Mother of All Leaks

Popular articles

17 / 05 / 2017

Mother of All Leaks

Someone (I call him Eddie, after a name found in database credentials) has put together a giant database containing more than 560 millions emails and passwords collected from variety of sources. That kind of stuff has been floating around the web for a couple of years already, until recently, when it started to appear in forms of “combo lists”

Troy Hunt did a great job describing all details about that, so this is why I have reached out to him first to see if this dump is something special.

After running a sample set at his HIBP project, Troy identified 243,692,899 unique emails, with almost every single address is already in HIBP, mostly centred around the big incidents.

And while it is not a news itself, the availability of this data almost publicly (I mean, unprotected MongoDB equals publicly) is alarming.

During our research, we were surprised to see as many as 313 large databases, with size over 1GB, with several terabytes of data, hosted in US, Canada and Australia. 

The database in question is hosted on a cloud-based IP, and it is unclear who actually owns it. We sent notification email to the hosting provider, but usually it is not the quickest way to shut it down.

After a series of ‘ransomware’ attacks targeted on MongoDBs left without authorization in the beginning of this year, I was not sure if somebody still uses early versions of Mongo where default configuration is possible. It appears that “Eddie” did.

Database is 75+ gigs in size and contains data structured in readable json format which included at least 10 previously leaked sets of data from LinkedIn, Dropbox, Lastfm, MySpace, Adobe, Neopets. RiverCityMedia, 000webhost, Tumblr,  Badoo, Lifeboat etc.

The lesson here is simple: most likely, your password is already there and somebody might be trying to use this just now. So isn't that a good time to change it now?


Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Research Center.

Do you have security tips or suggestions? Contact: security@kromtech.com