16 billion passwords exposed in 'mother of all' data breaches

Article content

Cybersecurity researchers have unearthed what they are describing as the “mother of all breaches,” including more than 16 billion individual records.

A collection of 30 databases was reportedly discovered, including passwords, for government accounts, Apple, Google, Facebook, Telegram and more websites.

Some databases had vague names such as ‘logins’ or credentials,’ making it difficult for the team to establish exactly what they contained.

However, others offered clues about where the data came from.

According to the researchers, the records were most likely compiled by cybercriminals using various infostealing malware. They noted, however, that some data may also have been collected by so-called ‘white hat’ hackers.

Cybernews, which found the records, said the information was only briefly available to the wider internet before being locked down, but it is not possible to determine who owned the databases.

More than 5.5 billion people worldwide use the internet. As such, researchers warned that a staggering number of people likely had at least some of their accounts compromised.

Users across the globe are being urged to change their passwords immediately to protect their data from falling into the hands of cybercriminals.

“The inclusion of both old and recent infostealer logs makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices,” the researchers said, per the U.K. Daily Mail.

Cybernews said its researchers identified a database of 184 million records that was previously uncovered in May, found by data breach hunter and security researcher Jeremiah Fowler.

“It barely scratches the top 20 of what the team discovered,’ Cybernews said. “Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.”

The database of 184 million records contained secure login data for millions of private citizens but also had stolen account information connected to multiple governments around the world.

While looking at a sample of 10,000 of these stolen accounts, Fowler found 220 email addresses with .gov domains, linking them to more than 29 countries, including the U.S., U.K., Australia, Canada, China, India, Israel, and Saudi Arabia.

“This is probably one of the weirdest ones I’ve found in many years,” Fowler told WIRED.

“As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal’s dream working list,” the cybersecurity expert continued.

RECOMMENDED VIDEO

We apologize, but this video has failed to load.

Try refreshing your browser, or
tap here to see other videos from our team.

Play Video