A file containing about 10 billion individual passwords was posted on an online hacking forum in what could be the largest such compilation of leaked passwords ever. The file was posted on July 4, and contains passwords compromised in both recent and old data breaches all over the world.
So many passwords available to hackers increases the likelihood of credential stuffing attacks, where one compromised password used for a user’s account can be reused by a hacker to break into another account. The list’s discovery is a reminder to use unique, strong passwords for each account in a person’s name.
Not all the passwords in the compilation appeared to be new — in other words, they have been leaked previously — but the way they were presented, in a single, searchable file, increases the chance of “credential stuffing.” The practice allows a bad actor to take a user’s known password and try to reuse it to break into other accounts in their name.
Hackers might take a password from a person’s email and try to use it to get into their bank account, Cybernews, a cybersecurity-focused news outlet, explained.
A recent wave of cyberattacks using this technique have compromised sensitive data across Santander bank, AT&T, Ticketmaster, and 23andMe, as well as various other businesses.
The number of malicious cyberattacks has more than doubled since 2020, an International Monetary Fund report estimated, which increases the risk of financial consequences for governments, businesses, and individuals. The financial sector is particularly attractive for bad actors: It has experienced more than 20,000 attacks in the last two decades, the IMF noted.
The healthcare sector is also an increasingly appealing target, medical journal The Lancet noted. There, cyberattacks impact business operations — and could also have deadly consequences for patients. “We should all be terrified,” an expert told The New York Times after a recent breach on US health tech company Change Healthcare.
The actual number of passwords in this compilation — which appears to be enormous — likely doesn’t increase the threat capabilities of bad actors much, cybersecurity specialists told Forbes.
