One of the largest databases of leaked passwords ever seen has surfaced online, security researchers have warned. The massive haul of stolen credentials — some 9,948,575,739 unique passwords stored in plaintext — was posted late last week on a forum popular with hackers.
The file, dubbed RockYou2024.txt, is filled with stolen passwords that could trigger “a flood of data breaches, financial fraud and identity theft,” according to experts at CyberNews, who first discovered the database shared by a forum user identified only by the pseudonym ObamaCare.
It appears the database is a mix of old and new data breaches.
“In essence, the RockYou2024 leak is a compilation of real passwords used by individuals around the world. Revealing that many passwords are shared by threat actors significantly increases the risk of credential stuffing attacks,” researchers said.
Credential stuffing is a popular form of attack where hackers use stolen credentials from one website to log in to another. If you reuse the same username and password across multiple services, websites, and apps, you are vulnerable to this type of cyberattack.
A recent wave of attacks on Santander, Ticketmaster and QuoteWizard is widely believed to be the direct result of credential stuffing attacks against customers of the popular cloud service provider Snowflake.
And now the CyberNews team thinks the same thing could happen with the latest database. They warn: “Cybercriminals could abuse the RockYou2024 password compilation to perform brute-force attacks and gain unauthorized access to various online accounts used by individuals using passwords included in the dataset.”
The database of stolen passwords was shared on a popular hacking forum by someone with the username ObamaCare. Experts have verified that the text file contains millions of passwords, building on the dataset originally released on the same forum three years ago.
CYBERNEWS PRESS AGENCY
RockYou2024.txt builds on an earlier leak, RockYou2021.txt, which was shared online by hackers three years ago.
At the time, that text file full of stolen usernames, email addresses and associated passwords was the largest stolen data set ever — a record that has now been broken by a leak that researchers are calling the “mother of all breaches”. Since the launch of RockYou2021.txt, approximately 1.5 billion passwords have been added to the database, putting millions of people at greater risk of attack.
There is no easy solution for people whose passwords are in the RockYou2024.txt database.
However, the CyberNews team has shared some advice for those looking to protect themselves from credential stuffing or other types of post-breach attacks:
- Instantly reset passwords for all accounts that rely on a password contained in the database
- Create a unique alphanumeric password for each online account
- Enable multi-factor authentication, such as a one-time code sent to your phone number, to protect accounts
- Use a password manager to store and manage complex passwords
- Use tools such as haveibeenpwned.com/ to check if your data has been leaked
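The check behind the last piece of advice can be done without ever sending a password to anyone. The haveibeenpwned.com Pwned Passwords service uses a "range" lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known suffix with that prefix, and compares the rest locally. The following is an added example written for this article, not code from CyberNews or Have I Been Pwned. The range response below is constructed for the demo (the counts are made up), with one real detail: the first suffix is the genuine SHA-1 suffix of the word "password". `fetch_range` talks to the real API and is only called from the `__main__` block, so the functions can be exercised offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample: what a range lookup for prefix 5BAA6 might return.
# Format is one "HASH_SUFFIX:COUNT" line per known password. The first
# suffix is the real SHA-1 tail of "password"; counts and other lines are
# invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
0123456789ABCDEF0123456789ABCDEF012:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:17
"""


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix ever leaves the machine; the 35-character
    suffix is what we match against the server's list locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Query the real service for one hash prefix (network access required)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).

    `fetch` maps a 5-character prefix to the range body, so an offline
    stand-in can be injected for testing.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves only the constructed sample."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch=offline_fetch)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in sample")
    # Uncomment to run a live lookup (only the 5-char prefix is transmitted):
    # print(pwned_count("password"))
```

Because the server only ever learns a five-character prefix shared by hundreds of different passwords, the lookup reveals nothing useful about which password was checked, which is why it is safe to build into a signup form or a password manager's breach monitor.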
The staggering database of leaked passwords came out just days after new research from Kaspersky showed that millions of popular passwords can be cracked in less than a minute, thanks to improvements in computer hardware and smarter, AI-assisted guessing algorithms.
According to Kaspersky data, hackers attempted to crack passwords 32 million times last year alone. That number is likely to grow as it becomes easier to crack passwords with the latest algorithms and hardware.
Kaspersky researchers used a combination of the latest algorithms and an Nvidia RTX 4090 GPU worth £1,549 to try to crack a database of 193 million passwords found on the Dark Web. All of the stored passwords were hashed and salted, meaning researchers still had to guess each one correctly to get in.
If your password is eight characters or fewer, it can be cracked in just 17 seconds, researchers found. Most of these passwords were all lowercase or all uppercase English letters with a few numeric digits — showing the importance of using special characters, like symbols, to make your password harder to crack.
In total, 45% of all passwords analyzed from the database (87 million) could be guessed within a minute.
The majority of passwords examined by researchers contained at least one word from the dictionary. This significantly reduces the strength of a password and makes it more vulnerable to brute force attacks.
As researchers cracked millions of passwords, patterns began to emerge. If you want to create a strong, unique password to protect your account, avoid some of these popular patterns —
Popular words
- forever
- Love
- hacker
- gamer
Common names
- daniel
- kevin
- Ahmed
- nguyen
- Kumar
Default passwords
- password
- qwerty12345
- administrator
- 12345
- team
Kaspersky analyzed millions of hashed and salted passwords shared by hackers on the Dark Web to find out how long it would take to crack accounts
KASPERSKY
Kaspersky used a brute-force algorithm to achieve these results, a technique that is terribly popular with hackers. It tries possible password combinations systematically, working through a list of dictionary words as well as various character types, numbers, and more.
Researchers attempted to improve on the initial results by programming the algorithm to take into account popular character combinations, common names and sequences.
Hackers have also developed clever algorithms that try to replace characters, such as replacing an “a” with an “@” or an “e” with a “3”. So don’t do that when creating a password; it doesn’t make your account more secure.
Using the most efficient brute-force algorithm, researchers were able to crack 59% of the 193 million passwords within an hour, and almost three-quarters of all passwords (73%) within a month.
Only 23% of passwords from the Dark Web database would take more than a year to crack.
Discussing their findings, Kaspersky security experts noted: “Unconsciously, people create ‘human’ passwords – those that contain words from the dictionary in their native language, names, numbers, etc., things that our busy brains can easily remember.
“Even seemingly strong combinations are rarely completely random, so they can be guessed by algorithms. Given that, the most reliable solution is to generate a completely random password using modern and reliable password managers.”
Passkeys are an increasingly common solution to protect your accounts without relying on a long alphanumeric password that’s impossible to remember. This clever solution uses the security features built into your smartphone — like Face ID facial recognition on iPhone, fingerprint scanners on Samsung Galaxy, and more — to verify your identity every time you log in to a website or app.
Support for these password replacements is slowly being adopted by the largest online services and applications, with Elon Musk enabling X support for iPhone owners earlier this year, and WhatsApp also adopting passkeys so that users no longer have to rely on passwords that are easy to guess.
Password managers are another popular solution.
These standalone apps generate unique passwords with no discernible pattern — and a healthy mix of upper and lower case letters, symbols, numeric digits, and more. It would be impossible to remember this long, unique jumble of characters for each login, so password managers will encrypt and store them all for you, filling in the fields in apps and websites for you.
You only need to remember one password: the password you use to unlock your password manager.
Password managers, such as 1Password (pictured), can manage long, unique alphanumeric passwords for each online account and monitor the Dark Web for breaches and hacks.
1PASSWORD PRESS AGENCY
Many of these applications also use biometrics, such as fingerprints and facial scans, to lock everything down.
Apple has added a password manager, known as iCloud Keychain, as part of the mobile operating system that comes on every iPhone, iPad and Mac, while Californian rival Google has built a similar system into Chrome. However, the iPhone maker has big plans to revamp this system with a real competitor for companies like 1Password, NordPass and LastPass in the coming months as part of the next free upgrade.
LATEST DEVELOPMENTS
Over the past few months we have seen security researchers discover the so-called “mother of all breaches”, with billions of stolen usernames and passwords for popular sites like LinkedIn, X (formerly Twitter), Telegram, and Dropbox. Not only that, but hackers used credential stuffing to break into half a million Roku accounts and spend money using stored payment information.
Whatever you do, make sure you don’t use a password on this list published by Nord.