“Combo files” that bring these sorts of data leaks together for criminal convenience are nothing new, dating back to the appearance of the “Collection” files on the dark web in 2019 (if not before). This is by far the largest one yet encountered, however, at almost 10 times the size of the prior record-holder.

It was inevitable that someone would try to create a massive compendium of all of this illicit data floating around, but it remains unknown who was paying for the storage space for all of this and what their purpose was for it. The file does not appear to have been advertised on dark web forums or the usual gathering places for cyber criminals, but given that it was open to the internet it is unknown who else has accessed it.

Tamara Kirchleitner, Senior Intelligence Operations Analyst at Centripetal, notes that cyber criminals will necessarily become more organized as more pressure is applied to them: “Personal data can remain vulnerable for years, highlighting the need for continuous monitoring and updating of security protocols. Additionally, this event highlights the evolving nature of cyber threats. Cybercriminals are becoming more sophisticated, taking advantage of advanced techniques to aggregate and analyze data from multiple sources. This calls for a proactive approach to cybersecurity, where strategies and defenses are regularly reviewed and updated in response to the ever-evolving threats. Finally, it’s crucial for organizations to prioritize data protection and invest in comprehensive cybersecurity strategies. This includes awareness training, secure password managers, security audits, robust encryption, and incident response plans. Collaboration and information sharing between cybersecurity experts are also crucial in combating large-scale cyber threats.”

Growing data leak availability makes case for MFA, password managers

The complete impact of the MOAB data leak is still being assessed, and the number of unique records will likely come down as security researchers comb through it and find duplicate credentials or personal information entries. But as Naz.API demonstrated, it may also contain previously non-public stolen data. And in total, it will still likely stand as the biggest release of stolen digital information by far.

At minimum, the collection likely means a near-term surge in credential stuffing attacks. Unlike the usual breach disclosure, the involved party here is likely a threat actor or data broker. It remains to be seen if the news will cause them to cut off access. If they do not, other threat actors will almost certainly follow the tracks (likely with something as simple as judicious use of SHODAN) to also obtain it. It may have already been found in this way prior to the public disclosure.
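As an added example (not code from the article or from any vendor quoted in it), this is the credential-stuffing signature a defender would watch for after a combo file like this circulates: many distinct usernames from one source in a short window, most failing because the leaked passwords are stale. The log format, thresholds and addresses are constructed assumptions.

```python
# Added example: flag the credential-stuffing pattern in constructed auth logs.
# Log format (timestamp, source IP, username, outcome) and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries six different accounts in seconds
# (one stale-but-still-valid password lands); 198.51.100.2 is one user mistyping.
SAMPLE_LOG = """\
2024-01-23T10:00:01Z 203.0.113.7 alice@example.com FAIL
2024-01-23T10:00:02Z 203.0.113.7 bob@example.com FAIL
2024-01-23T10:00:03Z 203.0.113.7 carol@example.com FAIL
2024-01-23T10:00:04Z 203.0.113.7 dave@example.com SUCCESS
2024-01-23T10:00:05Z 203.0.113.7 erin@example.com FAIL
2024-01-23T10:00:06Z 203.0.113.7 frank@example.com FAIL
2024-01-23T10:05:00Z 198.51.100.2 alice@example.com FAIL
2024-01-23T10:05:20Z 198.51.100.2 alice@example.com FAIL
2024-01-23T10:05:40Z 198.51.100.2 alice@example.com SUCCESS
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "SUCCESS"

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, failure_ratio)} for sources that look like stuffing.

    Stuffing differs from a brute force: many *different* usernames from one source,
    each usually tried once, with a high failure rate. A single user failing
    repeatedly (a typo, a forgotten password) is deliberately not flagged.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide a window over this source's events; flag on the first window that matches.
        for i, (start, _, _) in enumerate(evs):
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_win}
            fails = sum(1 for _, _, ok in in_win if not ok)
            ratio = fails / len(in_win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), round(ratio, 2))
                break
    return flagged
```

The same per-source view also surfaces the successful logins inside a flagged window, which are the accounts to force a reset and step-up to MFA on.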

The lone silver lining thus far appears to be that new information has not been found. The included data leaks have already gone public, some over a decade ago. But convenience will always attract more threat actors and perhaps entice them to pursue smaller targets they wouldn’t have otherwise bothered with.

Doriel Abrahams, Principal Technologist for Forter, expands on the dangers that these mega-files present: “Although the common assumption with this leak is there’s nothing ‘new,’ this COMB is extremely beneficial for bad actors. Since they can leverage this data to validate whether users have similar or identical passwords across multiple platforms, they can attempt ATOs on other sites not part of the current leak. Knowing which platforms users frequent is a superpower for social engineering scammers. They can be more targeted and, ultimately, effective. While companies can always double down on information security, consumers should take this time to do their due diligence on the companies that have access to their data. To prevent ATO, consumers should ensure they’re using different passwords for each site. Ideally the passwords are completely different but even swapping out a character or two can make it a lot more difficult for bad actors. And always be vigilant when asked for information via email or phone.”

And while only a minority of the MOAB data leak entries contain plaintext passwords, Tony Anscombe (Global Security Evangelist at ESET) notes that convenient compilations of contact and personal information also mean an inevitable uptick in crime attempts: “We should never underestimate what cybercriminals can achieve even with such limited information. Victims need to be aware of the consequences of stolen passwords and make the necessary security updates in response. This includes changing their passwords, being alert to phishing emails following the breach, and ensuring all accounts, whether affected or not, are equipped with two-factor authentication. Many systems share platforms and are aggressively attempted with the latest attacks. Lots of networks rely heavily on updates, but when a vulnerability is located, it is a race against time to patch the issue before the data is compromised. Alternatively, attackers can often target a system and remain under the radar in stealth mode, monitoring activity and deciding on what and when to pounce.”

Attempts of this sort will continue as long as password re-use remains common, and password reuse will remain common as long as people are expected to juggle an average of about 100 login credentials to navigate their modern life. Very recent studies present disheartening numbers: about 60% of people can still be expected to reuse passwords, around 15% will use one password for absolutely everything they do online, and even the majority of IT professionals will email a password in plaintext on occasion. Annual “Top 10” lists of most-used passwords also continue to be strewn with “123” variations and the words “qwerty” and “password” modified just enough to meet website character requirements.