If you thought the May 23 announcement of a staggering 184 million compromised logins was scary, sit back. The largest data breach to date has just been confirmed - an almost unbelievable 16 billion compromised logins, including passwords, writes forbes.com.
Investigators suspect that the data leak that began earlier this year was the work of multiple information thieves. Here's what you need to know and do.
Compromising passwords is no joke; it compromises accounts and almost everything you hold dear in this tech-centric world we live in. Millions of stolen passwords are being sold.
That's why Google is urging billions of users to replace their passwords with much more secure access keys.
That's why the FBI is warning against clicking on links in SMS messages.
According to Vilius Petkauskas of Cybernews, whose experts have been investigating the leak since the beginning of the year, “30 data sets containing from tens of millions to over 3.5 billion records each“ have been found. In total, Petkauskas confirmed, the number of compromised records has now reached 16 billion. which is considered the largest such leak in history.
The 16 billion data leak, stored in a number of supermassive data sets, includes billions of logins from social media, VPNs, developer portals and user accounts for all major providers. Notably, none of these data sets have been reported as leaked before; they are all new data. The one exception is the 184 million password database mentioned at the beginning.
"This is not just a leak - it's a plan for mass exploitation," the investigators say. And they're right. These aren't just old breaches being recycled. This is new, large-scale intelligence that can be weaponized."
Most of this information is structured in the format of a URL followed by a login and password. The information contained, according to investigators, opens the door to “almost every online service you can imagine, from Apple, Facebook, and Google to GitHub, Telegram, and various government services.“
Darren Guccione, CEO and co-founder of Keeper Security, a privileged access management platform, believes that this password leak is a fitting reminder “how easy it is for sensitive data to be inadvertently exposed online“.
This may just be the tip of the biggest security iceberg waiting to break in the online world.
Just imagine how many exposed credentials, including passwords, are sitting in the cloud or, more precisely, in misconfigured cloud environments, waiting for someone to discover them.
If we're lucky, that someone will be a security professional who responsibly discloses the exposure to the owner or host; if not, then it will be a malicious player.
Who would you bet your money on?
“The fact that the credentials in question are of high value to widely used services carries with it long-term consequences,“ Guccione said, which is why it is more important than ever for users to invest in password management solutions and dark web monitoring tools. The latter can help by alerting users when their passwords have been exposed online, hopefully allowing them to take direct action and update their account logins if the password has been reused across services.
Organizations should not shy away from investment. They should consider adopting security models that provide privileged access controls to limit risk.
What happened shows that cybersecurity is not just a technical challenge, but a shared responsibility. “Organizations must play their part in protecting users,“ said Jawad Malik, lead security expert at KnowBe4, “and individuals must remain vigilant for any attempts to steal login credentials. Choose unique passwords and implement multi-factor authentication where possible.“
Change your account passwords, use a password manager, and switch to access keys where possible. Now is the time to take this seriously, don't wait until your passwords appear in these current leak datasets.
Take care of your password security now!