Mainstream Media Botches Data Leak Story

The story about 16 billion new passwords leaking turned out to be less than accurate.

A news story circulating today claims that a brand new data leak has exposed 16 billion passwords, described as “record breaking”. The problem: the data isn’t actually new. It is a compilation of data sets from multiple earlier leaks and breaches.

The story was credited to CyberNews which described the “leak” as follows:

  • The largest data breach in history involves 16 billion login credentials
  • The records are scattered across 30 different databases, and some records are or might be overlapping
  • The data most likely comes from various infostealers
  • The data is recent, not merely recycled from old breaches
  • Cybercriminals now have unprecedented access to personal credentials and could exploit them for account takeovers, identity theft, and targeted phishing attacks

It’s pretty scary stuff to see appear in the news. Unsurprisingly, claims that big were picked up by outlets all over the place, since a 16 billion credential leak would be a big story.

Apple, Facebook, Google Involved In 16 Billion Password Leak – What It Could Mean (IBTimes)
16 Billion Apple, Facebook, Google And Other Passwords Leaked — Act Now (Forbes)
Massive leak of 16 billion passwords affecting Apple, Google and Facebook users. What to know (National Post)
Data breach compilation lists 16 billion compromised passwords (Axios)
16 billion login credentials have been leaked online, cybersecurity researchers say (Globe and Mail)
16 Billion Logins Stolen In One of Largest Data Breaches: What To Do Now (Newsweek)
16 billion login credentials from Google and other sites leaked online, report says (CBS)
A staggering 16 billion passwords just leaked. Here’s the real danger (PCWorld)

The common problem with all of these stories? They are all wrong. So what really happened?

One thing the security community has known for a while is that stolen credentials are often packed into one giant package and sold off as a huge trove. Those troves are the accumulated results of numerous leaks and breaches, not one giant leak. Sometimes this gets reported as a brand new leak when, in fact, it is just a repackaging of older leaked and stolen data. That is apparently what happened here, according to BleepingComputer:

News broke today about “one of the largest data breaches in history,” sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.

To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.

Instead, these stolen credentials were likely circulating for some time, if not for years. They were then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.

The only way a single 16 billion password leak could happen is if the large platforms named in these reports shared a common way of storing such information. That would be… rather surprising and unlikely. Unfortunately, many outlets simply took the “leak” report at face value and reported it as if everything in it were accurate.
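The practical question a defender faces with any dump like this is how much of it is actually new to them. The script below is an added example, not code from the article or from any of the outlets or researchers it names. It assumes the common infostealer log layout of one `url:username:password` record per line, normalises each record to host, username and password, de-duplicates the dump (the CyberNews summary itself notes overlapping records), and then measures how much of it overlaps with credentials already held from earlier leaks. The sample dump and “known corpus” are constructed here for illustration.

```python
"""Triage a credential dump against credentials already known from earlier leaks.

Added example, not from the article. All records below are constructed.
Workflow: parse -> normalise -> de-duplicate -> compare against what you
already held before calling anything "new".
"""
import hashlib
from typing import Optional, Set, Tuple

Record = Tuple[str, str, str]  # (host, username, password)

# Constructed sample dump in the url:username:password layout (assumed format).
NEW_DUMP = """\
https://accounts.example.com/login:alice@example.com:Winter2023!
https://accounts.example.com/login:alice@example.com:Winter2023!
http://mail.example.net:bob:hunter2
https://shop.example.org/signin:carol@example.org:P@ssw0rd
android://com.example.app:dave:letmein
https://accounts.example.com/login:erin@example.com:correct horse
not a credential line
"""

# Constructed set of records already collected from earlier, older leaks.
KNOWN_CORPUS = """\
https://accounts.example.com/login:alice@example.com:Winter2023!
https://mail.example.net/:bob:hunter2
https://shop.example.org/signin:carol@example.org:P@ssw0rd
"""


def parse_record(line: str) -> Optional[Record]:
    """Parse one 'url:username:password' line.

    Assumption: the URL carries a scheme, so the first ':' after '://'
    separates URL from username and the next one separates username from
    password. Anything after that stays in the password, which may itself
    contain ':'. Hosts with an explicit port are not handled and will
    mis-parse; a real tool would need to account for that.
    """
    line = line.strip()
    if "://" not in line:
        return None
    _, rest = line.split("://", 1)
    parts = rest.split(":", 2)
    if len(parts) != 3:
        return None
    location, user, password = parts
    # Credentials are scoped to a host, so drop path and query and
    # lower-case the host so http://x and https://x/ compare equal.
    host = location.split("/", 1)[0].lower()
    if not host or not user:
        return None
    return host, user, password


def fingerprint(rec: Record) -> str:
    """Stable digest of a record, so the known corpus can be kept and
    compared as hashes rather than as plaintext passwords."""
    host, user, password = rec
    return hashlib.sha256(b"\x00".join(s.encode() for s in (host, user, password))).hexdigest()


def load_corpus(text: str) -> Set[str]:
    """Fingerprints of every parseable record in a dump-style text."""
    fps = set()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            fps.add(fingerprint(rec))
    return fps


def triage(dump_text: str, known_text: str) -> dict:
    """Compare a fresh dump against previously known credentials."""
    lines = [l for l in dump_text.splitlines() if l.strip()]
    parsed = [r for r in (parse_record(l) for l in lines) if r is not None]
    dump_fps = {fingerprint(r) for r in parsed}
    known_fps = load_corpus(known_text)
    overlap = dump_fps & known_fps
    new = dump_fps - known_fps
    return {
        "lines": len(lines),
        "parsed": len(parsed),
        "unique": len(dump_fps),
        "already_known": len(overlap),
        "new": len(new),
        "percent_new": round(100 * len(new) / len(dump_fps), 1) if dump_fps else 0.0,
    }


if __name__ == "__main__":
    for key, value in triage(NEW_DUMP, KNOWN_CORPUS).items():
        print(f"{key:>14}: {value}")
```

On the constructed data, seven lines reduce to five unique records, three of which were already known, so only 40% of the “new” dump is new to this corpus. Run against a real compilation and a real history of prior leaks, the same overlap figure is what separates a genuinely new breach from a repackaging of old data.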

To be fair, the security of people’s personal information has long been a notoriously bad problem, with companies hiding hacks and leaks while individuals compromise themselves somewhere along the line through poor security practices. That is what makes it possible to stockpile 16 billion passwords in the first place. It’s a major problem and a huge source of evidence for why privacy reform is necessary.

Still, that doesn’t change the fact that this isn’t a new leak of some kind. As a result, this is just another botched story by major media outlets.

Drew Wilson on Mastodon, Twitter and Facebook.
