By Jeff Domansky, June 8, 2021
The largest stolen password collection of all time, 8.4 billion passwords, was leaked on one of the world’s most popular hacker forums.
The anonymous hacker named the password compilation ‘RockYou2021‘ after the notorious 2009 RockYou data breach when threat actors gained access into the social app website servers and harvested more than 32 million user passwords stored in plain text.
With an estimated 4.7 billion people online worldwide, the newest data breach potentially includes twice the passwords of the entire global population.
CyberNews posted a sliver of the 6-20 characters long passwords contained in the hacker forum. The mysterious password hacker posted a massive 100GB TXT file containing 8.4 billion password entries, combined with previous data leaks and breaches.
Potential password knockout
Although the threat author initially claimed the list held more than 82 billion passwords, the number is estimated closer to 8.4 billion by CyberNews. Nevertheless, it’s still the largest leak ever, and security experts see huge potential impacts for business and consumers.
“We saw the number of stolen credentials reach an all-time high last year at 15 billion, and with breaches this year including the COMB Data Leak of 3.2 billion credentials and now the RockYou2021 data leak of 8.4 billion passwords, I estimate the figure to be closer to 25 billion leaked credentials floating around on the dark web at the moment,” says Will LaSala, Director of Security Solutions at OneSpan.
The threat posed by these leaked credentials falls mainly on web and mobile applications and the platforms they run on, which have security holes and backdoors that hackers leverage stolen credentials to compromise, LaSala explains.
“We know hackers follow the money trail, and we especially encourage consumers and organizations to monitor their financial and banking applications closely. Technologies such as multi-factor authentication can help protect accounts from stolen credentials, while technologies such as application shielding can help protect applications from being attacked by malicious actors, even if the device itself is compromised,” he adds.
How to minimize password threats
Security experts say password hygiene, careful monitoring, and multi-factor authentication are a great place to start for better password security
“Today is the day to change all your passwords. You may have been putting this off, thinking you are not affected. You are. We all are. Now you have an excellent reason – to protect your privacy and your assets. Anything and everything will come out, so waste no time. Change all your passwords immediately. And please make sure they are unique and complex!” advises Saryu Nayyar, CEO, Gurucul.
Experienced hackers can use a list database to generate millions of harmful spam emails, unsolicited texts, and phishing messages designed to harvest personal data, steal financial information, and compromise user identity.
“This may be the biggest username/password breach of all time, but it won’t be the last. Outlawing passwords is not a short-term solution to this problem. Instead, ensure that usernames/passwords on their own are not enough to gain access to backend systems,” cautions David Stewart, CEO, Approov.
“Adding a requirement for appropriate and independently verified factors to gain access to your servers will ensure that your business is not affected by credential stuffing attacks based on breaches such as RockYou2021,” Stewart adds.
How to check if your password is compromised
CyberNews has a database of more than 500 GB of leaked hash emails, including over 15.2 billion breached accounts and more than 2.56 billion unique emails. The list grows as CyberNews monitors and updates the latest data breaches from around the world.
Its data leak checker is one of several online tools that quickly check if your email password is included in this latest data breach or others in its extensive database. The site does not collect or store emails to ensure the security of information.
LaSala cautions that password checking tools are only as good as the real-time data available. “Consumers shouldn’t rely on password checker tools as the data isn’t likely up to date and untrustworthy. They should also avoid ‘strong password’ generators; the passwords generated are often unreliable, easy to hack, and can be stolen at a moment’s notice with little to no indication that it has been compromised.”
Rajiv Pimplaskar, CRO, Veridium, points to the shortcomings and irony in providing your email to a third party to check its security. While useful, these tools can create a false sense of security if your email doesn’t show up on the list. “First, even though they [CyberNews] claim to have data from over 15 billion compromised accounts, it’s still only a fraction of the total volume of compromised account data out there.”
“Second, it is inherently risky to provide private or secure information to a third-party when you are trying to keep or validate the information is secure in the first place!” Pimplaskar says CyberNews mitigates that by using a bcrypt hashing algorithm (Blowfish based) to anonymize source emails in the database securely.
Tools useful for awareness but no guarantee
Pimplaskar adds, “With the advent of several dark web search engines over the past four-plus years across the threat intelligence market, this space has gotten fairly commoditized with many variations of such information being made available through your ISP, credit card of fraud protection agency – all with varying degrees of time-based validity and value.”
“Another useful data leak checker that businesses and individuals can use to see whether their password information is out in the wild is the popular free tool Have I Been Pwned,” Nayyar adds with similar reservations to the other security experts. It checks email and phone numbers against a list of over 600 million compromised passwords. While useful, these tools only scratch the security threat surface.
Password checkers can only tell users if their account was found on a list of hacked accounts when the list was loaded into the password checkers. These password checkers are often manually loaded with lists of hacked accounts.
LaSala echoes further concerns about online password-checking tools. “A user’s password could be compromised well in advance of finding it on one of these lists. “Strong Passwords” are problematic because there is no indication of when the password is compromised, and any “Strong Password” that can be typed can be captured and stored for use by a hacker. With strong password generators and password checkers, there is an opportunity for hackers to make the problem worse by creating fraudulent pages that ask for account details to then generate new passwords that the hacker would then have a copy of.”
“In today’s high-risk cyber climate, consumers should consider all password-based credentials as likely to be or have been breached. Users should rely on Multi-Factor Authentication (MFA) and embrace modern passwordless authentication methods like phone as a token or FIDO2 security keys. These reduce the attack surface of a data breach by eliminating passwords ensuring that your information stays private and secure,” Pimplaskar advises.
Organizations must also do more to protect their customers by ensuring their risk analytics technologies are up to date and checking real-time transactions across all applications and channels, looking for anomalies and patterns that are the hallmark of an attack.
“Hackers often comb dark web forums for leaked credentials, which they use to launch ransomware attacks, and it is crucial that consumers and organizations implement these important security measures to protect high-value accounts,” LaSala cautions.
International Change Your Password Day
February 1 is officially “Change Your Password Day,” created originally in 2012 by Matt Buchanan, who was writing at Gizmodo at the time.
According to Aite Group, 47% of US consumers experienced financial identity theft – either application fraud in their name or account takeover in the past two years.
Let’s all agree as individuals to make today “International Change Your Password Day.” Change your passwords and double-check your security practices considering this latest record password heist.
Recent PaymentsNEXT coverage of security issues includes:
Russian ransomware attacks American BBQ plans – citizens outraged
The sorry state of application security in financial services
US identity theft jumps as e-commerce grows
LET’S CONNECT