News 16 billion accounts exposed in one of the largest data breaches in history — enormous data haul holds two accounts for every human alive

The article said:
Another major security event acts as a stark reminder to regularly change passwords and login credentials.
If the leak came from a browser hack, then you'd want to make sure it's patched before changing your passwords. That's why I think it's important to see if we can get more info about it. I guess there's probably no harm in changing them twice, but simply changing them might provide a false sense of security.
 
It should be a crime to not encrypt any and all data held by ANY company. CEO, head of IT/security, and anyone else making such decisions should spend lots and lots of time in jail for every breach of usable data.

there's just no excuse these days to have important/confidential data unencrypted during any storage phase.
Eh, it's such a large number and covering such a diverse range of service providers, some which take security rather seriously, that it's pretty clearly not a simple case of failing to take such basic steps in securing authentication data. That's why my thoughts immediately go towards a more fundamental exploit, like a browser hack.
 
Not quite related to passwords and such like, but stuff like this is why I never, ever save my card details or store any other financial things if I'm forced to buy something online. They almost all ask to 'make it quicker and easier in future'.

I think I'd rather take the extra minute to enter the details manually than risk some nefarious character getting hold of it just for the sake of convenience.
 
When users are requested to change their password regularly, they just add a number to the old one.
(Secure) LOL.
 
Not quite related to passwords and such like, but stuff like this is why I never, ever save my card details or store any other financial things if I'm forced to buy something online. They almost all ask to 'make it quicker and easier in future'.

I think I'd rather take the extra minute to enter the details manually than risk some nefarious character getting hold of it just for the sake of convenience.
I do the same.

But it makes no difference when their system is compromised.
 
No need for databases and encryption,
just save the passwords in a text file and use SHA-128.
(irony may occur)
 
A collection of entirely new data leak datasets has been uncovered by security researchers, exposing 16 billion new records to the public. The data was sourced from around the world, with breaches on this scale easily contributing to massive future attacks.

16 billion accounts exposed in one of the largest data breaches in history — enormous data haul holds two accounts for every human alive
At a base level set up all bank and cc accts to send a text/e-mail for all activity.
 
As with all mega security breaches, the 16B mystery leak serves as a loud reminder to practice clean internet hygiene by choosing secure passwords that are changed semi-regularly.

And it serves as a reminder to ensure you have 2FA enabled whenever possible. Heck, in 2025 it should be law that all financial institutions and any company who takes or makes payments to be required to have FIDO or authenticator app capability, given how insecure SMS 2FA is.
 
In India SMS is good enough -- why? Well, the doctrine is that SMS is unhackable. So if someone inputs your SMS OTP, "YOU (the user) must have shared the OTP", thus it's YOUR fault.
OTPs are transmitted in clear text, so you only need a packet sniffer in the vicinity of the mobile phone, so the onus is not on the user, but on the institution for using such a trivially breakable security measure. There is no doctrine in security.

Also, if you are claiming that the user shared the OTP, then I'm happy to say: fine, but you need to prove it, which you won't be able to. Otherwise it is defamation of character (you are basically saying that the user lied, which may be another can of worms).
 
more fundamental exploit, like a browser hack...
That's approaching 20 breaches per Portuguese-speaking internet user on the planet!
For sure some kind of interface, transmission or supply chain attack. It will be interesting to see how long it takes AI to source it back. With all that metadata, it should actually [edit: NOT] take that long to see if it was a browser language pack, evil phone app, a malicious chip in cell-phone towers...
What a fabulous rabbit hole!!! I am so sad that I am not equipped to work on solving the issue.
I guess, that is what conspiracy theories are for :-D
I'm sure someone is already writing the Netflix series script..
 
And it serves as a reminder to ensure you have 2FA enabled whenever possible. Heck, in 2025 it should be law that all financial institutions and any company who takes or makes payments to be required to have FIDO or authenticator app capability, given how insecure SMS 2FA is.
Passkeys. So far as we know, they haven't been man-in-the-middled yet, not even sure if it's possible.
 
This 'breach' kinda smells like the account login table for a network of bot farms.
It would be telling, if we knew more details about which sites were affected. If they all turn out to be social media sites, then sure. However, if there are some sites where it wouldn't make sense to use bots, then probably it's something else.
 
It would be telling, if we knew more details about which sites were affected. If they all turn out to be social media sites, then sure. However, if there are some sites where it wouldn't make sense to use bots, then probably it's something else.
The social media accounts still need accounts with gmail, X, Bluesky, Grindr...
 
OTPs are transmitted in clear text, so you only need a packet sniffer in the vicinity of the mobile phone, so the onus is not on the user, but on the institution for using such a trivially breakable security measure. There is no doctrine in security.

Also, if you are claiming that the user shared the OTP, then I'm happy to say: fine, but you need to prove it, which you won't be able to. Otherwise it is defamation of character (you are basically saying that the user lied, which may be another can of worms).
I know all that.
Tom's Hardware first reported sms hijacking in 2016 (I think).
It has reported on this several times since.
Veritasium even did a long video with LTT playing the "victim".
It is not about known vulnerabilities. It is about holding people accountable.
 
Passkeys. So far as we know, they haven't been man-in-the-middled yet, not even sure if it's possible.

Passkeys are great, but especially when it comes to desktops they could be quite insecure if the user does not use a FIDO key and a secure PIN (not their birthday, for example), as knowing the Windows Hello PIN is as good as a master key.
 
It should be a crime to not encrypt any and all data held by ANY company. CEO, head of IT/security, and anyone else making such decisions should spend lots and lots of time in jail for every breach of usable data.

there's just no excuse these days to have important/confidential data unencrypted during any storage phase.

What makes you believe this data wasn't encrypted? Just because data is encrypted at rest doesn't mean it can't be decrypted or otherwise accessed... It likely was.

Why passwords weren't hashed using a one way algorithm is a different story. Likely has to do with accounts being used by email systems and other replications which tend to have to support multiple systems including challenge-response which can't be hashed ahead of time.
..