Parents have been warned to change their passwords now as a game popular with children is linked to the ‘mother of all data breaches’.
Cybersecurity researchers discovered a vast collection of 30 exposed databases containing more than 16 billion individual records.
This enormous collection of personal data includes account information for the popular game Roblox and the game chat service Discord.
Experts say that this information could be used by cybercriminals to launch more targeted attacks to steal parents’ data and personal information.
In total, the team at Cybernews, which found the records, discovered 47 gigabytes of data containing sensitive information for accounts on various sites, including Instagram, Microsoft, Netflix, PayPal, Apple, and even government websites.
With only 5.5 billion people using the internet worldwide, researchers warn that a staggering number of people have likely been affected.
The information available to the wider internet only briefly, before being locked down, but it is not possible to determine who owned the databases.
The experts are now urging users across the globe to change their passwords immediately to protect their data from falling into the hands of cybercriminals.
Parents have been urged to change their passwords now after a game popular with children is linked to the ‘mother of all data breaches’ (stock image)
Some might have been gathered by so-called ‘white hat’ hackers who monitor and research data breaches to improve security, but most of the information was likely compiled by criminal groups.
Cybernews researchers say that large amounts of data have been stolen from people’s devices using a type of malware called an ‘infostealer’.
Criminals like to collect large troves of data so they can use it to gain access to other accounts and orchestrate more complex attacks.
The researchers say: ‘This is not just a leak – it’s a blueprint for mass exploitation.
‘With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing.’
They add that it is particularly ‘concerning’ to see that this data is not made up of old leaks but contains ‘fresh, weaponizable intelligence at scale’.
Cybernews noted that its researchers identified a database of 184 million records that were previously uncovered in May, found by data breach hunter and security researcher Jeremiah Fowler.
Mr Fowler told WIRED: ‘As far as the risk factor here, this is way bigger than most of the stuff I find, because this is direct access into individual accounts. This is a cybercriminal’s dream working list.’
Researchers discovered that Roblox account information was contained in a breach of over 16 billion records. Over 30 per cent of this game’s users are 13 years old or younger
The smallest of the 30 databases exposed contained over 16 million records.
Meanwhile, the largest, which likely related to the Portuguese-speaking population, contained over 3.5 billion records.
On average each of the datasets had around 550 million personal records.
Many of the datasets had generic names such as ‘logins’ which didn’t reveal their contents or intended use.
Others, however, were more descriptive, such as one dataset with 455 million records which was named to indicate its origin was the Russian Federation.
Worryingly, analysis of the datasets’ contents shows that several websites popular with children have been affected.
In a random sample of 100,000 records analysed by Fowler, there were 479 Facebook accounts, 475 Google accounts, 240 Instagram accounts, 227 Roblox accounts, and 209 Discord accounts.
Roblox is a wildly popular online game which has approximately 36 million daily users, over 30 per cent of which are 13 or younger.
The data breach also contained login information for Discord, a popular gaming chat and messaging board service used by a third of American teenagers
Likewise, Discord is a video game chat and messaging board service which Pew Research Centre estimates is used by up to a third of US teenagers.
That sample, representing just a tiny fraction of the total exposure, also included logins for other popular services such as Nintendo, Snapchat, Spotify, and Twitter.
If you are a parent who shares some accounts with your child, that means your passwords and login credentials may have also been exposed.
The best action to take right now is to change your passwords if you use any of these platforms and also activate Two-Factor Authentication, which adds another layer of security to logging in by sending a secure code to your phone or email.
The unprotected database was managed by World Host Group, a web hosting and domain name provider founded in 2019.
It operates over 20 brands globally, offering cloud hosting, domain services, and technical support for businesses of all sizes.
Once Fowler confirmed that the exposed information was genuine, he reported the breach to World Host Group, which shut down access to the database.
Seb de Lemos, CEO of World Host Group, told WIRED: ‘It appears a fraudulent user signed up and uploaded illegal content to their server.’
They found login credentials, including passwords, for government accounts, Apple, Google, Facebook, Telegram and more websites. If you or your child may have been affected, cybersecurity researchers suggest changing your passwords and activating two-factor authentication (stock image)
Fowler said ‘the only thing that makes sense’ is that the breach was the work of a cybercriminal because there’s no other way to gain that much access to information from so many servers around the world.
The cybersecurity expert warned that this particular breach also poses a major national security risk.
Exploiting government email accounts could allow hackers and foreign agents access to sensitive or even top-secret systems.
The stolen data could also be used as part of a larger phishing campaign, using one person’s hacked account to gain private information from other potential victims.
