Updated: Jun 17
A 100GB text file containing 8.4B password entries was leaked this week on a hacker forum. It exceeds February's Compilation of Many Breaches (COMB) leak of 3.2B email and password combinations, making it the largest password compilation ever leaked. It has been named 'RockYou2021' in reference to the 2009 RockYou data breach, in which adversaries hacked into the social app website's servers and gained access to over 32M user passwords stored in plain text. Will LaSala, Director of Security Solutions at OneSpan, weighed in on this latest mass password compilation:
“We saw the number of stolen credentials reach an all-time high last year at 15 billion, and with breaches this year including the COMB Data Leak of 3.2 billion credentials and now the RockYou2021 data leak of 8.4 billion passwords, I estimate the figure to be closer to 25 billion leaked credentials floating around on the dark web at the moment.
The threat posed by these leaked credentials falls largely on web and mobile applications as well as the platforms they run on, which have security holes and backdoors that hackers leverage stolen credentials to compromise. We know hackers follow the money trail and we especially encourage consumers and organizations to closely monitor their financial and banking applications. Technologies such as multi-factor authentication can help protect accounts from stolen credentials, while technologies such as application shielding can help protect applications from being attacked by malicious actors, even if the device itself is compromised.
Organizations can also help protect their customers by ensuring their risk analytics technologies are up to date and that they are checking real-time transactions across all applications and channels, looking for anomalies and patterns that are the hallmark of an attack. Hackers often comb dark web forums for leaked credentials, which they use to launch ransomware attacks, and it is crucial that consumers and organizations implement these important security measures to protect high-value accounts. Consumers shouldn’t rely on password checker tools, as the data isn’t likely to be up to date and is untrustworthy. They should also avoid ‘strong password’ generators; the passwords generated are often unreliable, easy to hack, and can be stolen at a moment’s notice with little to no indication that they have been compromised.”
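The quote above recommends watching real-time activity for the patterns that mark an attack. A compilation like RockYou2021 is typically used for credential stuffing, whose hallmark in authentication logs is one source trying many different usernames in a short window, mostly failing, with the occasional success when a reused password lands. The detector below is an added example written for this article, not OneSpan's or any vendor's code; the log format, thresholds and sample lines are all constructed assumptions.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Assumed log format (one event per line, constructed for this example):
    <ISO-8601 timestamp>Z <source IP> <username> <FAIL|OK>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: 203.0.113.7 cycles through six accounts in 30 seconds
# (five failures, one hit); alice retries her own password from her usual address;
# 192.0.2.9 fails twice against two accounts, below the distinct-user threshold.
SAMPLE_LOG = """\
2021-06-15T10:00:01Z 203.0.113.7 alice FAIL
2021-06-15T10:00:03Z 198.51.100.20 alice FAIL
2021-06-15T10:00:05Z 203.0.113.7 bob FAIL
2021-06-15T10:00:09Z 203.0.113.7 carol FAIL
2021-06-15T10:00:11Z 198.51.100.20 alice FAIL
2021-06-15T10:00:14Z 203.0.113.7 dave FAIL
2021-06-15T10:00:17Z 192.0.2.9 erin FAIL
2021-06-15T10:00:19Z 203.0.113.7 erin FAIL
2021-06-15T10:00:22Z 198.51.100.20 alice OK
2021-06-15T10:00:25Z 192.0.2.9 frank FAIL
2021-06-15T10:00:31Z 203.0.113.7 frank OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {ip: summary} for every source IP that, within any sliding window,
    attempted at least `min_users` distinct usernames with a failure ratio of at
    least `min_fail_ratio`. Thresholds are illustrative; tune them per application.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                summary = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "failures": fails,
                    # Successes inside a stuffing window are the accounts to act on:
                    # force a password reset and step up to MFA on the next login.
                    "successes": len(win) - fails,
                    "window_start": win[0][0].isoformat(),
                }
                if best is None or summary["attempts"] > best["attempts"]:
                    best = summary
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

The per-IP view is deliberately simple; a production risk engine would also key on device fingerprint and ASN, since stuffing tools rotate source addresses, and would feed the hit list straight into the step-up authentication the quote recommends rather than only raising an alert.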