315 - Billion Game
TL;DR on the 16 billion passwords and related records that were just leaked for Google, Apple, Facebook, and virtually every other service or platform on the internet:
Change your banking, primary email, and any other critical passwords, including the account behind any password manager or browser sync that stores your other passwords. Set up two-factor authentication (2FA) as an added layer of security. Stop procrastinating.
For more detail:
- Services that tell you if your data has been leaked don't know yet, and they may never find out to tell you. For example, "Have I been pwned?" has just under 15 billion leaked records in total to draw from. You may receive no warning until damage has been done.
- This isn't a single leak, but a vast collection of passwords and personal data gathered by every method that bad actors have at their disposal. It has been called a "blueprint for (internet-scale) exploitation", allowing well-funded bad actors to carry out deep, broad, and highly sophisticated attacks that use all of a person's digital footprint, not just the specific platforms they may use.
- Normal leaks are sold on the dark web, but any of these records not previously sold may never be. The bad actors behind this more likely intend to use the data directly, meaning that their attacks may hit without warning.
- The records likely do include duplicates, due in part to more than one method being used to collect them, but this remains the largest collection of leaked records known.
Researchers were only able to observe this massive collection of leaked credentials briefly before the bad actors locked it down again, and they don't know who is behind it, let alone its full contents. This absurdly large collection of compromised credentials is likely behind many of the recent and still ongoing large-scale attacks against Microsoft, Google, and others.
It may be that this newly discovered dark web repository is a carbon copy of the aforementioned nearly 15 billion records already known to services like "Have I been pwned?", plus an additional 1 billion made up of some mixture of newly leaked or otherwise previously unknown records, along with duplicates left behind because little or no effort was made to clean them.
Even if that is the case, putting all of them together in one central database to facilitate more sophisticated and comprehensive attacks sounds an awful lot like what the US government is currently paying Palantir to do, or something that Russia or China could be just as likely to do themselves. That $200m contract with the US government that OpenAI recently signed also comes to mind, as you can safely bet that Palantir will get access to the records of anyone using the junk that OpenAI produces, and the user input that led to it.
For more, I recommend getting the details from the Cybernews coverage of the data breach.