21 Million-Password Leak is Just The Beginning as Reports Emerge of 40x Larger Leak

Colin Muller

Reports have been circulating in past days of a gigantic data breach that has netted 770 million usernames and 21 million passwords. The stolen data even reached the virtual pages of the Guardian newspaper, who (perhaps inaccurately) reported it as the “Largest collection ever of breached data found.”

With respect to the initial breach, the good news is that most of the stolen data is very old, and therefore in most cases probably useless. According to Brian Krebs of KrebsOnSecurity.com - the security researcher who thinks he found the additional stolen data - the original collection of files is two to three years old.

(Just in case you want to check if your data is compromised, another researcher, Troy Hunt, has added the first data to his website Have I Been Pwned. Passwords can be checked here.)

The bad news is that this original breach, with 87GB worth of files, is very small compared to how much may be out there. Krebs communicated with the entity selling this data via Telegram and the seller sent Krebs a screenshot of what he said was four terabytes worth of stolen credentials. Only one terabyte worth seems to be available for purchase at this time, however.

hack.png(Alleged screenshot of hacker's stash; source: Krebsonsecurity.com)

There’s A Crypto For That

There are several blockchain projects that have sought to address the problem of identity theft, and to put identity - so to speak - on the blockchain. Perhaps the most well known of these projects are Civic (CVC) and Self Key (KEY). Civic have a working product and several partnerships, including Brave, ShapeShift, wikiHow and Xapo.

Apropos of nothing, the crypto news website CCN recently reported on the possibility that up to 100,000 Know-Your-Customer (KYC) credentials were pilfered from several large cryptoasset exchanges are now being sold on the darknet. Bittrex, Poloniex, Bitfinex, and Binance are among the reportedly compromised exchanges.

CCN seem to have obtained compelling but ultimately inconclusive evidence that the breach occurred. Binance representatives, looking into the alleged breach, are reported to have claimed that there are “some inconsistencies” between the proof samples they were shown and their own records. Binance add, according to CCN, that they have not had any indications of a breach on their end.