The cracker who recently put 620 million breached records up for sale…
…is back with close to 100 million more, according to reports.
Just over five years ago, we jokingly coined the phrase “one hundred million club”, following Adobe’s then-epic leaking of 150 million records.
Back then, breaches with that many records exposed at the same time were rare.
These days, we frequently hear of breaches that are well above 100 million records, for all that they often involve aggregated breaches of multiple servers and services, possibly collected over many years.
For example, we recently saw Collection #1 hit the underground market, with more than 700,000,000 unique records, closely followed by four more breach collections, imaginatively named Collection #2 to #5, with a further 2.2 billion items.
This latest breach sounds slightly different.
Rather than collating and coalescing breached data going back years, and perhaps including old, retired or discarded accounts, TechCrunch is suggesting that the cracker used a common way into a series of different sites.
Well-known sites on the list allegedly include fun-with-GIFs website Gfycat, cloud image editor piZap and fitness fanatics Classpass.
TechCrunch suggests that all the sites in the latest breach list were running PostgreSQL as their database engine, though whether this was a factor in the sites getting breached at the same time is unknown.
These days, crooks don’t just break in by abusing unpatched security bugs in your server apps, but also by aggressively exploiting weak security practices, such as poor or re-used passwords or unprotected services made public on the internet by mistake.
What to do?
There’s no evidence that actual passwords were stolen in these breaches – at worst, it seems that the crooks made off with hashed passwords, which can’t be used to log in directly.
A cracker who’s made off with a list of hashed passwords still has to crack each one, by hashing guess after guess until one matches, so the better your choice of password, the longer it takes the crooks to hit upon the right one.
Changing your password before that happens turns the stolen hash into a dead end, because even a correctly cracked old password no longer works, so the sooner you change it, the lower the chance the crooks will figure it out first.
So:
- Patch early, patch often. If you’ve got a server afflicted by known security holes, then the crooks probably already know how to break in if they want to, so stay one step ahead.
- Change passwords on affected sites. As mentioned above, if you change an at-risk password before the crooks figure it out and login with it, you win.
- Don’t re-use passwords. We can’t say this frequently enough, which is why you hear us repeating it all the time. If one password gets breached, make sure it doesn’t instantly let the crooks into other accounts, too.
- Consider 2FA. Two-factor authentication requires some sort of additional action when you login, such as entering a one-time string of digits as well as your password. A password on its own, whether stolen, cracked or guessed, is then no longer enough to get in.
- Get a password manager. If you let a password manager pick strong passwords for you – and make it choose a new one for each site – you’ll avoid password re-use, make strong passwords painless to use, and free up the effort for turning on 2FA.
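The two points above about hashed passwords and about changing an at-risk password are easiest to see in code. What follows is an added example written for this article, not code from TechCrunch, from any of the breached sites, or from Naked Security; it uses a constructed six-word attacker wordlist and constructed sample passwords, and contrasts the legacy unsalted SHA-1 storage that makes cracking cheap with a salted, iterated PBKDF2 record. Note that a weak password is recovered from either kind of hash; only the cost differs, and only rotating the password makes the stolen hash worthless.

```python
import hashlib
import hmac
import os
from typing import Optional, Sequence, Tuple

# Constructed for this example: a tiny attacker wordlist. Real cracking runs use
# wordlists with millions of entries plus mangling rules, but the loop is the same.
WORDLIST: Sequence[str] = ("123456", "password", "qwerty", "letmein", "iloveyou", "football")


def sha1_unsalted(password: str) -> str:
    """Legacy storage: fast, unsalted SHA-1. Identical passwords give identical
    hashes, and one guess can be checked against every stolen hash at once."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Better storage: per-user random salt plus a deliberately slow KDF
    (PBKDF2-HMAC-SHA256). The salt forces a separate guessing run per user;
    the iteration count makes every guess cost `iterations` HMAC calls."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Check a login attempt against a stored record, comparing in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def crack_sha1(target_hex: str, wordlist: Sequence[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack on an unsalted SHA-1 hash.
    Returns (recovered password or None, number of guesses tried)."""
    for tries, guess in enumerate(wordlist, start=1):
        if hmac.compare_digest(sha1_unsalted(guess), target_hex):
            return guess, tries
    return None, len(wordlist)


def crack_record(record: dict, wordlist: Sequence[str]) -> Tuple[Optional[str], int]:
    """The same attack against a salted PBKDF2 record. It still succeeds for a
    password that is in the wordlist; it is just slower and applies to one user only."""
    for tries, guess in enumerate(wordlist, start=1):
        if verify(guess, record):
            return guess, tries
    return None, len(wordlist)


def rotate(record: dict, new_password: str) -> dict:
    """What "change your password" does to the attacker: a fresh salt and hash,
    so the stolen record is stale and a cracked old password no longer logs in."""
    return make_record(new_password, record["iterations"])


if __name__ == "__main__":
    # Constructed sample users: one weak password, one strong (not in the wordlist).
    print("weak user, unsalted SHA-1:", crack_sha1(sha1_unsalted("letmein"), WORDLIST))
    print("strong user, unsalted SHA-1:", crack_sha1(sha1_unsalted("mauve-hexagon-tuba-39"), WORDLIST))

    stolen = make_record("qwerty", iterations=50_000)
    cracked, tries = crack_record(stolen, WORDLIST)
    print("weak user, salted PBKDF2:", (cracked, tries))

    rotated = rotate(stolen, "mauve-hexagon-tuba-39")
    print("cracked old password still works after rotation?", verify(cracked, rotated))
```

Running it shows `letmein` and `qwerty` falling to the wordlist while the longer passphrase survives it, and that after `rotate()` the cracked `qwerty` no longer verifies. The iteration count is the only lever the site controls; password choice and prompt rotation are the levers the user controls, which is why the advice above is aimed at users.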
According to TechCrunch, account data in the breach includes information from: Legendas.tv, OneBip, Storybird, Jobandtalent, Gfycat, ClassPass, piZap and StreetEasy. We don’t know if this is an exhaustive list, but if you are a user of one of those services, a precautionary password change might be a smart idea. A password manager makes choosing new passwords quick and easy. There’s no suggestion at this time [2019-02-18T14:30Z] that any financial records such as credit card numbers were stolen from anyone.
Well, at least I’m not going to get another one of those Congratulations letters from Troy Hunt. Fortunately I don’t use any of those apps.