Updated Jul 9, 2024, 12:38pm EDT

Semafor Signals

Nearly 10 billion passwords leaked in what may be biggest dataset of its kind ever

Insights from CyberNews, International Monetary Fund, The Lancet, and Forbes

Kacper Pempel/File Photo/Reuters

The News

A file containing about 10 billion individual passwords was posted on an online hacking forum in what could be the largest such compilation of leaked passwords ever. The file was posted on July 4, and contains passwords compromised in both recent and old data breaches all over the world.

Having so many passwords available to hackers increases the likelihood of credential stuffing attacks, where one compromised password used for a user’s account can be reused by a hacker to break into another account. The list’s discovery is a reminder to use unique, strong passwords for each account in a person’s name.


SIGNALS

Semafor Signals: Global insights on today's biggest stories.

The rise of ‘credential stuffing’ attacks

Source: CyberNews

Not all the passwords in the compilation appeared to be new — in other words, they have been leaked previously — but the way they were presented, in a single, searchable file, increases the chance of “credential stuffing.” The practice allows a bad actor to take a user’s known password and try to reuse it to break into other accounts in their name. Hackers might take a password from a person’s email and try to use it to get into their bank account, Cybernews, a cybersecurity-focused news outlet, explained. A recent wave of cyberattacks using this technique has compromised sensitive data across Santander bank, AT&T, Ticketmaster, and 23andMe, as well as various other businesses.

Cyberattacks are becoming more common across the globe

Sources: International Monetary Fund, The Lancet, The New York Times

The number of malicious cyberattacks has more than doubled since 2020, an International Monetary Fund report estimated, which increases the risk of financial consequences for governments, businesses, and individuals. The financial sector is particularly attractive for bad actors: It has experienced more than 20,000 attacks in the last two decades, the IMF noted. The healthcare sector is also an increasingly appealing target, medical journal The Lancet noted. There, cyberattacks impact business operations — and could also have deadly consequences for patients. “We should all be terrified,” an expert told The New York Times after a recent breach at US health tech company Change Healthcare.

Sheer number of passwords likely doesn’t affect threat capability

Source: Forbes

The actual number of passwords in this compilation — which appears to be enormous — likely doesn’t increase the threat capabilities of bad actors much, cybersecurity specialists told Forbes. But the scale of the leaks highlights the glaring holes in online security, one analyst noted. “I know this might sound funny, but what’s an extra 1.5 billion passwords?” a cybersecurity expert said. Once a document like this contains a certain number of data points, it may not matter much how many new passwords are added, because the chance that the passwords repeat or are variations of previous occurrences rises. And, Forbes noted, the file may actually turn out to be useless because of its huge size.
