MOAB: The Implications of 26 Billion Records Breached

The security researcher Bob Diachenko and investigators from Cybernews have discovered an open instance with more than 26 billion data records. These were mostly compiled from previous breaches, but likely also include new data.

In total, 3,876 domain names were included in the exposed data set.


What data types have been breached, and what are the associated risks?

Unfortunately, the exposed data consists of more than just credentials. According to Cybernews, “most” of the exposed data is sensitive.

Though we don’t know the exact data types, sensitive data is, by definition, more valuable to criminals than mere email addresses and passwords.

Worryingly, it’s possible that the data set includes medical records. This type of information is not only highly sensitive but also, in many cases, inalterable: it tends to remain valid for years, even decades, and can be used in targeted social engineering attacks and/or for blackmail.

Other types of sensitive data, such as personal or financial information, can also easily lead to identity theft, financial fraud, and reputational damage.


Is the MOAB as bad as it seems?

Although any data breach of 11 figures ought to be alarming to anyone, the number of unique records is likely to be significantly less than 26 billion. The researchers who discovered this data set also reported that duplicates were “highly likely.”

Nevertheless, if even 1% of these records were unique – which is almost certainly an underestimate – you’d still be looking at 260 million unique data records.

Even if these were largely credentials, rather than sensitive data, this is worrying. While people can and should change their passwords after a breach, many don’t. Our senior penetration tester Leon Teale explained:

Data leaks from years ago are still being used today to compromise accounts, telling us that many people don’t change their password after a breach, or even at some regular frequency.

In my work as a penetration tester, I scour for leaks like this. I search for clients’ corporate email addresses to find associated credentials and often discover them to be valid on their corporate systems. This process can be surprisingly fast: In a database of more than 3 billion records, a specific email can return instant results.

He added:

I can find those associated credentials even though the leaks aren’t from that specific organization. But the credentials work anyway because people have terrible password habits, either using the same password for different accounts, or using obvious password variations like ‘Summer2022,’ ‘Summer2023,’ etc.

It’s also worth noting that Cybernews reported that “Researchers believe that the owner of the MOAB has a vested interest in storing large amounts of data and, therefore, could be a malicious actor, data broker, or some service that works with large amounts of data.”

If the owner is a criminal gang, they may well have been using this database in a similar way to our ethical hackers – albeit for illegal purposes. This is a key feature of penetration testing, where an ethical hacker systematically probes your networks and systems for vulnerabilities, using the same methods as criminal hackers but without causing damage to your infrastructure.


Which organizations were most affected by the MOAB?

Though the two most affected organizations associated with these data records are based in China, there are a lot of U.S.-based organizations with at least eight figures of records breached, as shown in the table below.

Out of the top 13 most breached organizations (within this data set), 6 are headquartered in the USA. Combined, those 6 organizations had more than 1.3 billion records breached.


Should we have seen this breach coming?

When we asked Leon Teale what he thought of the breach, he said:

Unfortunately, this new mega breach didn’t really surprise me. I’d almost say that I was expecting it.

Once in a while, we seem to hear of yet another massive data leak, each even bigger than the last. This also makes sense – as user bases only get larger, it stands to reason that data leaks will too.

These types of leak used to be coined ‘COMB,’ which stands for ‘compilation of many breaches.’ This one has been dubbed ‘MOAB’ – the ‘mother of all breaches’ – but isn’t fundamentally different to these COMBs.

For instance, last year, we saw a massive 3.8 billion records breached at DarkBeam. In 2021, we saw a leak of 3.27 billion records. But I must admit: 26 billion is taking things to another level.


How do these figures compare against IT Governance’s research?

In 2023, across the full year, we ‘only’ found 8.2 billion records breached. So, even though we’re still in January, we’re clearly already looking at a record-breaking year, never mind month.

Looking more closely at the names affected by the MOAB, we do see certain patterns emerge.

For instance, in the past three months, we’ve logged four data breaches for Microsoft. This isn’t a coincidence.

Certain organizations are more likely to be breached than others, particularly third-party providers: IT service providers and software companies such as Microsoft, but also LinkedIn and other platforms, all of which appear in this MOAB.

It’s probable that this is to enable supply chain attacks, which we’ve been seeing more of in recent months. The most obvious example is the MOVEit Transfer breach, but we have also seen sector-specific breaches, such as the Ongoing Operations ransomware attack that affected 60 credit unions in the USA.

However, such service providers also make for attractive indirect targets, in part because of people’s poor password habits. For instance, if a threat actor got access to the credentials of many LinkedIn accounts, this could easily also give them access to numerous work-related accounts and, by extension, big corporate databases.


What should organizations do to protect themselves?

Organizations should always have the mindset that a breach is inevitable, and take data security and risk mitigation seriously. Simple actions they can take include the following:

  • Encrypting databases containing personal and other confidential data. If they’re leaked, even if only by accident, the plaintext passwords aren’t easily accessible without significant resources to crack the encryption.
  • Enabling MFA (multifactor authentication) where possible. This is paramount in the workplace, but also a very simple yet effective thing you can do for your personal accounts. Although MFA won’t prevent threat actors from getting your passwords, it’ll help stop them from accessing the associated accounts.
  • Improving staff awareness through staff awareness training. This can cover things such as not reusing passwords, tips for choosing strong yet memorable passwords, and use of password managers.

If you’re keen to take things a step further, you could also implement the international standard for information security: ISO 27001. This flexible, pragmatic standard takes a risk-based approach to managing information security that would benefit any organization.


CyberComply

We want to make ISO 27001 compliance easy for our customers, so you can stay focused on your core business while keeping your data secure.

CyberComply, our Cloud-based solution, makes compliance simple and affordable – not just with ISO 27001, but also with a range of other security and privacy requirements, including SOC 2, the new SEC cybersecurity rules, various federal breach notification laws, and many more.

This end-to-end solution:

  • Gives you immediate visibility of critical data and key performance indicators
  • Helps you identify and treat data security risks before they become critical concerns
  • Reduces errors in, and improves the completeness of, your risk management processes
  • Accelerates certification and supercharges project effectiveness
  • Helps you stay ahead of regulatory changes