12TB of consumer data leaked: What does it mean for merchants?

On 24 January, a database of "fullz" – a fraudster term for sets of personally identifiable information (PII) – 12TB in size was discovered by cyberthreat researcher Bob Diachenko.

With it come new opportunities for cyber criminals to defraud companies and consumers, as well as an increased interest in data leaks and their consequences by the public.

So, what exactly happened? And, importantly, what does it mean for online merchants? We've prepared a short piece to help break it all down, explain how it affects the online fraud landscape, and provide some practical advice courtesy of Ravelin CEO Martin Sweeney.

What happened?

Dubbed "the mother of all breaches" by Cybernews website – only to be "corrected" to "(grand)mother of all breaches)" by the man who unearthed it – it's estimated to be the the largest set of breached credentials ever discovered, at 26 billion records and 12TB of data.

The PII is linked to individuals from around the world, including users of Chinese social media platforms Tencent and Weibo, as well as MySpace, LinkedIn, Dropbox and X/Twitter, among several others. In fact, this is not a single data leak but an aggregate record of more than 3,800 data leaks. This type of database is also called a COMB – short for compilation of multiple breaches.

It seems that a fraudster has taken the time to compile the data of thousands of leaks in one file – which makes the stolen PII easier to handle, share and browse. In essence, because of how massive and well-organized it is, bad actors are going to leverage it more often and more efficiently for various schemes.

Even, in fact, to feed into AI. It's not just fraud fighters that employ machine learning; fraudsters have been eagerly adopting generative models, ML, LLMs and other types of automation that help scale their operations. One of the various consequences of this is, for example, the mass creation of synthetic identities, which are a way to further defraud both consumers and businesses. It's a chain reaction of cybercrime.

If you're wondering whether a new aggregate file would actually make a difference, it already has. Reports of massive account takeover (ATO) attacks (or attempts) have gone as far as the mainstream press in the past two months, with internal data at Ravelin confirming the trend.

No surprise – Ravelin noted an increase in ATO

In fact, Ravelin's fraud investigation experts have observed an increase account takeover attempts since late November, across the majority of our client accounts.

These have included, for instance, a significant (if largely unsuccessful) credential stuffing attack that saw almost 1 million failed logins on a single day in January. Brute-force attacks like these usually take place when low-level cybercriminals attempt to find credentials that have been reused across apps, platforms and services by the same individual, some of which might be more profitable to get into than others.

Another widely observed phenomenon was a rise in logins to very old, inactive accounts on our clients' websites. These were fraudsters using the leaked credentials to sign in and take advantage of the account however they can.

Ravelin's CEO, Martin Sweeney, weighs in:

"This news should not come as a surprise, unfortunately. The dataset that was discovered is an aggregate. It doesn’t come from a single source, which is one indication of how easy it is for cyber criminals to obtain this type of information.

At Ravelin, we had already observed a steep rise in attempted account takeovers against our partners since late November, which was on par with new PII leaks. But we didn’t anticipate such a huge number – 26 billion records!"

Consequences? A chain reaction of fraud

In terms of consequences, the first and most immediate is an increase in account takeover attempts, as well as social engineering (that often leads to ATO itself).

It's important to note that this type of attack is a means to an end. No fraudster would ever stop at taking over a customer's account. They would use the data found within, or the access to the account itself, to enable further ecommerce fraud, such as triangulation fraud or payment fraud.

In addition, this PII allows for phishing and spear-phishing attacks, identity theft and other cybercrime.

Ravelin's ATO Product Manager, Clayton Black, comments on the developments:

"The scale of this data breach makes every online merchant a target for account takeover. Companies that never had a problem with ATO may soon find themselves inundated with customer complaints, transaction disputes, chargebacks and faced with an irreparable damage to their brand and consumer trust.

Companies need to act now to address gaps in account defence measures and educate customers around basic protective behaviors, such as not reusing password and looking out for phishing emails."

What should merchants do about it?

For practical advice to merchants, we once again turned to Martin Sweeney:

"My advice to merchants is to be proactive:

• Review your ATO protection and consider deploying it both at login and checkout.
  
• Fraudsters will be attempting to reuse these credentials across various services – encourage them to use unique passwords or even change theirs if found in the 12TB dataset.
  
• Listen to your fraud managers – they know your fraud landscape and weak points best.
• Remember that ATO and social engineering are attacks that enable all other manner of fraud, so stay up to date with your fraud protection across the board.
• Use graph networks! Leverage visualizations between accounts across your customers. This can help your fraud analysts more easily spot hidden connections between users and block entire networks of fraudsters."
  
  

Further reading

• Read more about what fraudsters do after they take over an account.
• Find out how to limit the impact of account takeover when it does happen.
• Discover Ravelin's account takeover fraud insights.