What We’ve Learned to Date About the Alleged 'Ultimate Data Breach'

Data breaches are so common these days that, when a new one gets announced, most web users can do little more than yawn and mutter something like “Yeah, no shit” before scrolling up to the next story in their newsfeed. This week, however, a breach was announced that was allegedly so earth-shatteringly huge that it managed to break through the internet’s wall of collective cynicism.

Dubbed the “Mother of All Data Breaches,” the breach is said to involve some 16 billion user credentials, and impact a vast number of accounts on platforms like Facebook, Google, and Apple. The breach was initially reported by Cyber News, a site that focuses on web security, and was written by the site’s deputy editor and researcher, Vilius Petkauskas. The story, published Wednesday, claims that the breach represents “one of the largest data breaches in history.”

Petkauskas’s article describes the discovered breach as “a plethora of supermassive datasets, housing billions upon billions of login credentials” that have been sourced from “social media and corporate platforms to VPNs and developer portals.” This data is sourced from “30 exposed datasets” that researchers say contains “tens of millions to over 3.5 billion records each.” Researchers say they were able to discover the exposed datasets due to insecure online protections, though they say the exposure was too short-lived for them to figure out who was “controlling” the data.

“This is not just a leak – it’s a blueprint for mass exploitation,” said researchers interviewed by the site. “With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.”

Cyber News’s story was picked up by a number of mainstream outlets, including Forbes and Axios. However, no sooner had the news begun to circulate the internet than security professionals began to call the article’s claims into question. According to critics, Cyber News isn’t wrong per se about the number of credentials that have been exposed—and that’s horrifying enough news on its own. However, some watchers maintain that this isn’t a new breach (nor is it really a breach in the traditional sense), it’s just data from a bunch of old breaches that have been stapled together and posted online.

“To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials,” writes Bleeping Computer.

Meanwhile, vx-underground, an informational website that posts about malware samples found around the web, tweeted about the story, characterizing it as a “fear mongering 16,000,000,000 password repackage password leak thingy which scared the normies and spread misinformation.”

Unfortunately, large breaches happen all the time and, due to the way that the cybercriminal underworld is structured around the sharing of stolen data, data from many of these breaches is traded and re-traded across websites. Sometimes, collectors of that information will compile very large dossiers of those breaches and post it as something new—which is what researchers are claiming happened here.

That said, Cyber News’s story seems to contradict the claims being made by security researchers somewhat. It says that the data that has been uncovered is “recent” and “not merely recycled from old breaches.” The Cyber News story also now includes a disclaimer that says: “This story, based on unique Cybernews findings and originally published on the website on June 18, is constantly being updated with clarifications and additional information in response to public discourse.” Gizmodo reached out to Cyber News for comment.

The breach is still interesting for how it highlights the danger of one particular tool in the dark web cretin’s toolkit, which is a malware appropriately known as the “infostealer.” The infostealer—just as it sounds—is software that, once having infected a device, will suck out login credentials that have been saved in the computer’s browser. A very effective tool, cybercriminals can use the automated tools to swiftly compile large lists of personal information that can be used for compromise operations down the road.

Regardless of whether this involves freshly leaked credentials or not, it might be a good time to freshen up your logins. Hackers’ jobs are getting easier by the day.