We're in the middle of the age of the mega leak.
Data is spilling everywhere and in batches of record size. Take last week's revelation from cybersecurity researcher Troy Hunt of a leak, dubbed Collection #1, affecting as many as 770 million people, including more than 20 million passwords in plain text. For Hunt, whose altruistic mission in recent years has been collecting and alerting the public to such data leaks, it was an unprecedented haul.
But, despite those epic numbers, consider this: there's evidence the same hackers who've been passing round that info trove have an awful lot more.
Alex Holden, who runs Hold Security, showed Forbes a post on a hacker forum where a link to a Collection #1 leak was shared (the amount of info within, 87GB, was the same as that retrieved by Hunt). Revealed in a post from January 7, it came in an advertisement from a hacker named Sanix and included another four numbered collections up to #5.
Then there are another two databases totalling nearly 130GB, taking the full amount to 993.36GB of personal information. Lifetime access to all that data was just $45 (but keep in mind there are a lot of scammers hanging around the web's underbelly — a lot of that data could be useless).
Sanix wasn't the only one who was offering what appeared to be Collection #1 through #5. Another, named Oxa, posted an ad online in November last year offering 500GB of emails and passwords for $65. Oxa then provided a link to Imgur hosting images of the five collections on the Mega storage service. The image of Collection #1 matches that posted by Hunt.
Data thief fracas
How did the data get out into the public and into Hunt's hands? It appears the seller may've annoyed a buyer.
Yet another post on a hacker forum came from a character called Azatej. Alongside an image of the Sanix advertisement, Azatej took responsibility for leaking the information. "I leaked whole of it because seller shared my infinity black combos in that storage," Azatej wrote.
Infinity Black is another site for sharing stolen data. Combos are username and password combinations. So it appears Azatej saw their stolen information being resold by Sanix and decided to take revenge.
No need to panic
Such megaleaks might appear concerning, thanks to those huge numbers, but in this case there's no reason to feel like the sky is falling. As the Azatej leak indicated, much of the information came from old breaches and there's little indication so far that data from fresh attacks made its way into the database.
Azatej and other frequenters of hacking forums were dismissive of Collection #1. "This data is kinda useless for targeted cracking, just a huge shittery for dumb cracking," Azatej wrote. Hackers on RaidForum were largely unimpressed by Collection #1 too.
Holden claimed his team had seen the same data first posted online several months ago and matched 99.2% of unique records to info that had been leaked before. "The remainder was nearly all 'bad data,' either manufactured or in bad format," he said.
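The "combos" described above are plain username:password records, and the 99.2% figure Holden cites is the kind of number an analyst gets by de-duplicating a dump and checking its unique records against an index of earlier breaches. The script below is an added example, not code from the article or from Hold Security; it parses a small constructed combo list, discards malformed "bad data" lines, de-duplicates on a normalised e-mail address, and reports what share of the unique records were already known. The sample dump and the "known" index are constructed for the example.

```python
"""Triage a leaked combo list: how much of it is actually new?

Added example (not from the article). Parses username:password "combo"
records, drops malformed lines, de-duplicates, and measures overlap with
a previously indexed corpus. All data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed sample dump in the separator styles combo lists commonly use.
NEW_DUMP = """\
alice@example.com:hunter2
bob@example.org;letmein
Alice@Example.com:hunter2
carol@example.net:correct horse
not-an-email:whatever
dave@example.com
eve@example.com:
frank@example.com:pa55w0rd
"""

# Constructed: records an analyst's index already holds from older breaches.
KNOWN_RECORDS: Set[Tuple[str, str]] = {
    ("alice@example.com", "hunter2"),
    ("bob@example.org", "letmein"),
    ("carol@example.net", "correct horse"),
}

# Deliberately loose: enough to reject obvious junk, not a full RFC check.
EMAIL_RE = re.compile(r"^[^@\s:;]+@[^@\s:;]+\.[^@\s:;]+$")


@dataclass
class TriageReport:
    total_lines: int
    malformed: int
    unique: int
    previously_seen: int

    @property
    def overlap_pct(self) -> float:
        """Share of unique records already present in the known index."""
        return 100.0 * self.previously_seen / self.unique if self.unique else 0.0


def parse_combo(line: str) -> Optional[Tuple[str, str]]:
    """Return (email, password) or None if the line is not a usable record."""
    line = line.strip()
    if not line:
        return None
    # Split on the first ':' or ';' only; passwords may themselves contain ':'.
    m = re.match(r"^([^:;]+)[:;](.*)$", line)
    if not m:
        return None
    email, password = m.group(1).strip().lower(), m.group(2)
    # Empty passwords and non-addresses are the "bad data" an analyst discards.
    if not password or not EMAIL_RE.match(email):
        return None
    return email, password


def triage(dump: str, known: Set[Tuple[str, str]]) -> TriageReport:
    """De-duplicate a dump and count records already in the known index."""
    records: Set[Tuple[str, str]] = set()
    malformed = 0
    lines = dump.splitlines()
    for line in lines:
        rec = parse_combo(line)
        if rec is None:
            malformed += 1
        else:
            records.add(rec)
    previously_seen = len(records & known)
    return TriageReport(len(lines), malformed, len(records), previously_seen)


if __name__ == "__main__":
    report = triage(NEW_DUMP, KNOWN_RECORDS)
    print(f"{report.total_lines} lines, {report.malformed} malformed, "
          f"{report.unique} unique records, "
          f"{report.previously_seen} already known ({report.overlap_pct:.1f}%)")
```

On the constructed sample the script reports 8 lines, 3 malformed, 4 unique records and 3 already known (75%). Against a real index the "known" set would be a database of hashed records rather than an in-memory set, but the triage logic is the same: normalise, de-duplicate, then measure novelty before treating a dump as a fresh threat.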
Nevertheless, the data could still be a major threat if phishing scammers get their hands on it. Blackmailers could stand to benefit too.
In recent months, a spate of phishing attacks saw extorters claiming to know individuals had been on pornography sites and sent them a previously-leaked password as ostensible proof. The swindlers then said they'd release information on the victim's porn viewing habits unless they paid up, even though the scammer never actually had any evidence of the target's online activities. As of July last year, one of the so-called sextortionists had made $250,000 in Bitcoin.
"I'm kind of amazed by how much data is out there in this set of collections and how quickly it reproduces. Given the impact on people in there, it's shocking," Hunt told Forbes.
Anyone who hasn't changed their password for any online account may also be at risk. As always, good online hygiene can help. The occasional password refresh is just one preventative measure against account theft, as is the use of a password manager to help create strong and varied credentials across sites.