Data breaches have become so common that reports of them no longer grab our attention. A breach or data leak becomes significant, however, when it relates to a popular service or when it is massive. What if the two characteristics combine? One may call it “Collection #1”. We have now heard of a MEGA data breach: it is not just “mega” in impact, but also links back to the cloud service MEGA.
MEGA Data Breach Exposed 773 Million Emails And 21 Million Passwords
In a recent blog post, Troy Hunt disclosed a massive data collection that he has uploaded to his website HaveIBeenPwned. As revealed, the breached records hint towards a potential MEGA data breach. MEGA has now removed this data from their site.
In detail, this is not precisely a data breach hitting MEGA. Rather, it was a huge database of millions of email addresses and passwords uploaded to MEGA’s site. According to Troy Hunt,
“The collection totalled over 12,000 separate files and more than 87GB of data.”
This huge database includes records allegedly drawn from more than 2000 hacked databases. The breached records include roughly 773 million (772,904,991) unique email addresses and 21 million (21,222,975) unique passwords. In all, the records include 1,160,253,228 unique combinations of breached email addresses and passwords. Hunt has reproduced this data separately, which he also found on a hacking forum.
“The post on the forum referenced “a collection of 2000+ dehashed databases and Combos stored by topic” and provided a directory listing of 2,890 of the files.”
Certainly, a collection of records from over 2000 databases deserves the name “Collection #1”. This is what Hunt spotted.
According to Jacob Serpa, Product Marketing Manager, Bitglass, such an extensive record shows how several organizations failed at ensuring database security. As he told LHN,
“When individuals create user accounts on websites, they should be able to trust that their personal information will be kept safe – obviously, having this data fall into the wrong hands can be incredibly dangerous for those who are affected. This recently uncovered cache of unique email addresses and passwords was aggregated from more than 2,000 hacked databases. This means that the organizations that were originally responsible for this information failed in their responsibility to secure it.”
Credential Stuffing – An Ongoing Risk
Credential stuffing has emerged as one of the easiest means of taking over large numbers of online accounts. Despite repeated warnings and cyber threats, people still use the same email addresses and passwords on multiple websites. Thus, credentials obtained from one or more websites can eventually give attackers access to every account where a user has reused them. That is why databases of email addresses and passwords have become so valuable to hackers.
Commenting on this MEGA data breach, Ruchika Mishra, Director Of Products And Solutions, Balbix, told LHN,
“In terms of scale, this enormous trove of email addresses and unique passwords is monumental. Hackers could have accessed this data at any point while it was stored on MEGA, or the following hacking forum where it lived after MEGA took it down. This information could be used for credential stuffing attacks which can harm businesses and individual users alike. Most enterprises today do not have the foresight and visibility into the hundreds of attack vectors that could be exploited, such as employees using credentials across personal and business accounts.”
She further stated that passwords play a major role in such breaches and cyber attacks.
“Weak passwords, default passwords, password reuse, passwords stored incorrectly on disk, or transmitted in the clear on the network are all various flavors of the “Password Misuse Risk” attack vector and according to the Verizon Data Breach Report from 2017, more than 80% of breaches involve password issues at some stage of the breach.”
Fighting Breaches And Credential Thefts
Data breaches not only pose a risk of credential stuffing but also put sensitive personal and financial details at risk. Therefore, users must employ best practices to maintain online security. Businesses and enterprises, however, are equally responsible for maintaining adequate online security. They have to protect not only their own databases but also their employees and customers.
According to Jacob Serpa,
“Leaked credentials leave individuals vulnerable to account hijacking across all services where they recycle their usernames and passwords. Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless behavior. As such, organizations must simultaneously defend their data against leakage and authenticate their users to ensure that they are who they say they are. Fortunately, security technologies like data loss prevention (DLP), multi-factor authentication (MFA), user and entity behavior analytics (UEBA), and encryption of data at rest can help ensure that enterprise data is truly safe.”
Ruchika Mishra also shared her thoughts on enterprise security.
“To best combat the chances of further breaches, organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches.”
Troy Hunt has uploaded this entire database of breached email addresses and passwords to his website. You may wish to check your own email addresses and passwords for possible pwnage there.
This isn’t the first time that MEGA has made the news for a cybersecurity threat. Earlier, hackers targeted the MEGA Chrome extension, affecting 1.6 million users.