Mega-Breach Database Exposes 26 Billion Records

A new 12TB database of 26 billion records has been found exposed online by security researchers, although its contents were pieced together from previous breaches.

The haul was discovered by Cybernews and noted security researcher Bob Diachenko on a publicly available instance with no authentication required for access.

Among the records leaked in the trove are 1.5 billion belonging to Tencent customers and 500 million from Chinese Twitter-like site Weibo, alongside MySpace (360 million), Twitter (281 million), LinkedIn (251 million), Adobe (153 million) and many more.

However, it’s unlikely that any previously undiscovered breaches have been made public in the leak.

“Every single data breach ever reported or sold was carefully collected by an unknown actor and left in a misconfigured instance,” clarified Diachenko.

There are also likely to be a sizeable number of duplicates in there.

“I think most people in this world now correctly think that at least some portion of their personal information is available on the internet,” argued Roger Grimes, data-driven defense evangelist at KnowBe4.

“A lot of the time it is due to being tricked by social engineers or phishing emails. Other times, it's due to compromised websites and databases. Either way, most of us have some portion of our private information out on the internet available to anyone. It's a sad fact of life.”

While it’s unclear how many of the records are password/email combinations, the find could prompt a renewed wave of credential stuffing attacks.

ESET global cybersecurity advisor Jake Moore urged users to follow best-practice cyber-hygiene to keep their accounts secure.

“We should never underestimate what cybercriminals can achieve with such limited information. Victims need to be aware of the consequences of stolen passwords and make the necessary security updates in response,” he said.

“This includes changing their passwords, being alert to phishing emails following the breach, and ensuring all accounts, whether affected or not, are equipped with two-factor authentication.”

Read more on mega-breaches: Password Reuse at 60% as 1.5 Billion Combos Discovered Online

A more impactful discovery was arguably made last week, when breach notification site HaveIBeenPwned (HIBP) published a massive collection of username/password pairs, known as the “Naz.API” list.

This data was obtained from info-stealing malware and credential stuffing lists from previous breaches.

Troy Hunt, creator of HIBP, identified 71 million unique email addresses in the haul and warned that a third of them are not listed in HIBP, meaning it’s a “significant volume of new data” which could be used subsequently to access users’ accounts.