
Reports of a potential mother lode of passwords floating around the Web is a timely reminder we need to leave them behind, says Jason Walsh
Security researchers have spoken out about what they call “one of the largest data breaches in history”, comprising some 16 billion login credentials apparently collected by ‘infostealer’ malware.
According to a report published by Cybernews, researchers have discovered 30 datasets, each containing up to 3.5 billion login records ranging from social media accounts to virtual private networks (VPNs) and government services.
“This is not just a leak – it’s a blueprint for mass exploitation,” the researchers told Cybernews.
Terrifying stuff.
Terrifying stuff, if accurate, because the exposure of more than 16 billion login credentials gives malicious actors an extraordinary opportunity to wreak havoc.
Curiously, however, there is a distinct lack of authoritative reporting on the breach, and much of the reporting that I have been able to read is clearly written by non-expert journalists working the online news hamster wheel shift (this is not an insult; I myself have had the misfortune to work such jobs, including at major media organisations).
Reports published by the online arms of UK tabloids are effectively rewrites of the original Cybernews report, while another in The Independent asks “16 billion passwords from Apple, Facebook, Google and more leaked. Why has no one heard of it?” – and then completely fails to answer the question.
Meanwhile, a report published by BleepingComputer claims that there was no breach per se, and that what was uncovered “appears to be a compilation of previously leaked credentials”:
“To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials. Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cyber security firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.”
This is actually the most reasonable explanation I have read so far – and it also raises uncomfortable questions about how quickly unverified claims can dominate the news cycle when they sound sufficiently alarming.
What can you do?
What can be said for certain, though, is that cyber crime is out of control. Users have, naturally enough, been asking what they can do in the face of this and other reports of breaches.
The first thing is to get your passwords in order, ensuring you use a different password for every service and, consequently, a password manager to keep track of these passwords and enter them for you.
This alone is not quite enough, though: a device compromised by infostealer malware will simply leak the new passwords just as it leaked the old ones. Important services should therefore also be protected by multi-factor authentication (MFA), using an authenticator app such as Microsoft Authenticator or Google Authenticator.
Online banking and other financial services, meanwhile, should already offer their own MFA – preferably not using SMS, as text messages are inherently insecure.
It really is time to say goodbye to passwords altogether, though, and transition to passkeys – cryptographic credentials that are stored securely on your device and can’t be phished, stolen in data breaches, or reused across sites.
Additionally – and, frankly, this is my preferred option – we could tell businesses and government agencies that we are sick, sore and tired of breaches, and of sticking plaster remedies, and that we would quite like to see so-called ‘digital transformation’ halted and replaced with in-person services staffed by actual humans.
The relentless push toward digital-first services results in security trade-offs: every online account is a potential breach waiting to happen, and returning to in-person services for sensitive transactions would eliminate much of this risk entirely. It’s a radical suggestion, perhaps, but one worth considering given the scale of the problem.