Skip to content

MOAB Data Leak Exposes Global Vulnerability to Credential Stuffing


In the aftermath of the staggering MOAB data leak, cybersecurity experts are sounding the alarm on the extensive threat of credential stuffing attacks. As uses continue to fall prey of the pitfalls of password reuse, the imperative for robust security measures has never been clearer.

This week’s Cyber Security Insights explores the urgent need for organizations to adopt strategies such as multi-factor authentication and traffic monitoring to mitigate the risk of exploitation.

Mother of all breaches was the start

On January 22, Cybernews published an article that stated it had discovered an astounding 12 terabytes of breach information that included records from thousands of compiled and reindexed leaks, breaches and privately sold databases. Dubbed “Mother of all Breaches,” due to its unprecedented amount of breach information.

The Mother of all Breaches (“MOAB”) included about 26 billion records discovered by Cybernews through a joint investigation with security researcher Bob Dyachenko. It consisted of user data from many prominent Web services, including LinkedIn, Twitter, Weibo, and Tencent. It’s the largest leak ever discovered, larger than Collection#1, which was a collection of 2.7 billion leaked records discovered in 2019.

SpyCloud, a software cybersecurity company, completed an analysis of the complete MOAB dataset and found that at least 94% of records were either public, old, unusable to criminals or otherwise widely known. The remaining records may have been privately traded rather than publicly distributed.

Figure 1. Breakdown of Web Services and leaked records in MOAB (Cybernews)

The Hacker Community’s Reactions

After the Cybernews report, there was a lot of chatter within the hacker community as well as security professionals about where MOAB came from and where it could be obtained. Hackers who didn’t find MOAB suspected that it was fake data created by security companies to attract attention, or that it was just a collection of data from previous breaches.

Figure 2. A Thread About MOAB in the Hacker Forum

MOAB Source

On January 24, Leak-Lookup, a company that accumulates information and provides a data breach search engine, posted on its official X (formerly Twitter) account, quoting a post from Cybernews, that MOAB was based on its own data, had fixed a firewall misconfiguration, and were investigating further to determine what occurred, however were confident no registered user information was accessed.

Figure 3. Leak-Lookup Posts Admitting to Leaking
Figure 4. Leak-Lookup Website. Boasts an accumulation of approximately 26 billion leaks

Collecting and resdributing leakage information

Security companies are not alone in collecting and using information from past leaks. For example, Breachforums, one of the world’s largest hacker forums, collects and presents leaked information posted on the forum and handles millions of leaks.

There are also several Telegram channels that collect information that appears to have been exposed by ransomware attacks in the past and redistributed for a fee or no charge.

Figure 5. Breachforums Leakage List Page
Figure 6. Telegram channels that collect and distribute information about past leaks.


MOAB has made headlines for being one of the biggest data leaks ever, with the number of records being several times larger than the world’s population. However, the data was most likely the largest compilation of multiple breaches. In particular, its potential use in credential stuffing attacks (aka “password-list attacks”) is serious.

Despite the repeated and widely publicized dangers of using the same credentials, it is known that many users continue to use the same email address/password pair to authenticate against multiple different services. Service providers need to take counter measures against credential stuffing such as multi-factor authentication, limiting authentication requests and detection of abnormal traffic.

This is a common theme as was highlighted in a previous blog post, user awareness of best practice is key.

About our Cyber Security Insights

This blog post is part of our The Cyber Security Insights, that are released several times every month, providing invaluable insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services
Department’s OSINT Monitoring Team and NTT Security Sweden’s Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.

Read more Cyber Security Insights here.


Want to know more about how we can help you with your cybersecurity?

Book a meeting with NTT Security experts to learn more about our advisory services and penetration testing. We help you protect sensitive data while ensuring privacy and convenience.