26 Billion User Records Compromised
A leak of around 26 billion user records has been labeled "the mother of all breaches." It's a major reminder of the downsides of reusing the same passwords on multiple sites.
The collection of records is not a single stolen database. Instead, it appears to be a massive compilation of databases that have either been leaked before or sold on the black market.
The database was spotted online by security researchers, likely a sign that whoever compiled it screwed up somewhere by mistakenly making it accessible. The researchers noted the database was extremely well indexed and organized.
The database takes up 12 terabytes of data. That would be a lot of data for videos and other large files, but it's a spectacularly large size for a database consisting of mostly text. Cybernews notes the 26 billion records compares to a similar "biggest leak ever" of 3.2 billion records just three years ago. (Source: cybernews.com)
Major Sites Affected
The researchers noted the database covers a wide range of sites. It includes at least 100 million user records from each of 20 different websites, including X (formerly Twitter), LinkedIn, Adobe, MyFitnessPal and Canva. However, a huge number of smaller sites are also affected. (Source: computerweekly.com)
What's not clear is how many of the user records are still valid and how many have login details that have since changed.
Spam Avalanche Likely
However, anyone with access to the database (and sufficient computing resources) could certainly launch a credential stuffing attack.
This simply involves taking a list of username and passwords from one website and trying to login with them on another website, particularly one that may give access to more sensitive data such as an email or social media account. In theory, major websites should have technical measures to detect and stop multiple login attempts from a single source, but that's not always the case.
The other big risk is that the database includes a large number of email addresses that are likely largely genuine and active. Combining this with accompanying details such as people's names and the types of site they use could mean a torrent of targeted spam or more effective phishing attempts. That's where scammers try to trick people into providing login details and other personal data, for example by directing them to a bogus lookalike website.
What's Your Opinion?
Are you surprised by the size of this database? Do you reuse passwords on more than one site? Were the security researchers right to reveal the database's existence?
My name is Dennis Faas and I am a senior systems administrator and IT technical analyst specializing in cyber crimes (sextortion / blackmail / tech support scams) with over 20 years experience; I also run this website! If you need technical assistance , I can help. Click here to email me now; optionally, you can review my resume here. You can also read how I can fix your computer over the Internet (also includes user reviews).
We are BBB Accredited
We are BBB accredited (A+ rating), celebrating 21 years of excellence! Click to view our rating on the BBB.
Comments
BEWARE OF GOOGLE CHROME AUTO LOG-IN
THIS IS THE REASON CHROME SHOULDN'T TRY LOGGING YOU IN WITH YOUR GMAIL ACOUNT EVERY SINGLE TIME AT EVERY SITE LOG-IN! THEY DON'T EVEN HAVE A WAY TO TURN OFF THAT DIALOG BOX FROM POPPING UP. THIS PROBABLY HAPPENED BECAUSE OF THEM!
MY Chrome browser doesn't do
MY Chrome browser doesn't do that. There are settings for managing passwords: https://support.google.com/chromebook/answer/95606?visit_id=638421796294764950-1205599272&p=settings_password&rd=1 or chrome://password-manager/settings