The emergence of historical mega breaches

Over the period of this month, we've seen an interesting trend of data breaches. Any one of these 4 I'm going to talk about on their own would be notable, but to see a cluster of them appear together is quite intriguing.

For example, just yesterday I loaded the Fling database (you probably don't want to go to fling dot com until you're in a private setting). That was over 40 million records and the breach dates back to 2011.

A few days before that it was LinkedIn which has been pretty comprehensively covered in the press by now. There's 164 million unique email addresses (out of about 167 million records in total), and that dates back to 2012.

Just now, I've finished loading tumblr into Have I been pwned (HIBP) with a grand total of over 65 million records dating back to 2013. That rounds out the total number of records loaded in just the last 6 days to 269 million, not that much less than I had in the entire system just a week ago. It's also the second data breach I've personally appeared in over that period, my 6th overall. (Incidentally, you may see various different stats on the exact number of addresses in the tumblr breach due to data idiosyncrasies such as the way deactivated accounts were flagged.)

But all of these will pale in comparison when the much-touted MySpace breach of 360 million records turns up. Whilst I've not seen a date on when the breach actually occurred, c'mon, it's MySpace and you know it's going to date back a way.

There are some really interesting patterns emerging here. One is obviously the age; the newest breach of this recent spate is still more than 3 years old. This data has been lying dormant (or at least out of public sight) for long periods of time.

The other is the size and these 4 breaches are all in the top 5 largest ones HIBP has ever seen. That's out of 109 breaches to date, too. Not only that, but these 4 incidents account for two thirds of all the data in the system, or least they will once MySpace turns up.

Then there's the fact that it's all appearing within a very short period of time - all just this month. There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related.

One explanation may be related to the presence of these breaches being listed for sale on the dark market:

LinkedIn data for sale

Fling data for sale

tumblr data for sale

MySpace data for sale

These 3 are all listed by peace_of_mind and by all accounts, this individual is peddling a quality product:

peace_of_mind seller profile

Apparently, buyers are happy. Now this is not to say that peace is the guy who's hacking into these sites and indeed attribution can be hard, particularly after so much time has passed by since the sites were actually attacked. But certainly there's a trend here which is hard to ignore.

But here's what keeps me really curious: if this indeed is a trend, where does it end? What more is in store that we haven't already seen? And for that matter, even if these events don't all correlate to the same source and we're merely looking at coincidental timing of releases, how many more are there in the "mega" category that are simply sitting there in the clutches of various unknown parties?

I honestly don't know how much more data is floating around out there, but apparently it's much more than even I had thought only a week ago.

Tweet Post Update Email RSS

Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals