The Mother of All Breaches: A Summary

February 21, 2024

On January 21, Cyber News published an article stating that they had identified the “Mother of All Breaches” (MOAB), which revealed 26 billion records. The article stated that the data had been identified by cyber security researchers on an open instance, meaning the data was not secured and was easily accessible by anyone who came across it.

The 12 TB of data was said to include records from previously reported leaks such as LinkedIn, Twitter, Weibo and others, but it was also claimed that there was new data held within this dataset that had not been seen before, although it was not clear what this claim was based on. At the time the article was published it was not clear who owned this data – was it a threat actor who had amalgamated all this data, was it from a marketplace where this data was stored, or was there another entity altogether that had this data?

Almost immediately chatter began on dark web forums discussing this leak – where it might have come from, who the data belonged to, and how they could get access to the information. A post on popular dark web forum BreachForums garnered 37 replies and over 4,000 views.  

The reaction to the data was mixed. Some users were eager to get their hands on the data, asking for confirmation of where it was available to download, while other actors commented that they would need to purchase more hard drives to store the massive amount of data.

Others felt the information was old, that it had previously been exposed and there was nothing new to be found. Their view was that this was simply being used to generate press, with some suggesting the data had been planted for marketing purposes. 

Another actor felt that this data must have been the collection of convicted site admin Pompompurin (Conor Fitzpatrick), stating that it included leaks that had only been posted to BreachForums.

Although many actors showed skepticism, most showed an interest in obtaining the data and were discussing how it would be shared – torrent being the preferred solution – and when it would become available. But the Mother of All Breaches did not materialize. 

On January 23, two days after the initial article was published, the company Leak-Lookup posted on X (Twitter) taking responsibility for the leak, claiming that a firewall misconfiguration was responsible for the data being exposed.  

Leak-Lookup is an organization which collects data leaks in order to allow consumers to check their information and see if they have been exposed. They claim to be a “Data Breach search engine” allowing their users to proactively protect themselves against possible exposure. This is an open source service; however, they do also charge for some searches.

The company went on to state that “Initial access was gained sometime around the start of December, due to a misconfigured server allowing IPv6 access to our ‘hot’ cluster.” This highlights that cyber security companies are not immune to cyber incidents, whether this be an attack or a technical issue. Fortunately, it did not appear that any of their registered users’ information had been compromised; the data that was identified is publicly available through their search. The misconfiguration was also quickly addressed to ensure no others could access this data.

Given that the MOAB was actually a database of leaks curated by a breach aggregator, it is very unlikely that any new data was included in this breach. Just as with DarkOwl, Leak-Lookup will only collect leaks which are already publicly available on the dark web. Although they may sometimes be tipped off to leaks which have not been widely shared, the volume of these is likely to be low.

DarkOwl continued to monitor dark web chatter relating to this breach and did not identify any threat actor claiming that they had access to this data. Given that the database is now secure, and given its size, it is unlikely that anyone obtained the data during the period it was exposed. However, as the database did contain previously leaked data, the information is still out there. As always, DarkOwl recommends using good password hygiene on all your accounts and highly recommends a password manager. Security is important for all organizations and all data should be strongly protected.
