Yahoo is investigating claims the hacker linked to “mega-breaches” at MySpace and LinkedIn has posted details of 200 million Yahoo accounts to a marketplace on the dark web.
In total, at least 1.3 billion online accounts have now been breached in the past few months, according to researcher Troy Hunt.
And Rick Holland, head of strategy at security company Digital Shadows, which monitors the underground markets and message boards on which many of the deals to sell stolen data are done, says it has probably gone way past that figure.
“Initially, they won’t be putting the data on the public market,” Mr Holland says.
“Instead, they will talk to a few select people in off-the-market chat sessions.”
And sometimes a public sale is a final attempt to squeeze more value out of a batch of stolen login names and passwords that has been used several times before.
One hacker recently sought almost $100,000 (£75,000) for 655,000 records taken from three US healthcare suppliers.
By contrast, the alleged Yahoo data dump, much of which seems to be old or disused credentials, commands a price of less than $2,000.
It could, though, provide a ready source of victims for cybercriminals running a ransomware campaign, according to Mr Holland.
But setting up defences that can stop data being stolen or abused is difficult.
“We are not seeing any rapid move to biometrics,” Mr Holland says.
“And two-factor authentication systems are not easy to set up and deploy at large scale.”
Marshal Heilman, from security consultancy Mandiant, says breaches, no matter how big, rarely change large companies’ day-to-day security practices.
“It’s just business as usual for a lot of them,” he says.
Most of the data stolen in mega-breaches will only give attackers basic access to a network, and from there they will have to work hard to manoeuvre to the systems that harbour saleable data, Mr Heilman says.
So, many organisations concentrate their defences around the login details for key staff who oversee the internal network, customer databases or any sensitive system.
“Companies should look at the core parts of their business,” says Mr Heilman.
“Anything else going missing is not the end of the world.
“I don’t think it’s ever fair to say that it is a company’s fault that it got breached.
“We build companies to do business, and security comes along after that.”
So maybe individuals rather than companies are to blame for security breaches – the person who clicks on a booby-trapped link in an email or opens an attachment harbouring malware.
“That is the mushy human layer, and most technologists have decided that users are stupid and they cannot patch stupid,” says Stu Sjouwerman, founder of KnowBe4, which runs training programmes to lessen the chance they will mis-click and leave a company open to a data breach or ransomware attack.
Many attackers refine their campaigns by running them time and time again through test networks that possess the same technical tools, sensors and firewalls seen in corporate networks.
And Mr Sjouwerman says: “There will always be malware and phishing attacks that make it through the filters, and the human in that scenario can be the last line of defence.”
Currently, 16% of people will click on a link they should not in a phishing email.
But training involving regular simulated attacks can cut this to 1%, figures gathered from KnowBe4’s 300,000 customers suggest.
Mr Sjouwerman says there are 22 separate markers that can betray a phishing email, including having been sent at an unusual time of day, odd subject lines and strangely formal language.
“It turns out that you can patch stupid because it turns out that these people are not stupid, they are just highly qualified in other domains,” he says.
“If you bring it home to them, show them how a wrong click can affect their finances, they suddenly see the light and they stop clicking on the bad links.”
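The three markers Mr Sjouwerman names above (an unusual sending time, an odd subject line and strangely formal language) can be turned into a simple triage heuristic of the kind awareness trainers use to explain what to look for. The code below is an added example, not KnowBe4's tooling or part of the article; the hour range, word lists and the two sample messages are constructed for illustration.

```python
"""Toy phishing-marker scorer: flags three of the tells named in the article."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed thresholds and phrase lists, chosen for illustration only.
WORK_HOURS = range(7, 20)  # 07:00-19:59 in the sender's own time zone is "normal"
FORMAL_PHRASES = ("dear sir/madam", "kindly", "herewith", "esteemed customer")
ODD_SUBJECT = re.compile(r"(urgent|verify|suspended|act now|!{2,})", re.I)


def phishing_markers(raw_message: str) -> list[str]:
    """Return the names of the markers a raw RFC 822 message triggers."""
    msg = message_from_string(raw_message)
    markers = []

    # Marker 1: sent at an unusual time of day (judged in the sender's zone).
    date_hdr = msg.get("Date")
    if date_hdr and parsedate_to_datetime(date_hdr).hour not in WORK_HOURS:
        markers.append("unusual_send_time")

    # Marker 2: an odd subject line (pressure words or shouting in capitals).
    subject = msg.get("Subject", "")
    if ODD_SUBJECT.search(subject) or (subject.isupper() and len(subject) > 8):
        markers.append("odd_subject")

    # Marker 3: strangely formal language in a plain-text body.
    body = msg.get_payload().lower() if not msg.is_multipart() else ""
    if any(phrase in body for phrase in FORMAL_PHRASES):
        markers.append("overly_formal_language")
    return markers


# Constructed sample messages (example.invalid is a reserved, non-routable domain).
PHISH_SAMPLE = """From: "Account Team" <alerts@example.invalid>
To: user@example.invalid
Subject: URGENT: your account will be suspended!!
Date: Mon, 22 Aug 2016 03:14:00 +0000

Dear Sir/Madam,
Kindly verify your credentials herewith to avoid suspension.
"""

LEGIT_SAMPLE = """From: Dana <dana@example.invalid>
To: user@example.invalid
Subject: Notes from this morning's standup
Date: Mon, 22 Aug 2016 10:30:00 +0100

Hi all, attached are the notes. Ping me if I missed anything.
"""
```

A real mail gateway combines many more signals than these three; the value here is showing trainees that the "obvious" tells are mechanical enough to be checked one by one.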