Mother called—she wants her data back.
Bob Diachenko is one of the lead researchers who discovered earlier this year what has become known as the “mother of all breaches” (MOAB)—a massive data breach repository that contained 12 TB and 26 billion stolen records. Based in Kyiv, Ukraine, Diachenko and his team of three, alongside a team at CyberNews, analyzed and helped take down the mother of all breaches in a matter of days.
IT Brew caught up with Diachenko—also the founder of SecurityDiscovery.com—to chat about his discovery and to better understand why the breach was nothing like he’s ever seen before.
But first, the TL;DR. The MOAB isn’t just one breach—it’s a compilation of multiple breaches that happened over time, with exposed data stemming from X (formerly known as Twitter) Tencent, LinkedIn, and more. The MOAB also included data from government entities in the US, Brazil, and Germany.
“The purpose of having it under one roof is pretty clear,” Diachenko said. “Someone wanted to have quick access to all the previously reported breaches in order to profile someone and put together puzzles to come up with a full picture of a user or person that they were after.”
To obtain this info, cyber criminals didn’t break into Tencent or X, Diachenko says, rather, they pieced together what they found on forums, on the dark web—and in some cases—Google.
Key companies affected by the MOAB, according to CyberNews:
Tencent: 1.5 billion
Weibo: 504 million
MySpace: 360 million
X (Twitter): 281 million
NetEase: 261 million
IT Brew has reached out to the above companies for comment.
What was the research process like? Diachenko and his team analyzed data from major public search engines and used open-source tools like Shodan to analyze exposed instances. “So, that particular instance immediately drew my attention when I was running through the morning report because of its size. We were able to identify the size and the number of collections in it,” he said.
If this is old data, why are people concerned? Diachenko and his team found that the MOAB also includes both old and new data, estimating that about 10% of the data had never been exposed before, including emails, names, and passwords. There’s also the fact that this data could help bad actors piece together information. “Again, to put it all under one roof and have such a vast collection be searchable—it’s kind of scary,” he added.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Any hunches as to where this leak came from? “No, because the server was Europe-based,” he explained. But Diachenko says the attackers utilized Hetzner Online GmbH’s cloud service. Hetzner has a KYC (Know Your Customer) procedure, Diachenko explains, which means Hetzner should be able to identify the person or group behind the IP address registration.
Hetzner spokesperson Christian Fitz confirmed via email that the IP Diachenko provided “belongs to a dedicated server,” adding that Hetzner is able to “identify the customer to whom this server is rented should the authorities make enquiries about criminal investigations.”
“In order to successfully take action here, however, we require a precise description of the illegal content currently hosted on the server, if available, as well as evidence of this,” he told IT Brew, noting they did not have enough information at the moment. Fitz said the company does not have access to the server and encouraged people to report any illegal content via the company’s abuse form here.
Side chat. Diachenko said users in the US and European region contacted him after noticing their email address or phone number had been linked to Chinese social media platforms, such as Tencent’s QQ or Weibo—despite never signing up.
Back in 2016, Have I Been Pwned creator Troy Hunt explained in a blog post that some of his subscribers reported never using Chinese sites yet found their data had been exposed in some Chinese data breaches.
What now? The MOAB leak was taken down shortly after Diachenko and his team published their report. He and his team have restructured data to provide users with a search tool that allows them to check if they were affected by MOAB. Diachenko says news of this breach should also serve as a reminder that users should practice good cyber hygiene—like regularly changing passwords, keeping passwords unique, checking their accounts for suspicious activity, and setting up MFA.
Update 03/22/23: This story has been updated since it was first published.