Cybersecurity reseachers raised the alarm this week, after discovering the ‘Mother of all Breaches’ (MOAB).
With 26 billion records leaked online, experts say this is the single biggest data leak in history.
Sensitive records from popular sites including Twitter, Dropbox, and Linkedin were discovered on an unsecured site, which experts say could spark a ‘tsunami of cybercrime’.
So, is your data safe?
Following the news, experts have revealed to MailOnline how to check if your emails or passwords have been compromised.
The easiest way to see if you have been affected is to use a data breach checker like this one created by Cybernews. The researchers say that they have logged over 70 per cent of the files in the breach and are aiming to have the checker fully updated by the end of the week
Cybersecurity researchers warn that it is almost certain that your personal data has been exposed in the ‘Mother of All Breaches’ which leaked 26 billion records onto an unsecured site
Yesterday, researchers from Cybernews and Bob Dyachenko, owner of SecurityDiscovery.com, announced that they had uncovered an enormous data breach.
The researchers discovered that 12 terabytes of data had been stored on an open instance, hidden in plain sight on the internet.
This data included billions of username and password combinations as well as highly sensitive personal data.
The researchers warn that this dataset could be ‘extremely dangerous’ in the hands of criminals.
The easiest way to check if this includes any of your information is to use a data breach checker such as Cybernews’ data leak checker.
To use this tool, simply enter your mobile number or email address into the search bar and click ‘Check Now’.
Mantas Sasnauskas, head of security research at Cybernews, told MailOnline that the team are currently working to ensure that the tool includes all the records from this new breach.
Mr Sasnauskas says that more than 70 per cent of records leaked by the MOAB breach have already been registered on the tool.
Because the MOAB is a combination of historic breaches and new material, only around a third of the leaked data has not been previously released.
This means that the data leak checker will still likely show whether your data was included in this latest breach.
Mr Sasnauskas and his team are currently sorting through the remaining 30 per cent of new leaks to see which accounts have been compromised.
If you use any of these sites, then there is a good chance your details have been leaked. While some records are certainly duplicates these sites have each leaked over 100 million personal records
If you are particularly concerned about your account with a specific site, Cybernews has also created a searchable list of sites that have been affected.
You might also be able to tell that an account has been breached if you begin to notice suspicious activity on any of your accounts.
Receiving login notifications from any of your accounts that you do not recognise can be an indication that someone has gained access.
However, given the scale of the breach, Mr Sasnauskas warns that you are almost certainly affected.
He told MailOnline: ‘Probably the majority of the population have been affected.’
Because of the sheer number of records leaked from popular sites like Linkedin, the experts say that the majority of the population will have at least one account compromised by this leak
The researchers expect that this breach contains significantly more than 15.5 billion unique password and account combinations from 3,386 different sites – more than 20 of which have released hundreds of millions of records.
The biggest leak comes from Tencent’s QQ, a popular Chinese messaging app which had 1.5 billion records in the breach.
Some of the other biggest leaks came from MySpace (360m), Twitter (281m), Linkedin (251m), and AdultFriendFinder (220m).
This means that if you are an internet user, it is almost certain that at least one account you use will have been included in the breach.
Jake Moore, global cybersecurity advisor for ESET, told MailOnline that people should act under the assumption that their accounts have been compromised.
Experts warn that you should use this opportunity to change your passwords. If you use X, which leaked 281 million records, hackers will be able to gain access to any account that shares the same password
The biggest risk is that hackers can get control of one account and use that to access others owned by the same person.
Mr Moore told MailOnline: ‘Unfortunately, many people still reuse their favourite passwords across multiple sites which makes this type of beach spread laterally and very quickly indeed.
‘Therefore, people should take this announcement as an opportunity to make their passwords unique but also to add multi factor authentication to their accounts.’
Mr Moore also warns that even an old account you no longer use being compromised can risk a cascade of more dangerous attacks.
‘Criminals can do an awful lot from accessing accounts where other personal data may reside such as home address or phone number,’ he says.
Brian Martin, Director of Product Management at Integrity360 says: ‘It’s well-known that threat actors compile private copies of previous breaches to support their malicious activities.’
Mr Martin explains that this breach data is extremely useful for launching ‘phishing, social engineering, and credential stuffing attacks.’
He recommends that organisations and individuals use good cyber hygiene to limit the risk of future attacks.
This includes resetting passwords, using two factor authentication, and being aware of phishing techniques.
Mr Martin adds: ‘It’s always been the case that the lack of these basic cyber hygiene steps increases your risk, but the risks grows with the availability of such a massive compilation database of information readily available.’
The existence of massive data dumps like this makes the risk of future cyber attacks much greater since criminals are able to use the account information from one leak to break into others
The researchers who discovered the breach say that the person behind it will likely never be identified.
However, Mr Sasnauskas suspects that it might have been created by someone attempting to build a criminal marketplace for private information.
He added: ‘Historically there were such services and they do sometimes pop up.
‘Basically, you could enter anyone’s email address and you would be able to buy the passwords for their accounts for a couple of dollars.’
It is also possible that this could have been compiled by a data broker or other organisation which works with massive amounts of data.
However, Mr Sasnauskas says it was more likely to have been created by a malicious actor.