A newly revealed trove of 772,904,991 unique email addresses and more than 21 million unique passwords that have been aggregated from over 2,000 leaked databases was recently discovered by Troy Hunt, the security researcher who maintains HaveIBeenPwned. The records were stored on one of the most popular cloud storage sites, MEGA, until it got taken down, and then on a public hacking site. The credentials were not even for sale; they were just available for anyone to take. In total, 1,160,253,228 unique combinations of email addresses and passwords were exposed.
Experts Comments below:
Ruchika Mishra, Director of Products and Solutions at Balbix:
“In terms of scale, this enormous trove of email addresses and unique passwords is monumental. Hackers could have accessed this data at any point while it was stored on MEGA, or the following hacking forum where it lived after MEGA took it down. This information could be used for credential stuffing attacks which can harm businesses and individual users alike. Most enterprises today do not have the foresight and visibility into the hundreds of attack vectors that could be exploited, such as employees using credentials across personal and business accounts. Weak passwords, default passwords, password reuse, passwords stored incorrectly on disk, or transmitted in the clear on the network are all various flavors of the “Password Misuse Risk” attack vector and according to the Verizon Data Breach Report from 2017, more than 80% of breaches involve password issues at some stage of the breach.
To best combat the chances of further breaches, organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches.”
Jacob Serpa, Product Marketing Manager at Bitglass:
“When individuals create user accounts on websites, they should be able to trust that their personal information will be kept safe – obviously, having this data fall into the wrong hands can be incredibly dangerous for those who are affected. This recently uncovered cache of unique email addresses and passwords was aggregated from more than 2,000 hacked databases. This means that the organizations that were originally responsible for this information failed in their responsibility to secure it.
Leaked credentials leave individuals vulnerable to account hijacking across all services where they recycle their usernames and passwords. Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless behavior. As such, organizations must simultaneously defend their data against leakage and authenticate their users to ensure that they are who they say they are. Fortunately, security technologies like data loss prevention (DLP), multi-factor authentication (MFA), user and entity behavior analytics (UEBA), and encryption of data at rest can help ensure that enterprise data is truly safe.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.