

The 16-Billion-Record Data Breach That No One's Ever Heard of (cybernews.com) 34
An anonymous reader quotes a report from Cybernews: Several collections of login credentials reveal one of the largest data breaches in history, totaling a humongous 16 billion exposed login credentials. The data most likely originates from various infostealers. Unnecessarily compiling sensitive information can be as damaging as actively trying to steal it. For example, the Cybernews research team discovered a plethora of supermassive datasets, housing billions upon billions of login credentials. From social media and corporate platforms to VPNs and developer portals, no stone was left unturned.
Our team has been closely monitoring the web since the beginning of the year. So far, they've discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records. None of the exposed datasets were reported previously, bar one: in late May, Wired magazine reported a security researcher discovering a "mysterious database" with 184 million records. It barely scratches the top 20 of what the team discovered. Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.
"This is not just a leak -- it's a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What's especially concerning is the structure and recency of these datasets -- these aren't just old breaches being recycled. This is fresh, weaponizable intelligence at scale," researchers said. The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances. Key details to be aware of:
- The records include billions of login credentials, often structured as URL, login, and password.
- The datasets include both old and recent breaches, many with cookies, tokens, and metadata, making them especially dangerous for organizations without multi-factor authentication or strong credential practices.
- Exposed services span major platforms like Apple, Google, Facebook, Telegram, GitHub, and even government services.
- The largest dataset alone includes 3.5 billion records, while one associated with the Russian Federation has over 455 million; many dataset names suggest links to malware or specific regions.
- Ownership of the leaked data is unclear, but its potential for phishing, identity theft, and ransomware is severe -- especially since even a
- Basic cyber hygiene -- such as regularly updating strong passwords and scanning for malware -- is currently the best line of defense for users.
Look up (Score:3)
Is there an online tool to search for my username/log in?
I'd like to know if I'm in the dataset.
Re:Look up (Score:5, Informative)
https://haveibeenpwned.com/ [haveibeenpwned.com]
Re: Look up (Score:2)
As of today, this dataset is not yet included in their list:
https://haveibeenpwned.com/Pwn... [haveibeenpwned.com]
Re: (Score:2, Informative)
Is there an online tool to search for my username/log in?
I'd like to know if I'm in the dataset.
Sure. Tell me your username and password and I'll check for you.
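The lookup suggested above (haveibeenpwned.com) does not require handing anyone your password: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1, and the match against the returned list happens locally. This is an added example, not code from any commenter or from HIBP; the range responses and counts are constructed sample data, with only the SHA-1 values of "123456" and "password" being real.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords "range" API: maps a 5-hex-char
# SHA-1 prefix to the body the service would return (one "SUFFIX:COUNT" line
# per known hash sharing that prefix). The suffixes for "123456" and "password"
# are their real SHA-1 remainders; the counts and the near-miss entry are made up.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "7C4A8": "\r\n".join([
        "D09CA3762AF61E59520943DC26494F8941B:2000000",  # sha1("123456") minus prefix
        "D09CA3762AF61E59520943DC26494F8941A:1",        # near-miss, differs in last nibble
    ]),
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3500000",  # sha1("password") minus prefix
}

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not contacted here


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that gets sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn a range response into {SUFFIX: count}, tolerating blank lines and
    lowercase hex."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus, or 0 if unseen.
    fetch_range receives only the prefix, so a network-backed fetcher (an HTTP
    GET of RANGE_URL + prefix) learns nothing beyond which 1-in-1,048,576
    bucket the hash falls into."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline fetcher backed by the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix.upper(), "")
```

Swapping `offline_fetch` for a function that GETs `RANGE_URL + prefix` gives a live check with the same privacy property.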
Solution (Score:1)
i.e. make it $100 per "victim" to be paid out, and the directors also held personally liable for $$ OR with 10 years prison.
Suddenly much less data will be collected; currently it's no risk, no care taken.
Re: (Score:3)
I was waiting for somebody to say something like this.
The problem with this approach is that there is NO perfect solution. You can do *everything* right and still get hacked. Penalizing people for being robbed, won't stop people from being robbed.
Instead, how about lock up the criminals who break in to systems. That won't stop it either, but it's at least punishing the criminal, instead of the victim.
Re: (Score:2)
Why the hell do I need to "register" and use their "App" for home appliances that do NOT need internet access, e.g. hot air fryers, dryers, washing machines.
ALL I want to do when I buy something is to chose it, pay for it, and have it shipped, they do NOT need to know my email address, date of birth, etc etc etc, they do NOT need to "Store" my credit card number for
Re:Solution (Score:4, Insightful)
If you don't want businesses to have all that information about you, why do you give it to them? I certainly don't.
Did you know that you don't have to register that new appliance? The warranty is still in effect even if you don't. Just keep the purchase receipt. There are still plenty of appliances of all types, that don't require an app or registration. If you *really* want to stay anonymous, shop at resale shops, pay cash. You can find all those things at second-hand or thrift stores.
If you *do* choose to provide your personal information, that doesn't change the fact that a data breach is *theft*. Banks store valuable things too, and when somebody robs a bank, nobody sues the bank, unless they were negligent. People trust banks with their valuable money and things because they trust them to make a good effort to keep their things safe. Nobody thinks that banks are 100% secure.
Data theft works the same way. There is no such thing as 100% secure. Digital security is still a work in progress, it's not secure enough yet. But that's not the fault of one specific company that has a data breach, it's a systemwide problem. Bit by bit, the system will improve. It's an arms race.
Re: (Score:2)
As I say, we need to push hard for data minimisation, not maximisation and the ONLY way that will happen is when it presents financial risk.
And yes, I do all of those things, but MOST people don't and with data sharing etc they can effectively track you anyway.
And many appliances with IOT capabilities do NOT give you full functionality unless they can phone home and share data.
Re: (Score:2)
Most people don't do those things because they really don't value privacy. Need proof? Facebook is now charging $10 per month for privacy in some countries. https://www.wired.com/story/me... [wired.com] There aren't any hard numbers yet, but I doubt many will pay.
As soon as you put a price on privacy, people will generally opt for the free, nonprivate version.
While this is an interesting conversation, it doesn't change the original premise that one should not punish victims (companies that are breached by hackers).
Re: (Score:2)
Think of it being like, unless you make "reasonable" effort to protect your property, insurance will not cover you for loss.
Fail to lock your house, theft is not covered, so there is an example of victims already getting punished.
Re: (Score:2)
You are incorrect about theft insurance. Standard homeowners policies do indeed cover losses due to theft, even if your home is left unlocked. https://www.trustedchoice.com/... [trustedchoice.com].
If you leave your doors open, and somebody steals your stuff, you are still a crime victim. The penalty for your carelessness is the loss of your stuff and the inconvenience of replacing it. But the law does not and should not additionally punish *you* for your loss.
Re: (Score:2)
You are only insured if "fair and reasonable" efforts have been made to prevent loss. This even extends to: if a member of your household steals something, you are not covered.
Re: (Score:2)
So, while I feel pity for New Zealand residents who are victims of thieves, even in New Zealand you don't punish the homeowner who carelessly left his house unlocked. They just suffer the loss, and that's the end of it.
Re: (Score:2)
And the home owner IS punished because they have to cope with the loss of goods due to their carelessness
I note in Florida 10-15% of home owners do not have insurance because it is too costly
And in YOUR system, every other policy holder is also punished with higher premiums to cover those who do not make an effort to prevent loss.
Re: (Score:2)
And the home owner IS punished because they have to cope with the loss of goods due to their carelessness
Yes, this is exactly what I said. The punishment comes through natural consequences of their carelessness. Your contention from the beginning, was that the law should *further* punish businesses who lose valuable data, by fining or jailing employees for their carelessness. You wouldn't do that to a homeowner, and you wouldn't do that to a business, unless the carelessness rises to the level of negligence.
Higher premiums, I agree with Lawsuits against companies over the loss of their data, I agree with. But
Re: (Score:2)
The ONLY people who benefit from law suits is the lawyers, and the companies have insurance against that.
So what exactly is the punishment for people/companies who needlessly collected personal information, those decisions are made by people, leadership, and yet they are never punished.
Do you mean the company goes bankrupt? So the shareholders get punished, the employees get punished and those at the top who have been paid way too much...meh, n
Re: (Score:2)
Yes, the victims are the people whose information was stolen. We agree on that.
What we don't agree on, is who the criminals are. I say the criminals are the thieves, you say the criminals are the companies who were stolen from.
Thankfully, our laws punish people who break laws. It's not a crime to collect data, however "needless" that might seem to you. If you want it to be punishable by law, then the law needs to change. As it stands, collecting data isn't a crime in either your country or mine.
Funny that yo
Re: (Score:2)
They are also the ones who sell that data on others and make profit from it.
Enforcing good behaviour from companies is the right thing to do, because it forces them to take stock of potential risk.
Go look at all those "class action suits", the majority of the money goes to the lawyers, not the victims.
YOUR information is worth maybe $10 when a corporate gets sued, where as their music track is worth tens of thousa
Re: (Score:2)
Your argument starts with the assumption that data is not a legitimate thing to buy and sell. All of your other arguments stem from that premise. Not everyone, and certainly not the laws of nations, agrees with that premise.
If data is a legitimate thing to buy and sell, then the definition of "necessary to collect" becomes a moot point. Some businesses, such as credit rating agencies, literally specialize in the buying and selling of data. They provide a valuable service both to businesses and to individual
Re: (Score:2)
Note that the GP said "unnecessary" data. As per GDPR, there is a legal requirement to minimize data collection to only what is necessary, and the more you collect the greater the liability when it gets stolen.
I do think there needs to be a multiplier, which can be as low as zero, based on what security precautions were taken to protect the data. For example, if you just installed AV software and a firewall and called it a day, or outsourced your security to someone else who turned out to be incompetent, th
Re: (Score:2)
If a company violates GDPR, that is grounds for fines or other legal ramifications. That is altogether different from punishing companies for being breached.
Liability is a thing, if your company holds data and loses it, the company is certainly liable for losses. This is similar to a driver being liable for damages in a car accident he caused, even if the accident was completely unavoidable. You don't punish the driver beyond the liability to cover the other drivers' repairs. In a data breach, people who we
Even some government services (Score:4)
Exposed services span major platforms like Apple, Google, Facebook, Telegram, GitHub, and even government services.
Luckily, here in the U.S. DOGE has consolidated copies of all our government data from the various independent agencies into one place - oh, wait ...
Aliens? (Score:2)
There are about 8 billion people on earth. Those other 8 billion records belong to...aliens?
no Aliens needed (Score:2)
There are about 8 billion people on earth. Those other 8 billion records belong to...aliens?
If you're using the same login/password everywhere, you're part of the problem.
If people have 8 different ones, then only 2 billion people are needed.
Re: (Score:3, Insightful)
Wait, I wasn't supposed to use 123456? Now I'm going to have to change the password on my luggage!
Re: (Score:2)
Re: (Score:2)
I doubt it's actually 16 billion distinct accounts. The information is likely *full* of redundancy.
Re: (Score:1, Insightful)
That must explain some of my posts! (Score:4, Insightful)
I have a lot of posts that never were moderated highly which must have been posted by somebody using my account!
Because it's not a new breach (Score:2)
Only 16 Billion? (Score:2)
Back when SpyCloud let you see what they found about you, they informed me that one of my email addresses appeared over three thousand times in their collections of leaked info. Often it would appear multiple times in the same leak. About a third of the time, the identity associated with the email address was wrong, and every. single. time. the password was wrong.
Who could've guessed criminals would think to make money off selling lies to other criminals?!
When I hear there's twice as many user/password p