Massive 26 Billion Record Leak: Dropbox, LinkedIn, Twitter All Named


Security researchers have warned that a database containing no less than 26 billion leaked data records has been discovered. The supermassive data leak, or mother of all breaches as the researchers refer to it, is likely the biggest found to date.

01/23 updates below. This article was originally published on January 22.

Here’s What You Need To Know

According to researchers from Security Discovery and CyberNews, the newly discovered database of leaked data runs to 12 terabytes in size and deserves the MOAB title.

The research team thinks that the 26 billion record database, found on an open storage instance, will likely have been compiled by a malicious actor or data broker. “Threat actors could leverage the aggregated data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts,” they say.

As well as data from Chinese messaging giant Tencent and social media outfit Weibo, records from users of platforms and services such as Twitter, Dropbox, LinkedIn, Adobe, Canva and Telegram are also to be found in this database. Worryingly, the researchers also say that records from an assortment of U.S. and other government organizations can be found.


If there is good news to be found in such a discovery, it is that little of this appears to be new data. Instead, the researchers say, it’s more a case of compiled records from thousands of previous breaches and data leaks. What’s more, there are undoubtedly a large number of duplicate data records within this compilation. The inclusion of usernames and password combinations does, however, still mean this is a cause for concern. I’d expect a surge, if current levels aren’t high enough, in credential stuffing attacks over the coming weeks as a result.

Here’s What You Need To Do

“We should never underestimate what cybercriminals can achieve with such limited information,” Jake Moore, global cybersecurity advisor at ESET, says. “Victims need to be aware of the consequences of stolen passwords and make the necessary security updates in response,” Moore continues, “this includes changing their passwords, being alert to phishing emails following the breach, and ensuring all accounts, whether affected or not, are equipped with two-factor authentication.”

01/23 update: I have reached out to LinkedIn, Dropbox and Twitter/X for statements. Dropbox is dealing with my inquiry currently, Twitter/X sent a reply saying it was busy, but at least I didn’t get a poo emoji. A LinkedIn spokesperson told me: “We are working to fully investigate these claims and we have seen no evidence that LinkedIn’s systems were breached. You can find more information on how we keep members safe from scraping here.” Meanwhile, several security experts have now commented on the implications of this database being out there.

Adam Pilton, cybersecurity consultant at CyberSmart: “This is a huge amount of data. In the physical world, 12 terabytes are equivalent to 15,600 filing cabinets. Individuals who believe they are affected should change their passwords. We must all assume, though, that some of our data is held in this data set; as such, we must take action to protect ourselves, too. Enabling two-factor authentication is a significant step in protecting ourselves against attacks that involve breached credentials.”

Josh Hickling, principal consultant at Pentest People: “I would expect over the coming days that people will be targeted with Phishing mail utilizing this breach to masquerade their agenda somewhat. This will likely come in the form of coercing users into divulging credentials for other applications/sites by instilling fear that their credentials have been discovered in this breach when they most likely haven’t. It is certainly a time to stay vigilant for signs of compromise and opportunistic email threats.”

Richard Bird, chief security officer of Traceable AI: “Maybe it finally takes something like a MOAB to get the U.S. Government and the companies that operate within its borders to wake the heck up. We live in a nation with no national data privacy laws, no incentives for companies to be protectors of the data that they are trusted with, and no disincentives that seem to work. A list like this will only create more victims who will have to sort out the damages done to them on their own, with no consequences for the companies that gave that data away in the first place.”

Although the data from this latest breach and leak compilation discovery has yet to be entered, you can use this free leak checker tool at CyberNews. This will reveal earlier instances where your email address has been leaked, including some of the services from the MOAB database. You can also use the free Have I Been Pwned service.


Above all else, though, don’t panic. If you maintain good credentials hygiene, using strong and unique passwords that are not reused elsewhere, as well as two-factor authentication where available, you should be safe. If you don’t, now is a great time to start.
