On Thursday, cybersecurity researcher Jeremiah Fowler reported an exposed database of more than 184 million logins and passwords, apparently harvested by malware, some of which could be used to log in to Apple Accounts.
Fowler believes the data was collected by someone using infostealer malware, which he describes as “a type of malicious software designed specifically to harvest sensitive information from an infected system.” The database, whose source is unclear, was neither password-protected nor encrypted and contained 184,162,718 unique logins and passwords, 47.42 GB of raw credential data in all.
“I saw thousands of files that included emails, usernames, passwords, and the URL links to the login or authorization for the accounts,” Fowler said. “The database contained login and password credentials for a wide range of services, applications, and accounts, including email providers, Microsoft products, Facebook, Instagram, Snapchat, Roblox, and many more,” plus bank and financial accounts, health platforms, and government portals from numerous countries.
Wired did a deep dive into the data and found that plenty of iCloud logins were included.
In a sample of 10,000 records analyzed by Fowler, there were 479 Facebook accounts, 475 Google accounts, 240 Instagram accounts, 227 Roblox accounts, 209 Discord accounts, and more than 100 each of Microsoft, Netflix, and PayPal accounts. That sample—just a tiny fraction of the total exposure—also included Amazon, Apple, Nintendo, Snapchat, Spotify, Twitter, WordPress, and Yahoo logins, among many others. A keyword search of the sample by Fowler returned 187 instances of the word “bank” and 57 of “wallet.”
Fowler suspects the dataset was compiled by a bad actor using infostealer malware tools. “It’s the only thing that makes sense,” he told Wired, “because I can’t think of any other way you would get that many logins and passwords from so many services all around the world.”
The database was found on an unmanaged server at a hosting provider, meaning the customer, not the provider, has full control of the machine. “It appears a fraudulent user signed up and uploaded illegal content to their server,” said Seb de Lemos, the CEO of World Host Group, in a statement to Wired. “The system has since been shut down. Our legal team is reviewing any information we have that might be relevant for law enforcement.”
This breach is more serious than most because the stolen data includes login information for many unrelated services. That makes it unlikely the credentials were taken from a single compromised site; they were more likely collected from victims’ own machines by malware and through phishing attacks.
“This is probably one of the weirdest ones I’ve found in many years,” Fowler told Wired. “As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal’s dream working list.”
This means that while there is no sign Apple’s servers were compromised, Apple Account login info could still have been harvested by malware running in the background on Macs and Windows PCs used to sign in to iCloud or other Apple services. The same goes for the credentials for every other online service in the dump.
Users who reuse their Apple Account username and password on other sites and services are at particular risk, because a password stolen from any one of those sites now unlocks the Apple Account too. Using an “@icloud.com” email address to sign in elsewhere also tells an attacker that the user has an iCloud account, making them a potentially high-value target because of the iCloud backups and photo libraries that account may unlock.
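To make the two risks above concrete (the per-service tally and keyword search Fowler ran on his 10,000-record sample, and the danger of one password reused across services), here is an added example, not code from the article or from Fowler's analysis. It triages a constructed stealer-style log in the “URL, username, password” shape the article describes; every record is made up for the example, and the domain-collapsing rule (keep the last two labels) is a simplification that ignores the public suffix list.

```python
"""Triage of an infostealer-style credential dump (added example; constructed data)."""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample records: login URL, username, password, tab-separated.
# None of these are real credentials.
SAMPLE_LOG = """\
https://www.facebook.com/login\talice@icloud.com\tSunshine2023!
https://accounts.google.com/signin\talice@icloud.com\tSunshine2023!
https://www.roblox.com/login\tbob@example.com\tr0bl0xFan
https://appleid.apple.com/sign-in\talice@icloud.com\tSunshine2023!
https://online.mybank.com/auth\tcarol@example.org\tc4r0l-bank-pw
https://www.paypal.com/signin\tbob@example.com\tr0bl0xFan
https://discord.com/login\tdave@example.net\tunique-per-site-1
"""


def parse_records(text):
    """Return a list of (host, username, password) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue
        url, user, password = (p.strip() for p in parts)
        host = urlsplit(url).hostname or ""
        if host and user and password:
            records.append((host, user, password))
    return records


def service_counts(records):
    """Tally records per service, collapsing hosts to their last two labels
    (www.facebook.com -> facebook.com). Simplification: no public suffix handling."""
    counts = Counter()
    for host, _, _ in records:
        labels = host.split(".")
        counts[".".join(labels[-2:])] += 1
    return counts


def reused_credentials(records):
    """Map each username to the sorted hosts where the *same* password appears
    on two or more distinct hosts: these are the credential-stuffing candidates."""
    seen = defaultdict(lambda: defaultdict(set))  # user -> password -> hosts
    for host, user, password in records:
        seen[user][password].add(host)
    reused = {}
    for user, by_password in seen.items():
        hosts = set()
        for password_hosts in by_password.values():
            if len(password_hosts) >= 2:
                hosts |= password_hosts
        if hosts:
            reused[user] = sorted(hosts)
    return reused


def keyword_hits(records, keywords):
    """Count records whose login URL host contains each keyword (Fowler searched
    his sample for 'bank' and 'wallet' in the same spirit)."""
    hits = Counter({k: 0 for k in keywords})
    for host, _, _ in records:
        for k in keywords:
            if k in host.lower():
                hits[k] += 1
    return hits


def high_value_targets(records, mail_domains=("icloud.com",)):
    """Usernames whose email domain reveals an iCloud account."""
    return {
        user for _, user, _ in records
        if "@" in user and user.rsplit("@", 1)[1].lower() in mail_domains
    }


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("records:", len(recs))
    print("per service:", service_counts(recs).most_common())
    print("reused:", reused_credentials(recs))
    print("keywords:", keyword_hits(recs, ["bank", "wallet"]))
    print("iCloud users:", sorted(high_value_targets(recs)))
```

On the constructed sample, alice reuses one password across Facebook, Google and the Apple sign-in page, and her @icloud.com address marks her as the high-value target the article describes; dave, with a unique password, does not appear in the reuse list at all.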
There is a bit of good news in all of this: if you have two-factor authentication enabled for your Apple Account (and if you don’t, do that immediately), a stolen password alone isn’t enough to sign in, so the bad guys will have a much tougher time accessing your account.
It is still a good idea to change your password for all affected services as soon as possible. (It’s a holiday weekend, so you should have plenty of time to do so, right?) Make sure each password is strong and unique. Never reuse a password! If you don’t want to come up with unique passwords on your own, use a password manager that can generate and track your passwords to ensure that they are unique. (I use 1Password, but there are many fine password managers available.)
Plus, enable two-factor authentication on your Apple Account and on any other account that offers it. Sure, it adds an additional step or two to your login process, but it’s better than bad actors logging into your accounts.
Make sure to visit Have I Been Pwned to see if your information appears in any data breaches. Also, stay alert for phishing attempts. The bad guys like to use the data obtained in breaches like this one to try to steal more of your information. They may pepper your email and messaging accounts with phishing emails and texts to convince you to turn over additional details, like credit card and bank account numbers.
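The Have I Been Pwned lookup above is a manual check of your email address; the same service’s Pwned Passwords API also lets you test whether a specific password appears in known dumps without ever sending that password. The following added example (not code from the article or from Have I Been Pwned) shows the k-anonymity protocol it uses: only the first five hex characters of the password’s SHA-1 hash leave your machine, the server returns every hash suffix sharing that prefix, and the match is made locally. The `range_body` below is a constructed server response, the network function is shown for completeness but not exercised, and the `Add-Padding` handling reflects the documented behaviour of returning extra zero-count suffixes.

```python
"""Pwned Passwords k-anonymity check (added example; constructed range response)."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_parts(password):
    """Split SHA-1(password) into the 5-hex-char prefix sent to the server and the
    35-hex-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix, padding=True):
    """Retrieve the range for a prefix from the live API (not called in the test).
    With padding the response is salted with zero-count suffixes so the response
    size does not leak which prefix matched."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-example"})
    if padding:
        req.add_header("Add-Padding", "true")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix, range_body):
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix, 0 if absent.
    Padding entries carry a count of 0 and are therefore treated as not found."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password(password, range_body):
    """Offline check against an already-fetched range body: number of times the
    password has been seen in known breaches."""
    _, suffix = hash_parts(password)
    return count_in_range(suffix, range_body)


# Constructed range response for prefix 5BAA6 (SHA-1("password") begins 5BAA61E4...).
# The counts are made up; the padding line (count 0) mimics an Add-Padding entry.
RANGE_BODY_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0011223344556677889900AABBCCDDEEFF0:42
FFEEDDCCBBAA00998877665544332211000:0
"""

if __name__ == "__main__":
    prefix, suffix = hash_parts("password")
    print("send only:", prefix)
    print("keep local:", suffix)
    print("seen in breaches:", check_password("password", RANGE_BODY_5BAA6), "times")
    # Live usage (network): check_password(pw, fetch_range(hash_parts(pw)[0]))
```

The design point worth noticing is that the server learns at most that you hold one of the hundreds of passwords whose hashes start with `5BAA6`, never which one; a client that instead posted the full hash, or the password itself, would hand a breach-check service exactly the secret it is supposed to be protecting.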
(Via iDropNews)