“The mother of all breaches”-Malwarebytes Offering Free Identity Scan

Jackson_Slugger


“The mother of all breaches”: 26 billion records found online

Posted: January 23, 2024 by Pieter Arntz

Security researchers have discovered billions of exposed records online, calling it the “mother of all breaches”.
However, the dataset doesn’t seem to be from one single data breach, but more a compilation of multiple breaches. These sets are often created by data enrichment companies. Data enrichment is the process of combining first party data from internal sources with disparate data from other internal systems or third party data from external sources. Enriched data is a valuable asset for any organization because it becomes more useful and insightful.
The researchers stated:
“While the team identified over 26 billion records, duplicates are also highly likely. However, the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors.”
In other news about leaked personal data, a cybercriminal going by the name of “emo” claims they have 15 million unique records of project management tool Trello accounts for sale.
Trello is used by many organizations, so it understandably raised some concerns.
Atlassian, the company that runs Trello, however, denies there has been a breach. It seems as if someone has used a large collection of email addresses and tested it against Trello.
This brings us to the question: when do you call a giant leak of personal information a breach, and when don’t you?
A definition of a breach that makes sense to me is this one:
“A breach is an incident where data is inadvertently exposed in a vulnerable system, usually due to insufficient access controls or security weaknesses in the software.”
So you might say that the exposing of billions of records was a breach because it is unlikely the instance was left open on purpose. After all, that amount of data can be sold for a pretty penny.
And Atlassian can safely say it was not breached, since the criminals used an existing feature. Maybe in larger numbers than intended, but why admit you shouldn’t have allowed it?
Some people will say that a data breach can only be the result of a hack and everything else is a leak. If you look at it that way, neither one of the datasets came from a breach. One set was stumbled upon and the other was created by using a legitimate API.
But to those affected the end result is pretty much the same whether your data was leaked in a breach, accumulated by scraping, or gathered by a data enrichment company. Your information is out there in the open for every cybercriminal to use at their perusal.
If you want to find out if your data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.
You might be surprised. Remember though that it’s not embarrassing to you if your email address was found in a breach, but it is good to know if it was and where a password may have been included.
We found 9 breaches including one exposed password

If the passwords it throws up at you look familiar, it would be a good idea to change the password where you’ve used it, enable 2FA, and check if it’s been re-used for other accounts.
Scammers are very good at using information found in breaches in social engineering attacks. Even the fact that your data may have been leaked in a breach is something scammers will readily use to launch a phishing attack and see what more they can find out from you.
Last year, over 2,000 companies and government entities reported data breaches impacting over 400 million personal accounts. Set up Identity Monitoring to get alerts whenever your data is exposed in a new breach.
 
That's a handy lookup tool. Fortunately I only have two breaches, but that's two too many. It would be nice if they listed which companies had the breach.
 
I got the report in an email this morning. Said an old password I used to use was compromised in 6 instances. But everything has long since been changed...

Some security suites offer credit monitoring and dark web scans, but they will only notify you and not do much. Keeping track of everything and changing passwords is a good idea. I haven't seen it mentioned, but you should log out of any Gmail account, log back in and change the password, although the logging out and in is the important part.
 
I download the database on a regular basis. I wrote a shell script that asks for a passwd input, hashes the passwd string, then greps (searches) for the string in the hundreds of millions of stolen passwords in the haveibeenpwned database. I do this to look for any of my passwords and for a bit of entertainment. You can type in almost any string imaginable under ten characters and it's in the database.

Use MFA such as text challenge, extremely long complex passwords from a utility like Passwordsafe and change the password on a schedule, FIDO2, etc. If you are not using one of these methods, then you are soon to be a victim.
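
The offline check described in the post above, as an added example that is not the poster's script: it hashes a password with SHA-1 and looks the digest up in a local file, so the password never leaves the machine. The `SHA1HEX:COUNT` line layout, the function names and the two-entry sample file are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not the poster's script. Assumed corpus format: one
# "SHA1HEX:COUNT" entry per line, upper-case hex, possibly CRLF-terminated.

# sha1_upper STRING: print the upper-case SHA-1 hex digest of STRING.
sha1_upper() {
    # printf '%s' hashes the string alone; echo would append a newline.
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum
    else
        printf '%s' "$1" | shasum -a 1
    fi | awk '{ print toupper($1) }'
}

# pwned_count PASSWORD FILE: print the occurrence count, or 0 if absent.
pwned_count() {
    hash=$(sha1_upper "$1")
    # Anchor on the full 40-character digest so partial matches cannot hit.
    line=$(grep -m 1 "^${hash}:" "$2" | tr -d '\r')
    if [ -n "$line" ]; then
        printf '%s\n' "${line#*:}"
    else
        printf '0\n'
    fi
}

# check_prompt FILE: read the password with terminal echo off, so it is
# never typed as a command-line argument or saved in shell history.
check_prompt() {
    printf 'Password to check: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    printf 'Seen %s time(s)\n' "$(pwned_count "$pw" "$1")"
    unset pw
}

# make_sample FILE: write a two-entry constructed corpus (counts made up).
make_sample() {
    {
        printf '%s:%s\r\n' "$(sha1_upper 'password')" 1000
        printf '%s:%s\r\n' "$(sha1_upper '123456')" 2000
    } > "$1"
}

# Demo on the constructed corpus; call check_prompt FILE for interactive use.
sample=$(mktemp)
make_sample "$sample"
pwned_count 'password' "$sample"
pwned_count 'correct horse battery staple' "$sample"
rm -f "$sample"
```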
 
Use MFA like text challenge, extremely long complex passwords from a utility like Passwordsafe and change the password on a schedule, FIDO2, etc. If you are not using one of these methods, then you are soon to be a victim.
As basic as text MFA is, it's better than nothing. I prefer using an authenticator and it enrages me how many financial institutions do not support authenticators.

I use Bitwarden and am currently in the process of changing every single password I have. I used LastPass and switched after their breach but I haven't gotten to changing everything, yes, way too long has passed. Fortunately, I'm not really "valuable" in terms of people to get hacked. Unfortunately, there was a lot more information in my LastPass than just some passwords.
 
As basic as text MFA is, it's better than nothing. I prefer using an authenticator and it enrages me how many financial institutions do not support authenticators.
I want to use my FIDO2 key to log into pretty much every financial account I have, not one institution supports FIDO2. Very irritating.

I use Bitwarden and am currently in the process of changing every single password I have. I used LastPass and switched after their breach but I haven't gotten to changing everything, yes, way too long has passed. Fortunately, I'm not really "valuable" in terms of people to get hacked. Unfortunately, there was a lot more information in my LastPass than just some passwords.
The reason I stick with Passwordsafe is there is no on-line version. It is incumbent on me to keep the database safe, but I don't have to worry about breaches like LastPass.
 
I have 20 breaches but all the passwords have been 10 years+ since I used any of them.

The Malwarebytes report is minimal info ... an ad to sell you identity protection.
Use haveibeenpwned.com
 
This has been my go-to for years and years to monitor if my email address(es) appear in any of these disclosures:

So you put your information into haveibeenpwned and then they have your information?
Are they trustworthy? And ... who is to know if it is secure and some rogue entity isn't accessing their database getting your IP address and email?

I never checked myself but Apple does alert me at times if it detects any of my information on the dark web.
 
So you put your information into haveibeenpwned and then they have your information?
Are they trustworthy? And ... who is to know if it is secure and some rogue entity isn't accessing their database getting your IP address and email?

I never checked myself but Apple does alert me at times if it detects any of my information on the dark web.
Email address is all.

It's really too bad there isn't a comically simple way to ascertain the nature of some of these organizations.

Does Apple have ALL of your information such that they can check to see if any of it is on the "dark web"? I wonder how many 3rd parties have access to their databases...
 
Email address is all.

It's really too bad there isn't a comically simple way to ascertain the nature of some of these organizations.

Does Apple have ALL of your information such that they can check to see if any of it is on the "dark web"? I wonder how many 3rd parties have access to their databases...
I don't know. I just know, if you use the Apple password application I get these alerts at times warning me which ones were found on the dark web and suggest to change them, it will then allow me to do so, one by one.

I actually use a private paid service for passwords but at times, just because I have also been allowing Apple to save some of them, Apple is free. Since I have 3 Apple devices it sure makes things simple to fill passwords. Everything is encrypted and I doubt you will see a scandal involving Apple ruining their worldwide reputation allowing access to 3rd parties. But I am sure someplace it's in the disclosures no one reads.
At the same time I am reluctant to cancel my paid password manager, it just makes life easy.
 
I don't know. I just know, if you use the Apple password application I get these alerts at times warning me which ones were found on the dark web and suggest to change them, it will then allow me to do so, one by one.

I actually use a private paid service for passwords but at times, just because I have also been allowing Apple to save some of them, Apple is free. Since I have 3 Apple devices it sure makes things simple to fill passwords. Everything is encrypted and I doubt you will see a scandal involving Apple ruining their worldwide reputation allowing access to 3rd parties. But I am sure someplace it's in the disclosures no one reads.
At the same time I am reluctant to cancel my paid password manager, it just makes life easy.
For passwords I've used BitWarden for years for the same reason: With desktop applications and browser plugins it is too simple and easy to pass up. But I am really considering going with an offline alternative whose main database file I could (encrypt and) store/sync through a cloud service or even a self-hosted sync service.

I do not believe that any of the malicious parties who gain access to user data would ever expend the near-infinite amount of time and other resources necessary to even begin thinking about decrypting anything: They are after low-hanging fruit for direct use and raw numbers ("100 bazillion-jillion records in this archive!!!") for selling. If there is a service of any sort that encrypts your data using a **key of yours, be that a keyfile or pass phrase or anything else** then you could probably consider your data to be reasonably safe; knowing, though, that encryption algorithms themselves come and go as the march of time and technology sometimes expose weaknesses in them.

As far as passwords and their occasional compromise by the service they access go, you can cover yourself 99.9% by using a simple 2FA/MFA if the service provider offers it (this site included). It would take unusual and unreasonable effort by someone with international-grade resources (OR someone who has your phone or 2FA/MFA application on a desktop) to somehow compromise that process.
 