The MEGA Breach Lottery Jackpot: 773 Million Records


Each new breach report reads like a lottery jackpot announcement, with the total exceeding the last one; but here the only winners are the bad actors who get access to a stash of some 773 million records.

A compilation of 772,904,991 unique email addresses and more than 21 million unique passwords, collected from over 2,000 leaked databases, was recently revealed by Troy Hunt, the security researcher who maintains HaveIBeenPwned. The records were warehoused on a popular cloud storage site, MEGA, until taken down, and then on a public hacking site. The information was not even offered for sale; it was available for anyone to take.

“Many people will land on this page after learning that their email address has appeared in a data breach I’ve called ‘Collection #1.’ Most of them won’t have a tech background or be familiar with the concept of credential stuffing so I’m going to write this post for the masses and link out more detailed material for those who want to go deeper,” Hunt wrote in his blog.

Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows. “It’s made up of many different individual data breaches from literally thousands of different sources,” Hunt added. In total, 1,160,253,228 unique combinations of email addresses and passwords were exposed. The unique email addresses totaled 772,904,991. There are 21,222,975 unique passwords. The collection total included over 12,000 separate files and more than 87 GB of data.

Bill Evans, vice president at One Identity warned, “If you were on the fence as to whether *your* account has been part of any breach, you now have your answer. Yes, it has.”

Carl Wright, chief compliance officer, AttackIQ, put the collection in perspective. “In terms of volume, this leak is second only to Yahoo’s 2013 data breach that compromised 3 billion accounts.” Wright added, “This immense exposure of unique combinations of email addresses and passwords can unfortunately be used by threat actors for the purposes of credential stuffing, which is the automated injection of compromised username and password combinations to gain unauthorized access to user accounts. And since so many individuals use the same passwords for numerous accounts, this approach is quite often successful.”
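As an added example, not from the article or any vendor quoted in it: a minimal detector for the credential-stuffing pattern Wright describes (one attempt each against many distinct accounts, mostly failing), run over constructed auth log lines. The log format, IP addresses, account names and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from the article). The first source
# sprays one attempt per distinct account; the second is a normal user who
# mistypes their own password once and then logs in.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2019-01-17T10:00:02Z ip=203.0.113.5 user=carol@example.com result=FAIL
2019-01-17T10:00:03Z ip=203.0.113.5 user=dave@example.com result=OK
2019-01-17T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2019-01-17T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2019-01-17T10:00:10Z ip=198.51.100.7 user=alice@example.com result=FAIL
2019-01-17T10:00:15Z ip=198.51.100.7 user=alice@example.com result=OK
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(OK|FAIL)")

def summarize(log_text):
    """Per source IP: total attempts, failed attempts, distinct accounts tried."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, user, result = m.groups()
        stats[ip]["attempts"] += 1
        if result == "FAIL":
            stats[ip]["fails"] += 1
        stats[ip]["users"].add(user)
    return stats

def flag_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.8):
    """Flag IPs that hit many distinct accounts with mostly failed logins.
    A brute force against one account does not match: it has one user.
    Thresholds are assumptions for the sample; tune them to real traffic."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"users": len(s["users"]), "fail_ratio": round(ratio, 2)}
    return flagged

def successes_from_flagged(log_text):
    """Accounts that logged in successfully from a flagged source: the likely
    password-reuse victims to force a reset or step-up authentication on."""
    flagged = flag_credential_stuffing(log_text)
    return {m.group(2) for m in map(LINE_RE.search, log_text.splitlines())
            if m and m.group(1) in flagged and m.group(3) == "OK"}
```

The successful login from the flagged source is the record worth acting on, since it is the account whose reused password was in the dump.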

Ruchika Mishra, director of products and solutions, Balbix, said, “In terms of scale, this enormous trove of email addresses and unique passwords is monumental. Hackers could have accessed this data at any point while it was stored on MEGA, or the following hacking forum where it lived after MEGA took it down.”

Mishra added that this information could be used for credential stuffing attacks, which can harm businesses and individual users alike. “Most enterprises today do not have the foresight and visibility into the hundreds of attack vectors that could be exploited, such as employees using credentials across personal and business accounts.” Mishra also maintained that weak passwords, default passwords, password reuse, passwords stored incorrectly on disk, or passwords transmitted in the clear on the network are all flavors of the “Password Misuse Risk” attack vector, and that according to the Verizon Data Breach Report from 2017, more than 80% of breaches involve password issues at some stage of the breach.

“To best combat the chances of further breaches, organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches,” Mishra suggested.

Jacob Serpa, product marketing manager, Bitglass, noted, “When individuals create user accounts on websites, they should be able to trust that their personal information will be kept safe – obviously, having this data fall into the wrong hands can be incredibly dangerous for those who are affected.” Serpa also noted this cache was aggregated from more than 2,000 hacked databases. “This means that the organizations that were originally responsible for this information failed in their responsibility to secure it.”

Serpa explained that leaked credentials leave individuals vulnerable to account hijacking across all services where they recycle their usernames and passwords. “Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless behavior. As such, organizations must simultaneously defend their data against leakage and authenticate their users to ensure that they are who they say they are.” Serpa said security technologies like data loss prevention, multi-factor authentication, user and entity behavior analytics, and encryption of data at rest can help ensure that enterprise data is truly safe.

Wright pointed out that individuals who want to reduce the chances of any of their accounts being compromised can take a few steps. First, never reuse passwords; instead, use a password manager to keep track of a different password for each account. Additionally, enable app-based two-factor authentication whenever possible. “For organizations, it is always far more efficient to continuously validate your current security measures rather than recovering from a breach of company or user data. Cybercriminals can wreak as much havoc easier than ever, especially since the attack surface is larger today than it has ever been.”

Evans listed the four basics of mitigating the risk of such a breach, which are roughly the same for organizations as they are for individuals:

  1. Use multi-factor authentication. For individuals, if your financial institution offers it, enable it. If your financial institution does not offer it, change financial institutions. “For enterprises, you should enable it for all users. You must enable it for your superuser accounts/privileged accounts.”
  2. Education. “In order to protect your individual assets, you must stay abreast of your cybersecurity options. Enterprises must educate their users of the importance of cybersecurity. While not the most glamorous or exciting of activities, it has to be done, just like cutting the lawn or paying your bills.”
  3. Privileged access management. Largely for enterprises, steps must be taken to protect the most valuable of assets.
  4. Governance. “Again, for enterprises, this is about ensuring the right people have the right access to the right stuff at the right time.” For end users, make sure to use different passwords for each account and change them often.