‘Mother of all breaches’ leaks 26 billion stolen records

A massive data leak of over 26 billion records from sites including the likes of X (formerly Twitter), Dropbox, and LinkedIn has been named the “mother of all breaches” by experts.

The attack — which was discovered by researcher Bob Diachenko of securitydiscovery.com, as revealed by Cyber News — appears to have effected more than 26 billion personally identifiable bits of information, with some of the biggest websites in the world falling victim.

China’s social media giant Tencent is reportedly the largest victim, with 1.5 billion records leaked from its social media and gaming platforms, while 360 million leaked from MySpace, and 281 million from X.

Many governments — including the US, Brazil, Germany, the Philippines, and Turkey — have also fallen victim.

Though it is unclear who is responsible for the hack, researches believe it could be a malicious actor, data broker, or service that works with large amounts of data, and it was not a singular new breach, but a collection of earlier breaches.

2024 Informed: Ten cyber security trends

“The dataset is extremely dangerous as threat actors could leverage the aggregated data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorised access to personal and sensitive accounts,” the researchers said.

It added that while it identified 12TB (terabytes) of records, duplicates are highly likely. However, the data is much more sensitive than just credentials, and valuable for malicious actors.

“Malicious actors are able to leverage these breached credentials at scale to conduct credential-stuffing attacks against other services and company accounts in an attempt to gain access to additional systems via reused passwords,” adds Christian Scott, COO and CISO of Gotham Security.

“This information allows malicious actors to infer commonly used passwords by staff at an organisation to perform curated password spraying attacks,” Scott added.

“This underscores the importance for staff not to leverage reuse passwords, employ long passphrases, change compromised passwords, and implement multi-factor authentication in as may places as possible.”

How to avoid data leaks in your organisation

While large organisations took the biggest hit in the Mother of all Breaches, dozens of small firms were also identified in the leak.

Scott advises companies that do not yet have a robust corporate password management solution in place with automatic credential break and leaking monitoring to utilise ‘HaveIBeenPwned’s free domain search tool to discover if they have been victim of any kind of data leak.

“Additionally, organisations shouldn’t consider multi-factor authentication as a fool-proof strategy for preventing staff from being compromised,” he adds.

“It’s important to implement features like Impossible Travel Detection (identifying if a login has taken place in an unusual location), Device-based Conditional Access Policies (using another, trusted device to gain access), and Additional Login Context with reverse number matching,” Scott adds.

Lastly employees need to consider their personal security posture: “Attacking individuals to get a foothold into a greater organisation is a standard technique employed by malicious actors.”