On June 7, what many believe to be the largest password file ever stolen was posted on a popular hacker forum. The 100-gigabyte file contained 8.4 billion password entries. Its size tops the Compilation of Many Breaches (COMB) leak from February, which contained 3.2 billion email and password combinations. Yesterday’s leak was named RockYou2021 in homage to the 2009 RockYou data breach, in which fraudsters stole more than 32 million passwords that the social app had stored in plain text.
Together, RockYou2021 and COMB account for 11.6 billion stolen entries, nearly 80 per cent of the number stolen in all of 2020, OneSpan director of security solutions Will LaSala said.
“With breaches this year including the COMB Data Leak of 3.2 billion credentials and now the RockYou2021 data leak of 8.4 billion passwords, I estimate the figure to be closer to 25 billion leaked credentials floating around on the dark web at the moment,” he warned.
LaSala explained that the main threat posed by these leaked credentials falls mostly on web and mobile applications, along with the platforms they run on. Those platforms have security holes and backdoors that hackers, armed with stolen credentials, use to compromise them.
“We know hackers follow the money trail and we especially encourage consumers and organizations to closely monitor their financial and banking applications,” LaSala advised. “Technologies such as multi-factor authentication can help protect accounts from stolen credentials, while technologies such as application shielding can help protect applications from being attacked by malicious actors, even if the device itself is compromised.”
Companies can protect customers in several ways, LaSala said. Begin by making sure all risk analytics technologies are current. They should also look at real-time transactions across applications and channels and check for anomalies and patterns that could signal an imminent attack.
“Hackers often comb dark web forums for leaked credentials, which they use to launch ransomware attacks, and it is crucial that consumers and organizations implement these important security measures to protect high-value accounts,” LaSala said. “Consumers shouldn’t rely on password checker tools, as the data isn’t likely up to date and is untrustworthy. They should also avoid ‘strong password’ generators; the passwords generated are often unreliable, easy to hack, and can be stolen at a moment’s notice with little to no indication that they have been compromised.”