‘Mother of All Breaches’: 26 BILLION Records Leaked

Expert insight from Leon Teale into the implications of this historic data breach

The security researcher Bob Diachenko and investigators from Cybernews have discovered an open instance with more than 26 billion data records, mostly compiled from previous breaches – although it likely also includes new data.

Organisations associated with these data records include:

  • Tencent QQ – 1.4 billion records;
  • Weibo – 504 million records;
  • Myspace – 360 million records;
  • X/Twitter – 281 million records;
  • Deezer – 258 million records;
  • LinkedIn – 251 million records;
  • AdultFriendFinder – 220 million records;
  • Adobe – 153 million records;
  • Canva – 143 million records;
  • VK – 101 million records;
  • Dailymotion – 86 million records;
  • Dropbox – 69 million records;
  • Telegram – 41 million records; and
  • Various public bodies, including in Brazil, Germany, the Philippines, Turkey and the US.

The data is more than mere credentials, too – according to Cybernews, most of the exposed data is sensitive.

Given the extraordinary scale of the data breach, it’s been dubbed the ‘MOAB’ (mother of all breaches). In total, 3,876 domain names were included in the exposed data set.

Leon Teale is a senior penetration tester at IT Governance with more than ten years’ experience performing penetration tests for clients in various industries all over the world. Leon has also won hackathon events in the UK and internationally, and is accredited for multiple bug bounties.

We sat down with him to find out more about the implications of this historic data breach in this special edition of Expert Insight.

Thank you so much for your time again! What do you make of this breach? Are you surprised by its scale?

Unfortunately, this new mega breach didn’t really surprise me. I’d almost say that I was expecting it.

Once in a while, we seem to hear of yet another massive data leak, each even bigger than the last. This also makes sense – as user bases only get larger, it stands to reason that data leaks will too.

These types of leak used to be coined ‘COMB’, which stands for ‘compilation of many breaches’. This one has been dubbed ‘MOAB’, but isn’t fundamentally different to these COMBs.

For instance, last year, we saw a massive 3.8 billion records breached at DarkBeam. In 2021, we saw a leak of 3.27 billion records. But I must admit: 26 billion is taking things to another level.

Yes, in 2023, across the full year, we ‘only’ found 8.2 billion records breached. But are these breaches really as bad as they seem? Surely a data set of this size contains a lot of duplicates or old records?

Oh yes, no doubt – the research team that discovered this MOAB specifically mentioned that duplicates were highly likely with the size of this data set. Nevertheless, even if, say, 10% of these records are unique, you’d still be looking at 2.6 billion records breached – an extraordinary amount that clearly impacts a lot of people.

The fact that many of those records may have been breached a long time ago doesn’t really help matters. Data leaks from years ago are still being used today to compromise accounts, telling us that many people don’t change their password after a breach, or even at some regular frequency.

In my work as a penetration tester, I scour for leaks like this. I search for clients’ corporate email addresses to find associated credentials and often discover them to be valid on their corporate systems. This process can be surprisingly fast: in a database of more than 3 billion records, a specific email can return instant results. If I supply a wildcard [e.g. @organisationname.co.uk], it can take 10–20 minutes to finish searching.*

Either way, I can find those associated credentials even though the leaks aren’t from that specific organisation. But the credentials work anyway because people have terrible password habits, either using the same password for different accounts, or using obvious password variations like ‘Summer2022’, ‘Summer2023’, etc.

*Note: This time can be drastically reduced if the computer’s processing power is increased.

In my research work for IT Governance, I’ve noticed a pattern where the same names repeatedly crop up. For instance, I’ve logged ‘Microsoft’ four times in the past three months. Presumably, this isn’t a coincidence?

I’ve observed certain organisations getting breached more often than others, too. Especially third-party organisations – so IT service providers and software companies, such as Microsoft, but also LinkedIn and other platforms, which are, of course, included in this MOAB.

My best guess is that these are more lucrative targets to criminals. This is from a direct perspective – to enable a supply chain attack, for example – but also because of poor password habits. Mind you, criminals would probably be more interested in targeting, say, LinkedIn than Instagram, because this is more likely to give them access to work-related accounts and, by extension, big corporate databases.

So, even old credentials are useful to organisations because they could still be valid today. But, allegedly, the MOAB mostly includes sensitive data.

Yes, and having sensitive data leaked poses an even bigger risk than a credential leak, as it can include medical records, which often remain valid even when years or even decades old.

But whatever the nature of the personal data, it can all lead to identity theft, financial fraud and reputational damage. Even if the information is outdated, it can be used in social engineering attacks, or even for blackmailing opportunities, especially in the case of medical information.

You’d think that organisations that hold such sensitive data would make more of an effort to secure it!

Quite. Organisations should always have the mindset that a breach is inevitable. This forces them to take security and mitigation seriously.

Things such as encrypting databases containing usernames and passwords, never mind sensitive information, are paramount. That way, if they’re leaked, even if only by accident, the plaintext passwords aren’t easily accessible without significant resource to try to crack the encryption.

What else can organisations do to protect themselves?

For starters, user accounts should have MFA [multifactor authentication] enabled where possible – not just at work, but also at home. Although this won’t prevent criminal hackers from getting your password, it’ll help stop them from accessing your account.

It’s also important to not reuse passwords, and choose a strong password to begin with. Better still: use a passphrase rather than a password by, for example, using the ‘three random words’ technique.

Organisations should educate staff on such best practices through, for example, staff awareness training. They should also consider allowing the use of password managers, so staff only have to remember one strong password. This encourages them to use unique and secure passwords for all their accounts.

Where organisations want to go the extra mile, they can also consider implementing a best-practice standard such as Cyber Essentials or ISO 27001. Naturally, given my profession, I also strongly encourage penetration testing! This is an excellent way of getting insight into the specific risks that affect your organisation. We always deliver a detailed report to clients after we’ve finished the tests, which outlines the risks by business priority and provides remediation advice.

External Infrastructure Penetration Test

To benefit from expert insight such as Leon’s into your organisation’s external infrastructure, why not book an External Infrastructure Penetration Test?

  • Mitigate the threat from opportunistic and targeted attacks with our advanced testing techniques.
  • Identify vulnerabilities within your public-facing infrastructure and act promptly with our prioritised action plan and remediation guidance.
  • Work with one of the leading penetration testing companies in the UK, offering one-to-one expert advice at any stage of the engagement.

We hope you enjoyed this special edition of our ‘Expert Insight’ series. We’ll be back on Friday, as usual, chatting to another expert within the Group.

In the meantime, if you missed it, check out last week’s blog, where DQM GRC’s head of consultancy, Louise Brooks, gave us her expert insights into how you can meet the cookie rules without compromising your business objectives.