Hackers Gained Access to 10 Billion Stolen Passwords
Data leaks are an inevitability of the digital age. It's nearly impossible to have online accounts without losing some passwords to these attacks (which is why using 2FA is so important). But it's one thing to know that some of your passwords are out there somewhere; it's another thing entirely to know that billions of our passwords have been conveniently collected in one place, ready for use.
That's exactly what a new report suggests: as TechRadar reports, researchers say they found a text file called rockyou2024.txt containing nearly 10 billion unique passwords, all stored in plain text. This means anyone with access can read through the list as easily as a PDF and see every password for themselves.
This collection did not appear overnight: the passwords were gathered over time, from various attacks and leaks over the past 20 years. Attackers added 1.5 billion such passwords to the file between 2021 and this year. The fact that they are all unique means there are no duplicates in the list. It is hard to fathom that many passwords.
What is the danger of password leakage?
While it's bad enough that anyone with the list can use Command + F to look up any password under the sun, that's not really the danger. It would take far too long to find specific passwords that way.
Rather, attackers can use such lists to conduct brute force attacks and credential stuffing. In a brute force attack, attackers rapidly try a large number of passwords against an account until one works. Credential stuffing is similar, but uses leaked credentials—known username and password combinations—against other services, since people tend to reuse the same password across multiple accounts. (Please, do not do that.)
Attackers, of course, don't carry out these attacks by hand: they use automated tools that can try millions of these passwords in an attempt to break into accounts. With a database of 10 billion unique passwords, attackers have plenty of material for brute force and credential stuffing attacks against both individuals and organizations.
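The two attack patterns above look different in an authentication log, which is what a defender can use to spot them. The following is an added example (not from the original article) that runs a simple detector over a few constructed log lines: a brute force attempt shows up as many failures for one account from one source, while credential stuffing shows up as one source cycling through many different accounts with only one or two tries each. The log format, IP addresses, usernames and thresholds are all assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data).
# Format assumed for the example: "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-07-05T10:00:01 203.0.113.9 alice FAIL
2024-07-05T10:00:02 203.0.113.9 alice FAIL
2024-07-05T10:00:02 203.0.113.9 alice FAIL
2024-07-05T10:00:03 203.0.113.9 alice FAIL
2024-07-05T10:00:03 203.0.113.9 alice FAIL
2024-07-05T10:00:04 203.0.113.9 alice FAIL
2024-07-05T10:01:10 198.51.100.7 bob FAIL
2024-07-05T10:01:11 198.51.100.7 carol FAIL
2024-07-05T10:01:12 198.51.100.7 dave FAIL
2024-07-05T10:01:13 198.51.100.7 erin FAIL
2024-07-05T10:01:14 198.51.100.7 frank FAIL
2024-07-05T10:01:15 198.51.100.7 grace OK
2024-07-05T10:02:00 192.0.2.44 heidi FAIL
2024-07-05T10:02:20 192.0.2.44 heidi FAIL
2024-07-05T10:02:41 192.0.2.44 heidi OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect(events, brute_threshold=5, stuffing_threshold=5):
    """Return a sorted list of (kind, source_ip, user, count) findings.

    brute_force:         one source hammering one account (failures >= brute_threshold)
    credential_stuffing: one source failing against many distinct accounts
                         (distinct failing users >= stuffing_threshold)
    """
    fails_by_ip_user = defaultdict(int)   # (ip, user) -> failed attempts
    failing_users_by_ip = defaultdict(set)  # ip -> set of users with a failure
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip_user[(e["ip"], e["user"])] += 1
            failing_users_by_ip[e["ip"]].add(e["user"])

    findings = []
    for (ip, user), n in fails_by_ip_user.items():
        if n >= brute_threshold:
            findings.append(("brute_force", ip, user, n))
    for ip, users in failing_users_by_ip.items():
        if len(users) >= stuffing_threshold:
            # "*" marks that the finding is about many accounts, not one
            findings.append(("credential_stuffing", ip, "*", len(users)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG.splitlines())):
        print(finding)
```

The legitimate user who mistypes twice and then logs in (192.0.2.44) stays below both thresholds. Real credential stuffing is usually spread across many source addresses precisely to stay under per-IP limits, so a production detector would also look at the ratio of distinct accounts to attempts per client fingerprint, per ASN, or per time window rather than per IP alone.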
How to protect yourself from this password database
Hopefully organizations will take the time to strengthen their defenses against attacks like these, but as individuals there is also a lot we can do to protect ourselves.
First, use a password leak checker to see whether your credentials are accessible to attackers, whether in this database or elsewhere. If any of your passwords show up as compromised, change them immediately.
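A good leak checker should not require you to hand over the password you are worried about. The widely used approach is k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known suffix for that prefix, and does the final comparison locally. This is the scheme the Have I Been Pwned Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<prefix>) uses. The block below is an added example, not code from the article or from that service: it simulates both sides offline against a small constructed list standing in for a breach corpus, so nothing is sent over the network.

```python
import hashlib

# Constructed stand-in for a leaked-password corpus (NOT the real rockyou2024.txt).
CONSTRUCTED_LEAKED = ["123456", "password", "rockyou", "letmein", "123456"]


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, as used by the range-query scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: map 5-hex-char prefix -> {35-char suffix: times seen}."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        prefix, suffix = h[:5], h[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def range_query(index, prefix):
    """Server side: answer a prefix query with every suffix in that bucket.

    The server only ever learns the 5-character prefix, which matches a large
    number of unrelated hashes, so it cannot tell which password was checked.
    """
    return dict(index.get(prefix, {}))


def leak_count(index, password):
    """Client side: return how many times the password appears in the corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    candidates = range_query(index, prefix)   # only the prefix leaves the client
    return candidates.get(suffix, 0)          # the full-hash comparison stays local


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_LEAKED)
    for pw in ["123456", "correct horse battery staple"]:
        print(f"{pw!r}: seen {leak_count(idx, pw)} time(s)")
```

The same local comparison is what a registration form should do before accepting a new password: reject anything with a non-zero count rather than relying on complexity rules alone.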
Next, make sure you use a strong and unique password for each of your accounts. If one set of credentials leaks, attackers cannot reuse it elsewhere, because none of your other accounts share that compromised password.
If an account supports passkeys, use them instead: passkeys do not involve a shared secret that can be leaked. If not, use two-factor authentication wherever possible. Even if attackers know your credentials, they cannot get into your account without your trusted device, whether that is a smartphone or an authenticator app.
To manage all these credentials, use a password manager. A good password manager will not only store your passwords but should also offer handy security features such as a password generator, 2FA codes, and alerts when your passwords turn up in a leak.