unpleasant surprise

Mother of all Breaches may contain NEW breach data

On January 23, 2024, we reported on the discovery of billions of exposed records online, now commonly referred to as the “mother of all breaches” (MOAB).

Since then, the source of the dataset has been identified as data breach search engine Leak-Lookup.

Prevention platform SpyCloud compared the MOAB data with its own recaptured dataset and found at least 94% of the data was either public, old, or otherwise widely-known. That leaves a lot of new records.

From SpyCloud’s blog:

“a small number of individual breaches totaling a large number of records – approximately 1.6 billion – appeared distinct, as compared to SpyCloud’s dataset.”

SpyCloud was able to attribute some data to what it calls “private sale breaches”, which are datasets that were sold privately or otherwise traded outside of the public space.

As Troy Hunt of HaveIBeenPwned pointed out on his blog, there is a data breach “personal stash” ecosystem. This consists of personal stashes of data breaches existing all over the place, fueling an exchange ecosystem that creates copies of billions of records of personal data over and over again.

“The data of a significant portion of the global internet-using population, just freely flowing backwards and forwards not just in the shady corners of the dark web but traded out there in the clear on mainstream websites.”

These shady services, Hunt says, allow interested parties, including criminals, to access records that contain usernames, passwords (including in clear text), email addresses, and IP addresses. And Hunt says he feels that Leak-Lookup is one of the “bad” guys for the following reasons:

  1. After purchasing access, it returns extensive personal information exposed in data breaches including names, email addresses, usernames, phone numbers, and passwords.
  2. The operator is clearly trying to remain anonymous with no discoverable information about who is running it.
  3. It has Terms of Service that include: You may only use this service for your own personal security and research. But it does nothing to enforce that restriction.

What worries me even more is the amount of buyers and brokers for breach data. I, for one, never realized there were so many of them. That’s regardless of whether they are there to sell data to anyone that is willing to pay, or only offer it to those that rightfully own the data.

This in itself constitutes multiple risks. As we all learned in economics, demand drives up the price and the higher the price the more attractive it becomes to go after the data. And, as the MOAB breach clearly demonstrated, not everyone is as careful as they should be about accidentally exposing their collection.

And it’s not just cybercriminals that are buying this type of data. US Senator Ron Wyden released documents confirming the National Security Agency buys Americans’ internet records, which can reveal which websites they visit and what apps they use, despite a recent FTC order saying that data brokers must obtain Americans’ informed consent before selling their data. 

If you want to find out if your data is exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.