In an unprecedented event, almost ten billion unique passwords have been leaked online. The compilation, named RockYou2024, is being referred to as “the largest data breach to date” on some hacking forums.
What do we know?
The leak took the form of a .txt file with the passwords, collated and released by an organization going by the handle ‘ObamaCare.’ Previous leaks from this organization include employee databases from the law firm Simmons & Simmons, data from the online casino AskGamblers, and applications for Rowan College in New Jersey.
Why do we care?
The main danger of password leaks lies in cyberattacks that use brute force and credential stuffing. Brute-force attacks are the older approach, using automation to try to guess the correct password and force entry to an account. With password leaks like RockYou2024, criminals can skip the guessing stages and instead try to match a known password to other accounts.
A typical credential stuffing attack follows a simple process, where the attacker:
- Sets up a bot that is able to automatically log into multiple user accounts in parallel, while faking different IP addresses.
- Runs an automated process to check if stolen credentials work on many websites. Running the process in parallel across multiple sites reduces the need to repeatedly log into a single service.
- Monitors for successful logins and obtains personally identifiable information, credit cards or other valuable data from the compromised accounts.
- Retains account information for future use, for example, phishing attacks or other transactions enabled by the compromised service.
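Seen from the defender's side, the two patterns leave different traces in an authentication log. The following detection sketch is an added example, not part of the original article; the log format, thresholds, function names and sample lines are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
def build_sample():
    """Constructed log lines (not real data): 'ISO-time source-ip user OK|FAIL'."""
    t0, out = datetime(2024, 7, 5, 10, 0, 0), []
    def add(offset_s, ip, user, res):
        out.append(f"{(t0 + timedelta(seconds=offset_s)).isoformat()} {ip} {user} {res}")
    for i in range(12):   # 10:00 - twelve accounts, one try each, new IP every time
        add(i * 4, f"198.51.100.{i + 1}", f"user{i:02d}", "OK" if i == 7 else "FAIL")
    for i in range(15):   # 10:10 - one account guessed repeatedly from one IP
        add(600 + i * 2, "203.0.113.9", "admin", "FAIL")
    add(1200, "192.0.2.44", "carol", "FAIL")   # 10:20 - ordinary typo...
    add(1209, "192.0.2.44", "carol", "OK")     # ...followed by a normal login
    return out

def analyse(lines, window=timedelta(minutes=5), min_accounts=10,
            min_guesses=10, max_tries=2, min_fail_rate=0.8):
    """Flag brute force and credential stuffing per fixed time window."""
    buckets = defaultdict(list)
    for line in lines:
        ts, ip, user, res = line.split()
        buckets[(datetime.fromisoformat(ts) - EPOCH) // window].append((ip, user, res))
    findings = []
    for slot, events in sorted(buckets.items()):
        tries = Counter(u for _, u, _ in events)
        fails = Counter(u for _, u, r in events if r == "FAIL")
        # Brute force: many failed guesses against the same account.
        for user, n in fails.items():
            if n >= min_guesses:
                findings.append({"kind": "brute_force", "user": user, "failures": n})
        # Credential stuffing: many accounts, few tries each, mostly failing.
        spray = {u for u, n in tries.items() if n <= max_tries}
        spray_events = [e for e in events if e[1] in spray]
        failed = sum(1 for e in spray_events if e[2] == "FAIL")
        if len(spray) >= min_accounts and failed / len(spray_events) >= min_fail_rate:
            findings.append({
                "kind": "credential_stuffing", "accounts": len(spray),
                # Per-IP counters stay low when the source address rotates.
                "max_per_ip": max(Counter(e[0] for e in spray_events).values()),
                # Accounts that logged in during the burst need a forced reset.
                "reset": sorted({e[1] for e in spray_events if e[2] == "OK"}),
            })
    return findings

if __name__ == "__main__":
    print(*analyse(build_sample()), sep="\n")
```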
What’s next?
Besides needing to change passwords as soon as possible, individuals and organizations following industry best practices – not reusing passwords, using multifactor authentication and CAPTCHA, forcing unique user IDs separate from email addresses – should largely be safer from the worst effects of the leak.
At the same time, the leak is the latest in a pattern of incidents clearly demonstrating that we need to take online security seriously and operate under a worst-case scenario presumption where sooner or later, an attack will make it through.
This requires systems to be hardened and prepared for attacks, including a thorough disaster recovery process and a data security system – either a backup or an archive – which can ensure you come through the attack and bounce back with minimal impact.