What Security Leaders Need to Know About the ‘Mother of All Breaches’

A leak of 26 billion records earned the title of “Mother of All Breaches” (MOAB) and widespread attention. Bob Diachenko, cofounder and cyber threat intelligence director at Security Discovery, a cybersecurity news and consulting services company, and the team at Cybernews first discovered the leak.

How did this staggering number of records get exposed, and what do CIOs, CISOs, and other security leaders need to know about MOAB?

The Breach

The 26 billion records involved in this leak include data from past breaches and likely some new data that was not previously exposed. The dataset includes breaches, re-indexed leaks, and privately sold databases, Cybernews reports.

The owner of the dataset was initially unknown, but Leak-Lookup has since come forward. The data breach search engine posted on X that the leak was the result a firewall misconfiguration, which it has fixed. A day later, it posted an update sharing that initial access was gained due to a misconfigured server, beginning in December.

SecurityDiscovery regularly analyzes data from search engines. “We pay special attention to the misconfigured noSQL databases and Elasticsearch instances,” Diachenko tells InformationWeek. “We analyze them based on the size, based on the keywords, and other data that might lead us to uncovering some sensitive data that should not be exposed.”

Related:Tesla Insider Data Breach Exposed Over 75,000

MOAB contained a total of 4,145 datasets, and of those datasets, 1,448 have more than 100,000 records, according to an update Diachenko shared on X.

“Of course, most of them, or some of them, are definitely duplicate, but still, having such a thorough and structured collection under one roof is mind-breaking,” says Diachenko.

MOAB includes leaked data from companies like LinkedIn, Adobe, Dropbox, Telegram, and X, among many others. The leaked data also includes records from government organizations in the United States and other countries, according to Cybernews.

The Potential Impact

The information exposed in MOAB has the potential to be weaponized for future attacks. “A lot of the malware, a lot of the information stealers, will collect passwords or credit card information or bank details or things that would be in a data breach like … MOAB as an example, [which] could then really later be used for social engineering,” says John Hammond, principal security researcher at managed cybersecurity platform Huntress.

The sheer volume of data leaked in MOAB could make it easier for threat actors to execute more convincing social engineering attacks. “They know so much about you now,” Lisa Plaggemier, executive director at National Cybersecurity Alliance, a cybersecurity awareness and education nonprofit, says. “It makes it easier for them to sound incredibly convincing in a phishing email or a text.”

Related:Damage Control: Addressing Reputational Harm After a Data Breach

That capability could be compounded by the rapid improvement in deepfakes, according to Plaggemier. “It is really hard to tell the difference, whether it's audio or video,” she says. “You marry that together with all the information in this breach, and then I think the quality of social engineering attacks is going to in increase.”

Security teams will need to consider if their enterprises’ data or customers’ data was exposed in MOAB. Even if an organization’s information caught up in MOAB was from a previous breach, it could be a good idea to consider potential risk.

Crystal Morin, a cybersecurity strategist at cloud security company Sysdig, recommends communicating with end users. “It doesn't hurt to send a friendly reminder, ‘Hey, guess what? This Mother of All Breaches happened, and the data that was previously exposed has resurfaced.’”

It is also vital to consider how previous breaches happened. “Make sure that these vulnerabilities or misconfigurations that were taken advantage of a year plus prior were actually mitigated and are no longer an issue,” says Morin.

Related:Massive Okta Breach: What CISOs Should Know

MOAB serves as a reminder to organizations to evaluate their security and proactively work to prevent future breaches.

“Let's go change those passwords if we are a member of this leak,” says Hammond. “Let's go board up the windows and do the best offense we can, and let's be better so this doesn't happen in the future, but [it’s a] cat and mouse game. It inevitably will.”

Bracing for More Breaches

Sites like Have I Been Pwned can help individuals determine if their information has been exposed in a breach, but with breaches like MOAB and others sure to follow, it is likely safe to assume exposure.

“I think the day of trying to figure out whether or not you were affected is gone,” says Plaggemier. “I think you have to assume that all your information is out there, and it's sitting in databases owned by bad guys or nation state actors.”

Operating in a world where the risk of a breach is ever-present calls for enterprises to double down on cybersecurity hygiene. Enforcing strong password habits, implementing multifactor authentication, and regular patching are important tools in mitigating the risk of being breached. It is also important to educate employees, customers, and third parties about the risk of social engineering as these attacks continue to grow in volume and sophistication.

“Many of us see data as the lifeblood of our businesses, and cybercrime is no different. You just got to remember that everything that we're doing with data in the legitimate world, cyber criminals are doing with data in their world,” says Plaggemier.

MOAB grabbed attention with its massive number of leaked records, but it won’t necessarily retain its title. “I still think that there are much bigger collections out there,” says Diachenko. A different leak in the future has the potential to become the new MOAB.