What really happened in the alleged data breach?
Cybersecurity researchers that Mint spoke with said that the breaches in question were not strictly new or a single consolidated breach, as early reports had claimed. Instead, the new databases are more like master databases where breached information gathered over almost the past decade was put together by an unidentified group or entity.
To put it simply, data breaches occur from either unsecured online databases that cyber criminals scrape to collect information, or as part of cyber attacks on large online platforms that lead to the leakage of sensitive information. The largest known data breach so far occurred in 2016, when cyber attackers breached the entire database of once-search and mail giant Yahoo—stealing over 3 billion passwords and related user credentials at one go.
Also read: India’s big AI test is here: Making sovereign language models work
Four cybersecurity researchers that Mint spoke with said that the ‘master’ database with 16 billion passwords and other corresponding data—such as name, email addresses, dates of birth and other personally identifiable information (PII)—is likely a collection of multiple breaches, dating back to 2015.
Is such a widespread data breach even possible?
While no number of breaches is outside the realm of possibility, most researchers stated that a single breach exposing such a massive volume of sensitive information at one time is nearly unlikely.
“There are estimates of over 5.5 billion unique users on the internet. Given that any average individual would have at least two or three emails, plus accounts linked with around 10-15 online services—served by an average of around five unique passwords, an extrapolated hypothesis can be that a breach of 16 billion passwords would likely impact over 40% of all internet users globally. For this to happen in one single coordinated data breach would be akin to all of Europe, Asia and then some more being compromised at one go—which is nearly unthinkable even in today’s cybersecurity climate,” said an independent cybersecurity researcher who closely works with various government departments, requesting anonymity.
Mint could not independently access the alleged database in question or verify whether the information is updated. However, a scroll through cyber breach tracker Have I Been Pwned by noted cyber security professional and Microsoft regional director for the US, Troy Hunt, signified that passwords that have been in use on Apple, Facebook and Google’s platforms since at least 2018 have not surfaced online in the repository’s list of breached passwords.
Also read: Sovereign silicon: India targets indigenous 2nm, Nvidia-level GPU by 2030
To be sure, Have I Been Pwned is a public repository that regularly scrapes dark web databases for leaked passwords, such as the one mentioned here.
What should users do in this regard?
Cybersecurity experts stated that, irrespective of whether their passwords appear in breach trackers such as the one cited above, updating passwords once every six months is prudent.
Heather Adkins, vice-president of security engineering at Google, said that as part of its global endeavours to ramp up cybersecurity, the company is in the process of collaborating with Apple, Microsoft and others in a global ‘Fido Alliance’—which seeks to establish ‘passkeys’ as a standard for login.
“Passkeys reduce the dependency on passwords, and thus reduce how breaches occur by using the biometric authentication information that is stored on users’ phones and laptops. The benefit here is that attackers cannot breach biometric information even if they want, since they require on-device authentication. Various emails and other logins are steadily shifting to passkeys in this regard,” Adkins said.
Sidharth Mutreja, cofounder and chief technology officer of homegrown enterprise security consultant Rockladder Technologies, added that a second step is to “enable two-factor authentication.”
“As a second layer of security, users should always either use one-time password-based additional verification or use authenticator apps to ensure that their accounts and personal information are not breached even if a password is compromised. Additionally, it’s important to ensure that any caller or email sender is personally verified before they are responded to,” he added.
For now, though, each of the researchers agrees that no user is at “immediate risk of losing access to all of their accounts”—even though initial reports projected widespread risk, unlike what was seen before.
Can attackers still leverage the information?
Unfortunately, yes. The presence of such databases means that attackers with deep pockets and ill intent can pay to access such databases and use the information for a wide range of tasks. These include actions such as ‘spear phishing’—where attackers use available information about individuals to closely impersonate a potential acquaintance, and dupe them financially or otherwise.
Also read: Eye in the sky: India to set up satellites to spy on satellites
To be sure, such attacks have become common in India in the form of ‘digital arrests’ and originate from such databases. A single, coordinated database could thus be a crucial indirect resource for attackers, even if they do not immediately cause any direct harm to users.
Will companies handle damages and fallouts, if any?
Mutreja said that a coordinated database that collates all breached information under one umbrella “could create significant liability for enterprises in terms of securing their own platform with database monitoring tools—and put the onus on consumers to instantly and continuously change their passwords.”
“There’s no one set law that dictates if a company should be liable for a public database—unless a breach in question directly correlates to a company specifically. In such a case, users can directly raise questions on whether companies should have better protected their data. In this case, though, this does not hold,” he added.
Apple, Facebook and Google—the three major service providers whose information was a part of the breach as per the original report—have not issued any statements or patches pertaining to a data breach of such stature.
