Tenable Commentary On RockYou2024 Password Dump
Posted: Tuesday, Jul 09
  • KBI.Media

On July 4, researchers from Cybernews found a shared file containing 9,948,575,739 unique plaintext passwords on a hacking forum. The password dump appears to be an updated version of the “RockYou2021” data leak collection that surfaced on the web in June 2021. Since then, 1.5 billion new and unique passwords have been added to the current file. Data breaches are valuable to cybercriminals because users often reuse passwords across multiple services, a common practice that makes credential stuffing easier. Recently, a wave of attacks targeting companies like Santander, Ticketmaster, Advance Auto Parts, and QuoteWizard stemmed from credential stuffing attacks on their cloud service provider.

Comment below from Satnam Narang, sr. staff research engineer, Tenable:
“These data breaches are valuable to hackers because, unfortunately, users have a tendency to re-use passwords across multiple services. This practice of password re-use makes it easier for hackers to utilise techniques such as credential stuffing, where hackers “stuff” these “credentials” on other websites in hopes of successfully logging in.

“The reality is that data breaches have become so commonplace today that it serves as a reminder of the importance of password hygiene. The ‘RockYou2024’ collection of passwords is just one of the most recent examples of combining data from disparate breaches to create a single list of login credentials (username and password combinations).

“We can’t put the blame on users’ shoulders, because the prevalence of many different apps and services requires them to create accounts and it’s simply easier to use the same password. This is where services like password managers can be extremely beneficial to users. Password managers are designed to create strong and unique passwords and can be used to assist users in logging into websites without having to remember various passwords. Users only have to remember a single password that controls their password manager account.

“Additionally, for more sensitive services, like email or banking, users should also be utilising two-factor authentication where available. App-based two-factor authentication, where a one-time passcode (OTP) of numbers is randomly generated every 60 seconds, can also be used to prevent hackers from accessing an account. This is because, while the hacker may be able to obtain stolen passwords from another breach, they are unlikely to have physical access to someone’s mobile device, so they will not be able to input the OTP.

“Data breaches won’t stop happening. This is why it is critically important that users adopt better password hygiene, such as through using password managers, and also consider enhancing account security through the use of two-factor authentication, especially app-based two-factor authentication.” — Satnam Narang, sr. staff research engineer, Tenable
