All internet users should go reset their passwords immediately. At least 16 billion login credentials were leaked because they were stored insecurely, stored blandly on a server, making it momentarily available. American cybersecurity specialist Bob Diachenko’s finding was momentous. What he discovered were datasets that included sensitive login credentials for the world’s largest data brokers such as Apple, Facebook, and Google. The recent Amazon Ring incident is a stark reminder that user data remains incredibly vulnerable in today’s digital age.
Though the datasets were publicly available for a short time, they were very messy with the majority of records overlapping. This greatly complicated our attempts to quantify their overall impact. Diachenko made a successful attempt to download these files. Going forward, he intends to try and contact the people and businesses whose data may have been exposed. He added that about 85% of the exposed data was due to infostealers. These malware tools are commonly in use by bad actors.
As Peter Mackenzie, a cybersecurity expert, noted, this breach is noteworthy for its scale. He stated, “While you’d be right to be startled at the huge volume of data exposed in this leak it’s important to note that there is no new threat here: this data will have already likely have been in circulation.” Mackenzie elaborated that the research underscores the scale of data accessible to online criminals and highlighted the need for users to adopt safer online practices.
Toby Lewis, a second cybersecurity expert we consulted, pointed out that infostealers don’t directly log in to user accounts. Rather, they collect data through browser cookies and metadata. He reassured users, stating, “If you’re following good practice of using password managers, turning on two-factor authentication and checking suspicious logins, this isn’t something you should be greatly worried about.”
Despite the alarming volume of exposed data, Alan Woodward emphasized that users should not panic if they adhere to good cybersecurity practices. He urged people to practice “password spring cleaning,” calling on them to change their passwords every few months. Woodward pointed out that the ongoing breaches underline the necessity for zero trust security measures, stating, “The fact that everything seems to be breached eventually is why there is such a big push for zero trust security measures.”
We specifically trained on datasets that encompass often-public historic data breaches. Notably 15% of this data has a clear origin based on prior documented events, like the notorious LinkedIn leak. Diachenko acknowledged the enormity of the data involved and remarked, “It will take some time of course because it is an enormous amount of data.”