According to Vilius Petkauskas at Cybernews, whose researchers have been investigating the leakage since the start of the year, “30 exposed datasets containing from tens of millions to over 3.5 billion records each,” have been discovered. In total, Petkauskas has confirmed, the number of compromised records has now hit 16 billion. Let that sink in for a bit. These collections of login credentials, these databases stuffed full of compromised passwords, comprise what is thought to be the largest such leak in history.
The 16 billion strong leak, housed in a number of supermassive datasets, includes billions of login credentials from social media, VPNs, developer portals and user accounts for all the major vendors. Remarkably, I am told that none of these datasets have been reported as leaked previously; this is all new data. Well, almost none: the 184 million password database I mentioned at the start of the article is the only exception.
I’m not able to find a list of the compromised services. Most of the articles about it just say that it was vaguely “a lot.” Not even sure if any accounts I care about could be affected.
“Information in the leaked datasets opens the doors to pretty much any online service imaginable, from Apple, Facebook, and Google, to GitHub, Telegram, and various government services. It’s hard to miss something when 16 billion records are on the table.”
Unless you just don’t use the internet, it would look like pretty much any service is at risk. Getting more details is good, I agree, but this might be a 10/10 bad.
I just wonder if this data will become registered on services like haveibeenpwned. They said that not all of this data was posted for long…
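Since the thread raises haveibeenpwned, here is an added example (not from the thread or from HIBP itself) of the defensive check a user or a password-reset flow can run: the Pwned Passwords range lookup. Only the first five hex characters of the password's SHA-1 are ever sent; the service returns every suffix in that bucket and the match is made locally, so the password itself never leaves the machine. The sample bucket response below is constructed for the example, except that the SHA-1 of the literal string "password" is real; the `fetch_range` helper against the real endpoint is included but is not called in the offline demo.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response. The real endpoint
# returns one "SUFFIX:COUNT" line per SHA-1 hash whose first five hex chars
# match the requested prefix. With the Add-Padding header the service mixes in
# count-0 filler lines, which must be ignored. The counts below are invented;
# the suffix for "password" (SHA-1 5BAA61E4...) is genuine.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0
2A8D3B3B7E1E5A9C9B2C5E1F3A7D9E0B1C2:13
"""

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as Pwned Passwords expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """k-anonymity split: 5-char prefix goes over the wire, 35-char suffix stays local."""
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, dropping padding (count 0) and junk."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        if len(suffix) != 35 or not count.strip().isdigit():
            continue
        n = int(count)
        if n > 0:  # count 0 lines are Add-Padding filler, not real matches
            seen[suffix] = n
    return seen


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the bucket for a 5-char prefix from the real HIBP API (network call)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in Pwned Passwords (0 = not found).

    `fetch` is injectable so the check can be run offline against a saved or
    constructed bucket; by default it hits the real range endpoint.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    bucket = parse_range_response(fetch(prefix))
    return bucket.get(suffix, 0)


if __name__ == "__main__":
    # Offline demo against the constructed bucket; no network traffic.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch=offline)
        verdict = f"seen {n} times, do not use" if n else "not in this bucket"
        print(f"{candidate!r}: {verdict}")
```

A registration or password-change handler can call `pwned_count` and reject any non-zero result; because only the prefix is transmitted, the check is safe to run on user-supplied passwords.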
From what I can tell, this isn’t necessarily due to password managers being leaked, but data from services that need to authenticate passwords being somewhat insecure at times; either from the hash databases being leaked, or passwords themselves being transmitted insecurely. Even if you use a stateless manager, you still need to send data to the service.
EDIT: post I was replying to seems to have been deleted?
The data most likely originates from various infostealers.
Researchers claim that most of the data in the leaked datasets is a mix of details from stealer malware, credential stuffing sets, and repackaged leaks.
Most other reports about the breach claimed that its source might be local malware or infostealers, not the first-party Google, Amazon, Facebook themselves being breached. That's a classic Forbes sensational clickbait title. Fucking Forbes.
Yeah, I can’t find any legitimate articles that say this is anything other than a newly discovered dataset of previous infostealer data. The Cybernews article that claims there is new data in the dataset doesn’t have a way to validate that, as they didn’t have access to the dataset long enough to confirm anything, per their own article. The BleepingComputer article basically says it’s just old data.
I wouldn’t say it’s a total nothingburger; it’s always good to have reminders to maintain good password hygiene. But I don’t think anyone needs to run out and change all their account passwords, especially if you are using real 2FA (not just SMS) or passkeys.
The implication of this data breach is a widespread undetected malware or phishing method, and as such I would think that OTPs could be compromised as well.
I think this might be more complicated, depending on usage. I’m an old dinosaur still using a “desktop”, and to me SMS looks like a good idea because it’s actually a separate device, i.e. “something I have”. An impostor would have to take both my desktop and my phone to succeed.
The problem with SMS is SIM swapping. If someone can successfully take over your phone number or have your messages redirected, then that “something you have” in your security model is useless. I’ll agree that SMS authentication is better than nothing, and a lot of phone providers have started to add Number Locking, but SMS is not a secure method for sending codes and should be avoided if possible.
I’m not following on your desktop in your example. Are you saying you only have local accounts and don’t use anything that has online portals, and/or aren’t connected to the internet? The infostealers mentioned in the articles can easily compromise a local desktop or other device; attackers wouldn’t need physical access to it.
Hmm, if an attacker can get the kind of personal information which the carrier will ask for before they port the number … I’m in deep doo-doo, and my online accounts are the least of my worries. Any time I tried to change anything about the phone account, it was a total nightmare, and now thanks to you I know why. But yes, I guess there is the possibility of a dishonest or phished employee. I’ll keep thinking about this.