By Roy Urrico
Finopotamus aims to highlight white papers, surveys, analyses and reports that provide a glimpse as to what is taking place and/or impacting credit unions and other organizations in the financial services industry.
A pair of recent reports focused on data breaches from a threat and protection perspective.
Twenty-six Billion Records Exposed
Bob Dyachenko, a cybersecurity researcher and owner at SecurityDiscovery.com, together with Cybernews, reported on the discovery of a massive data exposure – called the “Mother of all Breaches” (MOAB) – comprising 12 terabytes of information, covering over 26 billion records. The detection includes billions of unprotected records from thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases.
MOAB, as reported in Cybernews, contains over 3,800 folders, with each corresponding to a separate data breach. “While this doesn’t mean that the difference between the two automatically translates to previously unpublished data, billions of new records point to a very high probability, the MOAB contains never seen before information.”
Researchers believe that the owner of the MOAB has a vested interest in storing large amounts of data and, therefore, could be a malicious actor, data broker, or some service that works with large amounts of data. “The dataset is extremely dangerous as threat actors could leverage the aggregated data for a wide range of attacks, including identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts,” the researchers said.
The researchers also noted the leaked data contains far more information than just credentials – most of the exposed data is sensitive and, therefore, valuable for malicious actors. They revealed that the largest number of records, 1.4 billion, comes from Tencent QQ, a Chinese instant messaging app.
However, there are also supposedly records from Weibo (504 million), a Chinese microblogging website; Myspace (360 million); Twitter/X (281 million); Deezer (258 million), a French music streaming service; LinkedIn (251 million); AdultFriendFinder (220 million); Adobe (153 million); Canva (143 million), an online graphic design app; VK (101 million), a Russian online social media service; Dailymotion (86 million), a French video-sharing technology platform; Dropbox (69 million); Telegram (41 million); and many other organizations. The leak also includes records of various government organizations in the U.S., Brazil, Germany, the Philippines, Turkey, and other countries.
According to the researchers, the consumer impact of MOAB could be unprecedented. “Since many people reuse usernames and passwords, malicious actors could embark on a tsunami of credential-stuffing attacks. If users use the same passwords for their Netflix account as they do for their Gmail account, attackers can use this to pivot towards other, more sensitive accounts.”
This can be especially dangerous for those who use the same password across different accounts. “If a hacker knows an email and password combination on Netflix, for example, they might logically start with that combination in an attempt to gain access to more sensitive data, such as getting access to e-mail and banking accounts,” cautioned the researchers.
Jim Van Dyke, senior principal and head of innovation at Chicago-based information and insights company TransUnion, who has served as an expert witness in some of the nation’s largest data breach litigation cases, weighed in on MOAB.
Van Dyke told Finopotamus: “The MOAB breach, when considered by its sheer size, makes alarming news for consumers. While it is never good for consumers’ personal information to be exposed, it is important to note that the information in this leak appears to have been compiled from previously breached information. While there may still be more to come, if an individual took action after first being made aware they were impacted by a data breach, they can have peace of mind that they have already taken the most important steps to protect themselves.”
Van Dyke added that this emerging situation underscores the importance of providing consumers with good information when a breach occurs. This includes timely notification, an understanding of the information exposed, and the most beneficial protective actions.
“Given that MOAB broadly heightens the risk environment, consumers would be wise to maximize safety tools from their primary financial providers, monitor their personal information, remain vigilant over credit and financial accounts, and be wary of the potential for phishing or social engineering scams,” Van Dyke said.
Survey: Most U.S. Adults Understand Data Compromise Risks, Few Take Protective Steps
Americans largely understand the risks of using the internet – identity theft, spam, phishing, loss of personal or financial information, and more. Yet a relatively small percentage are taking steps recommended by experts to protect their data, such as using password managers to set strong passwords or pursuing credit monitoring after a breach. Those are some of the findings from U.S. News & World Report's 360 Reviews’ consumer research on digital privacy matters in the U.S.
U.S. News surveyed 1,200 U.S. adults on ways they attempt to keep their personal data safe, their personal experiences with data breaches, their fears related to cyberattacks and more.
“360 Reviews’ latest digital privacy research indicates that while a majority of U.S. adults have been victims of data breaches, most (80%) still say they would be able to recognize a phishing email and many (42%) don’t believe they have ever clicked a link in a phishing email,” said Jeff Kinney, senior technology editor, 360 Reviews. “This suggests most Americans could still greatly benefit from data privacy best practices.”
Additional survey highlights include:
Sixty-one percent of respondents received a personally identifiable information (PII) compromise notification, with 44% seeing multiple compromise notifications.
Sixty-five percent of surveyed U.S. adults worry about cyberattacks in 2024.
Thirty-seven percent of respondents said they received notification of a personal data breach/compromise at least once in 2023.
Eighty percent feel confident that they would be able to recognize a phishing email, with 33% feeling very confident; 20% do not feel confident that they would recognize a phishing email.
Thirty-five percent of those surveyed said they have accidentally clicked on a link in a phishing email, while 42% do not believe they have.
More than one in three (37%) U.S. adults received notification of compromised personal data at least once in 2023. Among those who reported their compromised personal data, 41% signed up for the free credit monitoring services offered.
Nearly half (48%) feel confident that a subscription password manager app can keep their personal data safe.
More than half (55%) believe it is possible to avoid being a victim of a data breach.