You may want to dedicate some time this weekend to updating your passwords. Researchers discovered 30 exposed datasets online that contain a combined 16 billion login credentials — equivalent to roughly two leaked logins for every person on earth.
Researchers working for Cybernews discovered the datasets, reporting that only one of the 30 found so far had been previously reported. The exposed datasets so far contain anywhere from tens of millions to over 3.5 billion records, with the datasets containing, on average, 550 million exposed records.
However, Cybernews reports there is a small silver lining in that the datasets were only exposed temporarily — just long enough for researchers to find them, but not long enough to find who was controlling them. Researchers suspect some databases might be controlled by other researchers, but some are likely controlled by cybercriminals. The temporary exposure may have allowed bad actors to get at the databases as well.
Researchers said that leaked datasets contained a mix of data acquired from infostealer malware, credential stuffing sets, and repackaged leaks. They also say it’s likely the datasets have overlapping records given the sheer number of records present, but it’s not possible to tell just how many people or accounts were actually exposed, or how many duplicate records there are (though there are bound to be lots).
Moreover, the scale makes it difficult to say which online services are impacted, though researchers did find credentials for major sites like Apple, Facebook, Google, Github, Zoom, Twitch, and more. The good news is that there doesn’t appear to be a centralized breach of these companies, but instead seems to come from infostealer malware. Regardless, the scale of the leak potentially opens the door to any online service.
Cybernews says that leaks of this scale fuel all kinds of attacks, like phishing campaigns and account takeovers. The unknowns surrounding the data — such as who owns it — make the situation even worse.
Ultimately, anyone with online accounts should take some time to update their passwords just in case and enable additional security features like multi-factor authentication (MFA). When updating passwords, it’s highly recommended to use strong, unique passwords and to avoid reusing passwords across multiple services (that way, if one service is breached, your other accounts will be safe). The best way to do this is to use a password manager. Alternatively, using passkeys could also help secure accounts.
Both Apple and Google have password managers built into their devices and software, but if you want to use a third-party service that works across ecosystems easily Bitwarden is a great option.
Beyond updating passwords and enabling extra security features, everyone should be on high alert for suspicious activity and scams. Watch out for suspicious activity on your accounts and report it. Further, watch out for fake communications, like texts or emails, and avoid clicking any links and handing out any personal information.
Source: Cybernews
MobileSyrup may earn a commission from purchases made via our links, which helps fund the journalism we provide free on our website. These links do not influence our editorial content. Support us here.
