And you thought last week’s Naz.API leak was massive? You ain’t seen nothin’ yet: “MOAB” is 25 times the size. And it’s not just stolen credentials, either.
But is this week’s PII data lake really the “mother of all breaches”? Or is it merely a compilation of older stuff?
Volodymyr “Bob” Diachenko led the research team. In today’s SB Blogwatch, we sift fact from clickbait.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Gary.
What’s the craic? Vilius Petkauskas broke the story—“Mother of all breaches reveals 26 billion records”:
“Far more information”
There are data leaks, and then there’s this: A supermassive Mother of all Breaches. [It] contains data from numerous previous breaches, comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records. … The leak’s scale is of yet-unseen proportions.
The leak, which contains LinkedIn, Twitter, Weibo, Tencent, and other platforms’ user data, is almost certainly the largest ever discovered: … Billions upon billions of exposed records on an open instance whose owner is unlikely ever to be identified. … While the leaked dataset contains mostly information from past data breaches, [there’s] a very high probability the MOAB contains never seen before information.
…
[It] contains far more information than just credentials — most of the exposed data is sensitive and, therefore, valuable for malicious actors. … The leak also includes records of various government organizations in the US, Brazil, Germany, Philippines, Turkey, and other countries.
Time to freak out? Amanda Yeo says no—“Don’t freak out: You’ve probably been impacted, but it isn’t as bad as it sounds”:
“It’s a good reminder”
This is undoubtedly bad news. It’s never good to have your personal data left exposed online, where anyone can find and utilize it for nefarious purposes. However, … if you’ve kept up to date on your security, you should have little more to fear than you did yesterday.
…
Even so, this doesn’t mean you should be complacent. … It’s a good reminder to refresh your security hygiene. … You can use tools such as Have I Been Pwned or Cybernews’ data leak checker to find out whether you’ve been the victim of a data breach. And if you haven’t already, consider using a password manager [which] will make using unique passwords for all your accounts a lot easier.
Horse’s mouth? Volodymyr “Bob” Diachenko:
Every single data breach ever reported or sold was carefully collected by an unknown actor and left in a misconfigured instance. I’d say it is even bigger than … HIBP.
Size aside, it’s yet another breach. hdlothia just sighs:
The people who calculate that it’s more cost effective to deal with the hit from a security breach—vs. spending money on good security—have won. I have gone from feeling outraged to completely numb to these kinds of disclosures, and have pretty much just assumed that my information will inevitably be leaked.
…
Does anyone else feel this way? I just keep a close eye on my financial statements and hope for the best.
Keep calm and carry on? Here’s u/TheRatingsAgency:
Ahh joy. … The future is now: Massive data breaches, zero accountability. … Oh, but it’s the user’s fault for not changing that password—right, 23andMe?
Wait. Pause. Is 26 billion a big number? croes does the math:
8 billion people on Earth, 26 billion records: More than 3 per person.
What should we do about it? Heed u/fishfighter85’s analysis:
The bad thing about this breach is it contains [many] past breaches in one spot. You can cross reference every breach for email addresses and see what passwords are being used. If you find that the passwords are … the same, you can perform a stuffing attack and use that information on every known website to see if it works. Boom.
…
Change your passwords.
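As an added defender-side illustration (not from the original post or any of the quoted commenters), the reuse-then-stuff pattern u/fishfighter85 describes leaves a recognisable trace in authentication logs: one source cycling through many distinct accounts in a short window with few successes. The log format, thresholds and sample lines below are constructed assumptions, not any real service’s data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines (not real data). 203.0.113.7 cycles through many
# distinct accounts in seconds with mostly failures: the signature of stuffing
# reused credentials pulled from a compiled dump. 198.51.100.2 is a normal user.
SAMPLE_LOG = """\
2024-01-23T10:00:01 login user=alice src=203.0.113.7 result=FAIL
2024-01-23T10:00:02 login user=bob src=203.0.113.7 result=FAIL
2024-01-23T10:00:02 login user=carol src=203.0.113.7 result=SUCCESS
2024-01-23T10:00:03 login user=dave src=203.0.113.7 result=FAIL
2024-01-23T10:00:04 login user=erin src=203.0.113.7 result=FAIL
2024-01-23T10:00:05 login user=frank src=203.0.113.7 result=FAIL
2024-01-23T10:00:09 login user=alice src=198.51.100.2 result=FAIL
2024-01-23T10:00:15 login user=alice src=198.51.100.2 result=SUCCESS
"""

# Assumed (constructed) log line layout; adapt the pattern to your own auth logs.
LINE_RE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(\w+)$")

def parse_events(log_text):
    """Yield (timestamp, user, src_ip, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            yield datetime.fromisoformat(ts), user, src, result == "SUCCESS"

def find_stuffing_sources(log_text, min_users=5, window_s=60, max_success_rate=0.5):
    """Flag source IPs that hit >= min_users distinct accounts within window_s
    seconds with a low success ratio. Returns {src: {"users": n, "hit": [...]}};
    "hit" lists accounts the source logged into successfully (reset those first)."""
    by_src = defaultdict(list)
    for ts, user, src, ok in parse_events(log_text):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            window = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            users = {u for _, u, _ in window}
            hits = sorted({u for _, u, ok in window if ok})
            rate = sum(ok for _, _, ok in window) / len(window)
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[src] = {"users": len(users), "hit": hits}
                break
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The accounts in `hit` are the ones where a reused password actually worked, which is exactly the signal to drive forced resets and step-up authentication for those users.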
And use 2FA. godelski just laughs:
It is an absolute joke that my GitHub account is more secure than any banking service I use. How is it that the only 2FA they offer is text message? A method that’s been known to be terrible for over a decade now. Where are my OTPs? They give me apps on my phone, why not push verification there?
…
Sure, I get that you still got to service grandma and grandpa, but at least give me something. … Something is very wrong: … Dinky little websites implement better security than most banking services.
Mother? u/PassionFruitJam prefers NOW:
I get that having access to all this historic leaked data in a single place makes it convenient for those that want to try and easily reuse it etc. But it’s not really the MOAB is it?
…
Not saying it’s not an interesting story, but the headlines claiming a ‘data leak of 26 billion credentials’ … are basically clickbait. [It’s] like counting a ‘Now That’s What I Call Music’ album as ‘the greatest album of all time.’
Meanwhile, I wonder what altacc’s first thought was?
My first thought was, “Is this Troy Hunt’s hard drive?”
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.