The news of a new credential leak recently reported by the CyberNews portal is an important opportunity for companies to reassess their information security policies and practices. It is one of the largest breaches ever reported, involving credentials from multiple platforms such as GitHub, Zoom, Apple, Google, Facebook, and Telegram.
Some researchers suggest this is not a new breach but an aggregation of previously known leaks. According to a hypothesis put forward by Bleeping Computer, the data is better organized than in other leaks and follows a format commonly produced by infostealer malware, a class of malware designed to harvest data from infected machines, including stored access credentials. Even if this is a compilation of prior leaks, it does not diminish the fact that users and businesses must remain vigilant about secure credential management practices.
The risk is clear: if credentials for any service are included in the leak, users of those services become vulnerable to account takeover and unauthorized data access. Depending on the type of account, the impact can range from exposure of private communications to exposure of internal corporate data and customer records. Leaked credentials also give criminals an initial foothold from which to mount further attacks and crimes.
Criminals can also use this data to lend credibility to scams. Armed with valid credentials, they can craft a wide range of social engineering attacks to convince victims that they are being contacted by a legitimate organization.
It is also important to note that if company data was leaked — rather than through attacks directly on individual users — this constitutes a personal data incident. When that occurs, data processors face a series of obligations, particularly regarding the notifications required by the LGPD (Brazil's General Data Protection Law) and the implementation of security measures to protect data subjects.
The following measures can be taken to mitigate the risks associated with this (and other) data leaks:
- Review password rotation policies. If any accounts lack such a policy, implement one immediately.
- Although some current technical standards no longer require mandatory periodic password changes (NIST Special Publication 800-63B), we believe this practice may still be recommended in certain contexts. Moreover, that same standard still recommends changing passwords in the event of a known breach.
- Notify internal users, alerting them to the situation and advising heightened vigilance against scams. Recommendations should also cover employees' personal accounts, as these can serve as an attack vector that ultimately compromises the organization.
- Maintain ongoing communication with customers and business partners about password management best practices. The organization should clearly communicate how it manages access credentials, to raise user awareness and help them recognize fraudulent contact attempts. Integrated environments can allow intrusions through the compromise of third-party infrastructure.
- Review incident response policies and procedures for scenarios involving loss of access to services. Companies should map all systems they use and ensure they have fast recovery mechanisms in the event of an attack.
- Enable multi-factor authentication (MFA) wherever available. This measure blocks unauthorized access even when criminals have obtained valid credentials. An authenticator app (such as Google Authenticator) is recommended, as it provides greater security than one-time codes delivered via SMS or email, both of which can also be compromised.
- Keep in mind that there are attacks capable of bypassing multi-factor authentication as well. This underscores the need for user training to help employees resist attempts to obtain authentication codes and to verify they are entering them on the correct platforms.
- Always use unique credentials for each service. Reusing passwords across services significantly increases risk: if one service suffers a breach, all other accounts using the same credentials become vulnerable.
- Always use a password manager to store credentials securely. Several reliable services enable proper credential management and allow users to easily maintain a unique password for each service, stored in a protected vault rather than in plain text files or spreadsheets.
- Finally, there are trustworthy services that allow you to check whether an email address appears in any previously identified breach. The best known is Have I Been Pwned, which also offers an API for integration with other systems.