Recently, the cybersecurity community has been buzzing with talk about the Mother of All Breaches (referred to as the MOAB), an enormous compilation of leaked credentials. This compilation, numbering around 26 billion records, contains data from a number of historic breaches, including LinkedIn, X, Tencent, Weibo, and more. The original story posted by CyberNews contains more details, but is this something you should really be concerned about? Let’s take a look at the bigger picture.
There will be a lot of commentary and buzz around the big names in the leak, but the truth of the matter is that this should really be considered the “Mother of All Database Joins” rather than one massive new leak. While there is very likely new data in the leak, given the scope of the content, a tremendous amount of the data is simply old leak data combined into one massive compilation. While you shouldn’t dismiss this breach out of hand, there is a reasonable way to approach the question of what to do about it.
It’s important to understand that threat actors use data leaked in compromises to perform credential stuffing attacks: attacks in which username and password combinations exposed by Site A are tested against other websites to see whether they are valid there too. These attacks rely on the assumption that people use the same password for multiple websites, which is common. Credential stuffing attacks are often very effective and can lead to serious additional compromises. Even more than direct attacks on a person, compilations of compromised credentials give attackers a large resource to pull from when conducting credential stuffing attacks against a wide swath of targets.
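From the defender’s side, the pattern described above is visible in authentication logs: one source trying many different usernames, each once or twice, with almost every attempt failing. The following is an added example, not code from the original post or its author; it assumes a constructed single-line log format (`<ISO timestamp> ip=<addr> user=<name> result=<ok|fail>`) and constructed sample lines, and flags source IPs that fit the credential stuffing profile within a fixed time window, listing any accounts the source actually got into.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Assumed log format (constructed for this example):
    <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
Credential stuffing looks like one source trying many *distinct* usernames
with a very high failure rate; successes inside such a burst are the accounts
that need attention first.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

# Constructed sample log lines (not real traffic). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2024-01-23T10:00:01 ip=203.0.113.7 user=alice result=fail
2024-01-23T10:00:02 ip=203.0.113.7 user=bob result=fail
2024-01-23T10:00:02 ip=203.0.113.7 user=carol result=fail
2024-01-23T10:00:03 ip=203.0.113.7 user=dave result=ok
2024-01-23T10:00:03 ip=203.0.113.7 user=erin result=fail
2024-01-23T10:00:04 ip=203.0.113.7 user=frank result=fail
2024-01-23T10:00:04 ip=203.0.113.7 user=grace result=fail
2024-01-23T10:00:05 ip=203.0.113.7 user=heidi result=fail
2024-01-23T10:00:05 ip=203.0.113.7 user=ivan result=fail
2024-01-23T10:00:06 ip=203.0.113.7 user=judy result=fail
2024-01-23T10:01:00 ip=198.51.100.9 user=alice result=fail
2024-01-23T10:01:20 ip=198.51.100.9 user=alice result=fail
2024-01-23T10:01:45 ip=198.51.100.9 user=alice result=ok
"""


@dataclass
class Alert:
    ip: str
    window_start: datetime
    attempts: int
    distinct_users: int
    fail_rate: float
    successes: list = field(default_factory=list)  # accounts the source logged into


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=8, min_fail_rate=0.8):
    """Group events by (source IP, fixed time window) and flag stuffing-like buckets.

    A bucket is flagged when it contains at least `min_users` distinct usernames
    and at least `min_fail_rate` of the attempts failed. A single user failing a
    few times and then succeeding (a typo) does not trip the distinct-user bar.
    """
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip, user, ok = ev
        slot = int(ts.timestamp() // window.total_seconds())
        buckets[(ip, slot)].append((ts, user, ok))

    alerts = []
    for (ip, _slot), events in sorted(buckets.items()):
        users = {u for _, u, _ in events}
        fails = sum(1 for _, _, ok in events if not ok)
        fail_rate = fails / len(events)
        if len(users) >= min_users and fail_rate >= min_fail_rate:
            alerts.append(Alert(
                ip=ip,
                window_start=min(t for t, _, _ in events),
                attempts=len(events),
                distinct_users=len(users),
                fail_rate=fail_rate,
                successes=sorted(u for _, u, ok in events if ok),
            ))
    return alerts


if __name__ == "__main__":
    for a in detect_stuffing(SAMPLE_LOG):
        print(f"{a.ip}: {a.attempts} attempts, {a.distinct_users} users, "
              f"{a.fail_rate:.0%} failed; accounts to reset: {a.successes}")
```

The thresholds are deliberately parameters: in a real environment the distinct-user count and failure rate should be tuned against baseline traffic, and the `successes` list is the actionable output, since those are the accounts whose reused passwords appeared in a leak.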
In terms of how you should respond to news stories like the MOAB, these tips can help protect against attacks using data from these leaks.
- Enable multifactor authentication (MFA) wherever you can. As exemplified by the compromise of Microsoft by Russia-aligned actors, even state-sponsored threats use credential stuffing. Using MFA to protect accounts (not just critical accounts, but all accounts) can help slow down and even prevent basic attacks like credential stuffing.
- Use unique passwords to protect accounts. Password managers make this very easy. By using unique passwords to protect accounts, you will lessen the impact when an account’s credentials get leaked, as that password will only be valid for that account. Credential stuffing attacks rely on people re-using passwords, so by limiting the usefulness of the password, you can reduce the efficacy of attacks on other accounts.
- Use physical security keys, if available. By using a physical security key, you can nearly eliminate the chance for an account takeover.
- Understand your presence on the dark web. While the dark web is not as intimidating as it seems, data leaks are often sold and re-sold there, and threat actors use them as a primary resource for conducting credential stuffing attacks. By understanding what data has been leaked on the dark web, you can learn which accounts have been compromised and secure them before you become a victim.
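One practical way to act on the last two points (unique passwords, and knowing whether your credentials are in a compilation) is to check a password against a breach corpus without ever sending the password itself. The block below is an added example, not code from the original post or its author. It mirrors the range-query (k-anonymity) approach used by services such as Have I Been Pwned’s Pwned Passwords, where the client sends only the first five hex characters of the password’s SHA-1 hash and compares the returned suffixes locally, but it runs entirely offline against a constructed stand-in corpus, so no real leak data or network access is involved.

```python
"""Offline k-anonymity style breach check (added example).

The "server" side holds an index keyed by the first 5 hex characters of the
SHA-1 hash. The "client" side sends only that prefix and matches the remaining
35 characters locally, so the full hash (and the password) never leaves it.
"""
from collections import defaultdict
import hashlib

# Constructed stand-in for a breach compilation (password -> times seen).
# These are placeholder values, not data from any real leak.
BREACH_CORPUS = {
    "password123": 4,
    "letmein": 2,
    "correct horse battery staple": 1,
}


def sha1_hex(text: str) -> str:
    """Upper-case hex SHA-1, the digest form the range-query scheme is built on."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: map 5-char hash prefix -> {35-char suffix: count}."""
    index = defaultdict(dict)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:5]][digest[5:]] = count
    return index


def range_query(index, prefix: str):
    """Server side: given only a prefix, return every suffix under it."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(index.get(prefix.upper(), {}))


def exposure_count(index, password: str) -> int:
    """Client side: how many times the password appears in the corpus.

    Only `prefix` is sent to range_query; the suffix comparison is local.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(index, prefix).get(suffix, 0)


if __name__ == "__main__":
    idx = build_range_index(BREACH_CORPUS)
    for candidate in ("password123", "a-long-unique-passphrase-for-one-site"):
        n = exposure_count(idx, candidate)
        verdict = f"seen {n} time(s) in the corpus" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
```

The design point is the split: the server learns a 5-character prefix shared by many unrelated passwords, which is not enough to recover the one being checked, while the client still gets a definitive answer. A password manager that reports a password as exposed is doing essentially this lookup.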
It’s important to remember that you will have credentials leaked at some point – it is just the nature of having even a small online presence. By taking a proactive approach to protecting yourself, you can reduce the impact of data leaks like the MOAB.
Written By:
Nick Hyatt
Director of Threat Intelligence
Nick Hyatt has extensive expertise in technology, support, and information security, with experience spanning small businesses to Fortune 500 companies across various industries. He has a deep understanding and practical experience in incident response, threat intelligence, digital forensics, and malware analysis. His hands-on skills encompass malware forensics, data mapping, threat hunting, and e-discovery in diverse environments.
Connect with Nick on LinkedIn.