
The Mother of All Breaches?
Yeah, that’s what some people are saying: the “Mother of All Breaches” (MOAB). What does that mean? What happened? The security researcher Volodymyr “Bob” Diachenko, in collaboration with the Cybernews team, recently discovered a massive data breach with more than 26 billion records. This is more than three times the number of human beings on Earth today. But has this finding been properly named? Let’s start by highlighting what has been discovered in this gargantuan amount of data.
Researchers say it is mainly passwords and user data from applications such as LinkedIn, Twitter/X, Wattpad, Evite, Adobe and Weibo, among others. But the first place among all of them goes to Tencent QQ, a Chinese instant messaging software, accounting for about 5.8% of the total “MOAB.” This data breach also contains records of government agencies from the U.S., Germany, Brazil, Turkey, and other countries. What the research team specifically found in an “open instance” was a judiciously organized database with nearly 4,000 folders taking up around 12 terabytes. The thing is that each folder contains records of a separate data breach, many of which had already been reported previously.
So, although it was the researchers who apparently dubbed it “MOAB,” this finding looks more like a database of multiple data breaches. The team even expressed that it is highly probable that there are duplicates in that database but that there seems to be new user data included anyway. Nonetheless, instead of saying the “mother of all data breaches,” I think it is more appropriate to call it “the largest compilation of multiple breaches,” as curiously Cybernews later referred to it in its own publication.
OK, but where did all that data come from? When I first read about this discovery, there was no criminal group providing information about its responsibility. But today, January 26, Malwarebytes said in an updated post that the source of the dataset was Leak-Lookup. Believe it or not, this is a data breach search engine that “allows you to search across thousands of data breaches to stay on top of credentials that may have been compromised.” And precisely, Leak-Lookup shows on its website a total of about 26 billion records, corresponding to 4,176 breaches.
So, did the breach (or should we say the leak?) happen to a company that has collected and is collecting data breaches? (I had forgotten for a time the risk exposure these data aggregation services pose.) Affirmative. In fact, Leak-Lookup posted on its X account on January 23 that the whole issue was the product of a firewall misconfiguration on their systems that they had already fixed. According to Malwarebytes, the affected company said the initial access to its dataset was gained in December last year.
Let’s face it. It all sounds bizarre. Leak-Lookup’s post even began with the phrase, “We certainly weren’t expecting that publicity.” What does that mean? I smell a rat here. But, well, I’d rather not go around with speculations, at least not anymore.
Anyway, knowing that there is a lot of sensitive data floating around the Internet, possibly including yours, that malicious actors can leverage for attacks such as targeted phishing, credential stuffing, and identity theft, we invite you to keep in mind the following, for some perhaps already trite, recommendations:
- If you want, you can start by visiting sites like Have I Been Pwned or the Cybernews data leak checker (is this suspicious? Stop it!) to check if any of your login information or other personal details are public because of breaches. However, these databases may not yet be up to date with what are supposed to be the new breaches within the “MOAB.”
- Whether or not you have seen your accounts registered as affected on sites like these, change your passwords as soon as possible. This is something you should, in fact, do frequently, say, every month.
- If you are still using simple passwords such as “123456” or “password1” for any application or service, please change them too. But hey, it is not just changing them from “password1” to “password2” or doing any similar monkey business. We’ll not get tired of repeating this: create passwords or passphrases with more than 12 characters, using at least one uppercase letter, one lowercase letter, one symbol and one number.
- Don’t use the same password across different applications. If your trouble is that you have many passwords to remember, it would be better to use a password manager such as 1Password.
- Enable two-factor or multi-factor authentication. Thanks to this, if malicious actors have one of your credentials, they would also need access to your other passwords or even one of your personal devices in order to cause damage. This strategy is like adding another layer of security to your daily IT usage.
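As an added example (not part of the original post), here is how a breached-password check like the one Have I Been Pwned offers works without the password itself ever leaving your machine: only the first five hex characters of its SHA-1 are sent, the service returns every suffix it knows for that prefix, and the comparison happens locally. It also applies the post’s length-and-character rule. The server reply is a constructed stand-in (`fake_fetch_range`, with invented counts) so the code runs offline; only the hashing and parsing mirror the real range API.

```python
"""Added example: the k-anonymity lookup behind Have I Been Pwned's Pwned
Passwords range API (https://api.pwnedpasswords.com/range/{prefix}), shown
offline against a constructed stand-in for the server's response."""
import hashlib
import re

PREFIX_LEN = 5   # only these hex chars of the SHA-1 leave the client
MIN_LENGTH = 12  # the post's advice: more than 12 characters

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the server, suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range query returns."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 40 - PREFIX_LEN:  # skip blank/garbled rows
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """How often the password appears in the corpus (0 = never seen)."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def meets_policy(password: str) -> bool:
    """The post's rule: more than 12 chars with upper, lower, digit, symbol."""
    return (len(password) > MIN_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

def fake_fetch_range(prefix: str) -> str:
    """Constructed stand-in for the HTTP call; it knows one prefix only.
    The suffix of 'password1' is real, neighbours and counts are invented."""
    weak_prefix, weak_suffix = split_hash("password1")
    if prefix != weak_prefix:
        return ""
    neighbours = [sha1_hex(f"constructed-{i}")[PREFIX_LEN:] for i in range(3)]
    rows = [f"{weak_suffix}:2500000"] + [f"{s}:{i + 1}" for i, s in enumerate(neighbours)]
    return "\r\n".join(rows)
```

Against the real service you would replace `fake_fetch_range` with an HTTPS GET of the range URL for the prefix; the local comparison stays the same.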
Are you a Fluid Attacks customer and have not yet downloaded our VS Code extension? We invite you to do so to take advantage of automatic vulnerability remediation through generative AI.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Ruiz. Read the original post at: https://fluidattacks.com/blog/the-mother-of-all-breaches/