Blog, Events & News

The Largest Data Breach in History Exposes 773 Million Records

By Netacea / 23rd Jan 2019

The Largest Data Breach of all time comprising of 773 Million records

Organisations should prepare for a rise in credential stuffing and account takeover attacks

Last week thousands of people received an email from haveibeenpwned.com a free breach notification service run by security researcher Troy Hunt. The email was alerting them to the fact that an email and password combination they had previously used had been posted online as part of the “Collection #1” dataset.

Whilst a new breach appearing online may appear barely newsworthy these days, the fact this dataset contains 2,692,818,238 rows of data comprising of 1,160,253,228 unique username and password combinations certainly raises the bar. The fact that the dataset has clearly been collated from multiple sources over a number of years gives us an insight into scale the underground credential sharing market.

Even though several of the breaches in this dataset appear to be years old every breach, every posted username and password “combo” presents account takeover bots with new opportunities. Password reuse remains rife amongst end users, a survey by LastPass in 2018 found that although 91% of users claim to understand the risks of reusing passwords 59% did so anyway. This means that one organisations breach could lead to dozens of other organisations having their customers’ accounts hijacked leading to fraud, fines and financial pressures.

Many organisations will be on a state of high alert when a new mass credential breach is announced only to breathe a deep sigh of relief when they realise it is not their customer data. This relief is often short-lived as breaches present a challenge to almost any website or service that offers user accounts. There are obvious high-value targets such as bank and online shopping accounts but there are also more subtle ones such as loyalty point schemes which allow attackers to cash out.

Post-Data Breach Impact

A dataset of this scale being posted online means that there is now a frantic race between account takeover operations to take the usernames and passwords from this breach and use them to compromise accounts across thousands of other online services. There is a common misconception that only online retailers and banks are a target for account takeover attempts. With most sites holding some degree of personal information there is actually a wealth of information to be harvested. Starting with only username and password combinations an attacker may be able to quickly test these against thousands of online services to collect names, addresses, telephone numbers and dates of birth. This kind of information can then be used to commit more sophisticated fraud or access bank accounts.

To illustrate the diversity of the account takeover problem further we can look to the recently revealed flaws in the login process for the popular game Fortnite. Using a malicious link an attacker could steal a user’s authentication token and access personal data, make in-game purchases on the accounts credit card and listen in on conversations. Given the majority of the games users are children this is especially concerning.

Machine Learning Threat Detection

As we have discussed on the Evolving Threats blog, dealing with account takeover bots effectively remains a challenge for many organisations as they rely on a basic rules-based approach. When we look at the scale of the breach dataset, in this case, it is clear that there are going to be a wide variety of tools, tactics and procedures used by attackers to not only automate account takeover attempts but bypass traditional rules-based blocking. With multiple threat actors utilising sophisticated techniques the problem becomes impossible for humans and fixed rules to solve. This is why Netacea use adaptive machine learning with behavioural analysis to detect and prevent account takeover attacks that other solutions don’t even see.

If you want to learn more about our adaptive machine-learning approach and see how our approach can help protect your organisation against the next wave of account takeovers, talk to Netacea today and trial our solution to see how we defeat malicious bots on websites and mobile apps.