ALL Apple, Facebook and Google users are being told to change their passwords right now – after a colossal leak exposed as many as 16 billion logins.
It’s being called one of the largest data breaches in history, giving hackers “unprecedented access” to your personal info and online accounts, experts warn.
5
5
5
Worryingly, this isn’t just old info that’s been repackaged, but is “recent” data belonging to unsuspecting victims, according to CyberNews.
The shocking invasion of privacy has been branded a “blueprint for mass exploitation”.
Logins for Instagram, Microsoft, Netflix, PayPal, Roblox, Discord, Telegram, GitHub and various government services in more than 29 countries, including the UK and US, have also been affected.
Crooks can use this deeply private info to carry out bank-raiding scams, fraud, spam attacks and more.
Security pros at CyberNews uncovered the trove of 16 billion datasets with vague names like ‘logins’ or ‘credentials,’ making it hard for the team to work out exactly what info they contained.
THE REAL STEAL
There’s no suggestion that any of these apps were breached or hacked themselves, however.
The records were most likely pulled together by cyber crooks using “infostealer” malware.
That’s a sinister type of computer program that breaches computer systems to steal your login details, financial details, and other personal info.
It can infect devices belonging to regular users, scooping up their info. Maybe you clicked a suspicious link or downloaded a dodgy app – and then an infostealer ran riot on your system, silently collecting hundreds of log-ins.
And this info can then be dumped into a massive database that is valuable to cybercriminals.
CASH ME IF YOU CAN
Cybercriminals often pay big sums of money for a haul like this, as it allows them to target large numbers of victims quickly.
But it’s also possible that the data was scooped up by “white hat” hackers – ethical computer whizzes trying to hunt down security problems.
A staggering number of individuals likely had at least some of their accounts compromised, which means they are now more vulnerable to cyber attacks.
Cybercriminals now have “unprecedented access” to personal credentials and could exploit them for account takeovers, identity theft and targeted phishing attacks, the report by CyberNews wrote.
5
“This is not just a leak – it’s a blueprint for mass exploitation,” researchers said in their report.
“With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.
“What’s especially concerning is the structure and recency of these datasets – these aren’t just old breaches being recycled.
“This is fresh, weaponisable intelligence at scale.”
DON’T PANIC – BUT ACT FAST
Here’s advice from The Sun’s tech editor Sean Keach…
This is a massive breach of privacy – it’s not the first, and it won’t be the last.
There’s no surefire way for you to avoid being caught up in an attack like this, and you can’t take back the info now it’s out there.
But what you can do is safeguard yourself against sinister crooks using this info against you.
Step 1
The main fear here is that criminals have bagged a load of passwords.
That’s why you need to switch on two-factor authentication on every account that you have.
Normally that’s a login code that is sent to you via SMS text.
They prevent crooks from logging into your account even if they know your password.
Step 2
Even better, don’t bother with SMS and use a proper authenticator – like the Google Authenticator, a free app that you can download right now.
This generates the same kind of log-in code, but it’s safer than SMS, which is an old and more easily-hacked system.
Step 3
Also, make absolutely sure that you’re not re-using passwords anywhere.
If crooks have one password and you’ve re-used it, they now have access to several of your accounts.
Use a password manager like your iPhone’s iCloud Keychain or the Google Password Manager.
They will generate strong and unique passwords for all of your accounts – and then remember them so you don’t have to.
Picture Credit: Sean Keach
URGENT ACTION
Within the widescale data breach, Cybernews noted that its researchers identified a database of 184million records that were previously uncovered by security researcher, Jeremiah Fowler, in May.
A sample of 10,000 stolen accounts showed 220 email addresses with .gov domains, linking them to dozens of countries such as the UK, US, Australia, Canada, China, India, Israel and Saudi Arabia, according to Fowler.
In total, Fowler discovered 47 gigabytes of data with sensitive information for accounts across various social media, gaming and streaming sites.
“The inclusion of both old and recent infostealer logs – often with tokens, cookies, and metadata – makes this data particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices,” the team said.
It is unclear who owns the leaked data.
Change your passwords, enable 2FA, if it is not yet enabled, and closely monitor your accounts
Aras Nazarovas
While it could be security researchers that compile data to monitor leaks, CyberNews warned that it is “virtually guaranteed” that some of the logins were owned by cybercriminals.
According to CyberNews researcher Aras Nazarovas, web users should change their passwords and enable two-factor authentication (2FA) on all their accounts.
“Some of the exposed datasets included information such as cookies and session tokens, which makes the mitigation of such exposure more difficult,” he said.
“These cookies can often be used to bypass 2FA methods, and not all services reset these cookies after changing the account password.
“Best bet in this case is to change your passwords, enable 2FA, if it is not yet enabled, closely monitor your accounts, and contact customer support if suspicious activity is detected.”
Cookies and session tokens give crooks the ability to use your account as if they were already logged in.
That’s because they’re skipping the log-in stage, tricking apps and websites into thinking they’d logged in already with an active session.
That is why experts are warning users to change their passwords and monitor their accounts, as this can lock out crooks trying to use this trick.
KEY TO ENTRY
Niall McConachie, UK director of web security firm Yubico, said the data breach shows “passwords are just not good enough” anymore.
Instead, people should use passkeys – a passwordless login method which is supposed to be more secure.
WHAT ARE PASSKEYS?
Passkeys are the newer, safer passwords, according to tech companies and security experts.
They allow you to log into your accounts using biometrics like your fingerprint or face scan.
You can even use your phone’s passcode.
To sign into a website or app on your phone, all you need to do is unlock your phone.
This also works for websites on PCs and laptops.
If you’re trying to sign into a website on your computer, you just need your phone nearby.
You will be prompted to unlock your phone when trying to log into an account on your computer, which will then grant you access on the PC.
By using unique credentials tied to your phone or other devices, you make your accounts more resistant to phishing and other password-based attacks.
Facebook just recently adopted passkeys as a safer alternative to passwords, but companies like Google and Apple have had them for a while.
“By continuing to rely on passwords, huge data breaches like this will persist – and they’ll only get worse,” added McConachie.
“Device-bound passkey options… manage logins across all users’ platforms and devices and offer the highest level of security.
“They are resistant to phishing attempts and can’t be intercepted or stolen by remote attackers, meaning only the key holder can gain access to their accounts.”
5
How to spot a dodgy app
Detecting a malicious app before you hit the ‘Download’ button is easy when you know the signs.
Follow this eight-point checklist when you’re downloading an app you’re unsure about:
- Check the reviews – be wary of both complaints and uniformly positive reviews by fake accounts.
- Look out for grammar mistakes – legitimate app developers won’t have typos or errors in their app descriptions.
- Check the number of downloads – avoid apps with only several thousand downloads, as it could be fake.
- Research the developer – do they have a good reputation? Or, are totally fake?
- Check the release date – a recent release date paired with a high number of downloads is usually bad news.
- Review the permission agreement – this agreement gives permission for the app to take bits of your data, and fake apps often ask for additional data that is not necessary.
- Check the update frequency – an app that is updated too frequently is usually indicative of security vulnerabilities.
- Check the icon – look closely, and don’t be deceived by distorted, lower-quality versions the icons from legitimate apps.
All of this information will available in both Apple’s App Store and the Google Play Store.
