The Mother of All Data Breaches: Why It’s Worse Than All the Others

It seems like every other day there’s news of another data breach. It’s so common that we’ve become largely desensitized to it; after all, this has been going on for years, and despite a lot of handwringing, nothing bad really seems to happen to most people. However, this breach, which has already been called “the mother of all data breaches,” promises to bring a lot of heartache and trouble to impacted people, and there are a LOT of them.

Old News

To understand why, we need to look at exactly what this is, and it might be shocking to find out that nothing in this breach is, in fact, new. Some enterprising data scientist-turned-hacker collected as much information as they could from all the previous public data breaches and combined it into one mega-breach database, consisting of over 26 BILLION records. It includes breaches from companies like LinkedIn, Twitter, Weibo, Tencent, MySpace, Zynga, and X (you can tell from some of those names that they went back quite a long way! I bet you haven’t checked on your farm in FarmVille for a long time…). Now, the most shocking news coming from that statement might be that some of these websites still exist, but the second most shocking thing is the sheer scope of the breach. The dirty reality of cybercrime is that for all the fancy hacks you read about, like acoustic attacks where listening to the keys you type might reveal a password, or the rise of AI in cyber-attacks, the number one way a hacker gets into anything is via compromised credentials. And the way credentials get compromised is that we simply don’t take cyber security seriously enough. In one survey by LastPass, 91% of people surveyed acknowledged that re-using passwords is bad; 66% of them do it anyway. The most common password in 2024 is 123456. It’s not a huge shock that passwords remain the weakest link in the chain.

The Problem in the Patterns

Here’s what makes the mother of all breaches so bad: the ability to correlate login data. A hacker who has bought access to this massive database can pick an e-mail, any e-mail, and query every record containing that e-mail and see the associated password for each service. So, let’s say you’ve had your e-mail, llamas@gmail.com, since the days when MySpace was cool and your beloved cat, Dr. Whiskers, was just a kitten. A hacker would see something like this:

Application           E-mail            Password
X (formerly Twitter)  llamas@gmail.com  Dr.Whiskers1!
MySpace               llamas@gmail.com  Dr.Whiskers1!
Zynga                 llamas@gmail.com  Dr.Whiskers1234!
LinkedIn              llamas@gmail.com  Dr.59Whiskers1234!

You see the issue there – even though the passwords themselves aren’t inherently insecure (they’re long, alpha-numeric, and have special characters), they’re re-used in a similar enough way to give the hackers a massive clue as to how to get into your account. Now, they have options.
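The pattern in that table is exactly what a password-manager audit should catch. The script below is an added example, not part of the original post: it checks a vault export (the (service, password) format and the sample entries are constructed) for passwords that are identical or share a stem once digits and punctuation are stripped, so “Dr.Whiskers1!” and “Dr.59Whiskers1234!” are flagged together while a random, unique password is not.

```python
# Added example: flag exact and near-duplicate passwords in your own vault export.
# The entry format (service, password) and the sample data are constructed.
import re
from difflib import SequenceMatcher
from itertools import combinations


def normalize(pw: str) -> str:
    """Strip digits/punctuation so 'Dr.Whiskers1!' and 'Dr.Whiskers1234!' share a stem."""
    return re.sub(r"[^a-z]", "", pw.lower())


def similarity(a: str, b: str) -> float:
    """difflib ratio in [0, 1]; 1.0 means the two strings are identical."""
    return SequenceMatcher(None, a, b).ratio()


def audit_vault(entries, threshold: float = 0.75):
    """Return (service_a, service_b, reason) for every pair of entries whose
    passwords are identical, share a normalized stem, or are highly similar."""
    findings = []
    for (svc_a, pw_a), (svc_b, pw_b) in combinations(entries, 2):
        if pw_a == pw_b:
            findings.append((svc_a, svc_b, "identical"))
        elif normalize(pw_a) == normalize(pw_b) or similarity(pw_a, pw_b) >= threshold:
            findings.append((svc_a, svc_b, "similar"))
    return findings


# Constructed sample vault mirroring the table in the post, plus one unique password.
SAMPLE_VAULT = [
    ("X", "Dr.Whiskers1!"),
    ("MySpace", "Dr.Whiskers1!"),
    ("Zynga", "Dr.Whiskers1234!"),
    ("LinkedIn", "Dr.59Whiskers1234!"),
    ("Bank", "q7#Lm2vR!9zTp0wX"),  # random and unique: must not be flagged
]

if __name__ == "__main__":
    for svc_a, svc_b, reason in audit_vault(SAMPLE_VAULT):
        print(f"{svc_a} / {svc_b}: {reason}")
```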

Credential Stuffing

23andMe drew some fire when they blamed their recent hack on users re-using passwords, but they weren’t wrong – it was a simple credential stuffing attack, in which hackers try previously leaked username/password combinations until one works. Users who had opted to share their information via the DNA Relatives feature opened the door for other accounts’ information to be exposed as well.
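Credential stuffing has a recognizable shape in authentication logs: one source tries many different usernames and fails most of the time, which is the opposite of a legitimate user mistyping their own password. The detector below is an added example, not the original post’s or 23andMe’s code; the log format, thresholds and sample lines are constructed assumptions, and it also reports which accounts the source did log into, since those are the ones to reset first.

```python
# Added example: detect credential stuffing in constructed auth logs.
# Log format, thresholds and sample lines are assumptions, not from any real system.
from collections import defaultdict

# Constructed sample: one source sprays many usernames; one user retries their own login.
SAMPLE_LOG = """\
2024-01-22T10:00:01 ip=203.0.113.7 user=alice result=FAIL
2024-01-22T10:00:02 ip=203.0.113.7 user=bob result=FAIL
2024-01-22T10:00:02 ip=203.0.113.7 user=carol result=FAIL
2024-01-22T10:00:03 ip=203.0.113.7 user=dave result=SUCCESS
2024-01-22T10:00:03 ip=203.0.113.7 user=erin result=FAIL
2024-01-22T10:00:04 ip=203.0.113.7 user=frank result=FAIL
2024-01-22T10:05:00 ip=198.51.100.4 user=alice result=FAIL
2024-01-22T10:05:09 ip=198.51.100.4 user=alice result=FAIL
2024-01-22T10:05:20 ip=198.51.100.4 user=alice result=SUCCESS
"""


def parse(log_text: str):
    """Turn 'timestamp key=value ...' lines into (ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        events.append((fields["ip"], fields["user"], fields["result"]))
    return events


def detect_stuffing(events, min_users: int = 5, min_fail_ratio: float = 0.6):
    """Return {ip: (distinct_users, attempts, fail_ratio, users_logged_in)} for sources
    that tried many distinct usernames with a high failure rate. A single user
    retrying their own password (198.51.100.4 above) stays below min_users."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for ip, user, result in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if result == "FAIL":
            stats["fails"] += 1
        else:
            stats["hits"].add(user)  # successful logins from a suspicious source
    alerts = {}
    for ip, stats in per_ip.items():
        ratio = stats["fails"] / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio >= min_fail_ratio:
            alerts[ip] = (len(stats["users"]), stats["attempts"], round(ratio, 2), sorted(stats["hits"]))
    return alerts


if __name__ == "__main__":
    for ip, (users, attempts, ratio, hits) in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {users} users, {attempts} attempts, fail ratio {ratio}, logged in as {hits}")
```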

Attacker in the Middle

The second option employed by the hackers is far more concerning because of how difficult it is to detect. Commonly known as Attacker in the Middle, or AiTM, this involves setting up a fake site that resembles a legitimate bank. The attacker then sends out a targeted phishing e-mail campaign with the goal of getting you to enter your credentials on the fake site, and intercepts the one-time passcode you get from your bank. Last year, researchers at Microsoft uncovered a massive AiTM attack targeted at financial institutions; and of course, it all started with a phishing campaign designed to get credentials.

So, What Can We Do?

First and foremost, stop re-using your passwords. With the proliferation of password managers, having strong, unique passwords for everything is much easier. From a personal standpoint, you must make sure all your passwords are unique – especially your e-mail passwords. If someone hacks into your e-mail, they can use that to do a lot more damage (like changing the passwords on all your other accounts!). More and more companies are allowing some form of multi-factor authentication for personal services – turn that on whenever possible. And don’t ever mix work and personal functions on your devices – both Cisco and Okta were hacked via an employee’s personal Gmail account. Even though it wasn’t anything the employee did deliberately, they probably didn’t have a good day when that was discovered.

From a business standpoint, get rid of the passwords altogether and implement certificate-based authentication. It’s several orders of magnitude more secure than any other MFA/password combo, and actually provides a better user experience since the user doesn’t have to enter anything – authentication is handled when the device presents a certificate.

And one more time, louder for those in the back…STOP. REUSING. YOUR. PASSWORDS!!!!

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox

Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.
