Cybercriminals use a variety of sophisticated attack methods, such as phishing and brute force, to steal users’ passwords, which they can then sell online or use to steal sensitive data in account takeover attacks.
And, as recent reports have uncovered, the risk of credential theft is very real: the biggest ever collection of passwords has been leaked in an online forum.
Here’s what we know about the stolen passwords, and what you can do to keep your data—and your company’s data—safe.
The World’s Largest Password Leak
In 2009, cybercriminals gained access to the servers of “RockYou”, a social media company that created widgets for MySpace pages and implemented applications for various other social networking sites. During the breach, the hackers stole more than 32 million user passwords, which were stored in plaintext.
The scale of the RockYou attack was concerning but, in what is now one of the largest password leaks in the internet’s history, a user of a hacker forum has posted a text file of roughly 100GB containing 8.4 billion entries. The poster named the collection “RockYou2021”. It is a compilation rather than a single breach: the entries appear to have been gathered from earlier leaks and password-cracking wordlists, and they are passwords only, with no usernames or email addresses attached.
According to the researchers who analyzed the file, every entry is between 6 and 20 characters long; non-ASCII characters and white space were stripped out before it was posted.
Credential Theft Methods
Two of the most common methods by which hackers obtain users’ login credentials are social engineering, such as phishing, and password guessing, of which brute force is the best-known form.
Social engineering is one of the most sophisticated threats that organizations are currently facing. Last year, 75% of businesses around the world experienced a phishing attack, and 74% of attacks on US businesses were successful.
During a phishing attack, the bad actor sends an email to their target, posing as a trusted source to trick them into giving up sensitive data, such as login credentials.
For more information on social engineering, read our guide on how to stop phishing attacks.
Brute Force Attacks
Password guessing does not require much from the attacker. To attack a user’s account, all the bad actor needs is the username, which is usually that user’s email address. This information is often publicly available on social and professional networking sites, such as LinkedIn, but can also be bought on the Dark Web.
Once a hacker has their target’s email address, they can point a cracking tool or a custom script at the login page and let it submit guesses automatically (an “online” attack). If they have also obtained the site’s password database, they can instead run the guesses offline against the stolen password hashes, far faster and without touching the target’s servers. When a guess succeeds, the tool reports it, and the hacker can log in as the user and access corporate data “under the radar”.
There are numerous password cracking methods, and a true brute force attack is the most exhaustive: the tool works systematically through every possible combination of letters, numbers and symbols, character by character, until it finds the right one. In practice, tools start with something cheaper: a dictionary attack that tries lists of known passwords (leaks such as RockYou2021 are used for exactly this), together with common variations such as a capitalised first letter or an appended year or symbol, and fall back to exhaustive search only for the passwords that remain.
According to the hacker Tinker, any eight-character password, which is often set as a standard minimum length, can be cracked in less than 2.5 hours, no matter its complexity. The caveat matters: that figure came from offline cracking of Windows NTLM hashes on a multi-GPU rig. NTLM is fast and unsalted, so every guess is cheap. The same password behind a slow, salted hash such as bcrypt, or behind a login page that locks out after a few failed attempts, takes far longer to guess.
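To make the difference between a dictionary attack, an exhaustive brute force and a slow hash concrete, here is a small added example (written for this article, not code from Tinker or from any cracking tool). The wordlist, the target passwords and the guesses-per-second rate used for the eight-character estimate are all constructed or assumed; the only real-world inputs are the hash algorithms from Python’s standard library.

```python
import hashlib
import itertools
import string
import time

# Constructed stand-in for a leaked wordlist such as RockYou2021
# (a handful of entries; the real file has billions).
SAMPLE_WORDLIST = ["123456", "password", "summer", "qwerty", "letmein", "welcome"]


def mutations(word):
    """Yield a wordlist entry plus the cheap variations cracking tools apply
    through 'rules': capitalisation and common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2021", "2021!"):
            yield base + suffix


def fast_hash(password, algo="sha1"):
    """Unsalted fast hash: the worst case for the defender (NTLM, MD5, SHA-1)."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest()


def slow_hash(password, salt, iterations=200_000):
    """Salted, deliberately slow hash: every guess costs `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def dictionary_attack(target_hex, wordlist, algo="sha1"):
    """Try each wordlist entry and its mutations against a fast hash.
    Returns (password, guesses_made); password is None if not found."""
    guesses = 0
    for word in wordlist:
        for candidate in mutations(word):
            guesses += 1
            if fast_hash(candidate, algo) == target_hex:
                return candidate, guesses
    return None, guesses


def brute_force(target_hex, charset, max_len, algo="sha1"):
    """Exhaustive search, shortest strings first. Only feasible for tiny keyspaces."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if fast_hash(candidate, algo) == target_hex:
                return candidate, guesses
    return None, guesses


def keyspace(charset_size, length):
    """Number of strings of exactly `length` characters over `charset_size` symbols."""
    return charset_size ** length


def hours_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every string of `length` characters at a given rate."""
    return keyspace(charset_size, length) / guesses_per_second / 3600


def measure_rate(hash_fn, seconds=0.3):
    """Rough single-core guesses-per-second for a hash function on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    # A wordlist entry with a rule applied falls immediately.
    print("dictionary:", dictionary_attack(fast_hash("Summer2021!"), SAMPLE_WORDLIST))
    # Exhaustive search over a toy keyspace (36 symbols, up to 3 characters).
    print("brute force:", brute_force(fast_hash("ab1"), string.ascii_lowercase + string.digits, 3))
    # All 95 printable ASCII characters, 8 long. The 1e12 guesses/s rate is an
    # assumed figure for a GPU rig against a fast unsalted hash, not a measurement.
    print("8 chars, 95 symbols, 1e12 guesses/s: %.1f hours" % hours_to_exhaust(95, 8, 1e12))
    fast_rate = measure_rate(fast_hash)
    slow_rate = measure_rate(lambda p: slow_hash(p, b"constructed-salt"))
    print("this CPU: fast hash %.0f/s, PBKDF2 %.0f/s (%.0fx slower)"
          % (fast_rate, slow_rate, fast_rate / slow_rate))
```

Running it shows the two ends of the spectrum: “Summer2021!” is found within a few dozen guesses because it is just a wordlist entry plus a rule, while the exhaustive search only finishes in reasonable time because the toy alphabet is tiny. The last line is the defender’s lever: at the same guess budget, a PBKDF2 hash with 200,000 iterations costs the attacker several orders of magnitude more per guess than SHA-1, which is why the 2.5-hour figure above does not carry over to properly hashed password databases.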
You can read more about protecting your organization against password cracking in our guide to preventing brute force attacks.
How To Protect Your Data Against Credential Theft And Account Takeover
Around 4.7 billion people use the internet today, and the RockYou2021 file holds 8.4 billion entries, nearly twice as many as there are internet users. That does not mean every user’s password is in it: the entries carry no usernames, and the file appears to mix genuinely leaked passwords with cracking wordlists. The practical danger is that attackers now have a ready-made dictionary, so any password that appears in the file, however long or complex, will be among the first guesses tried in a dictionary or password-spraying attack.
There are three steps we suggest you take to ensure your data remains secure:
- Check whether any of your credentials—or your organization’s credentials—have been compromised using a tool like haveibeenpwned.com. Its Pwned Passwords service can be queried safely: the client sends only the first five characters of the password’s SHA-1 hash and matches the rest locally, so the password itself never leaves your machine. If a credential turns up, change that password immediately, and on every other site where it was reused, to mitigate the threats of account takeover and data loss. Encourage your users to carry out a check like this regularly so that compromised credentials are not left in use.
- Implement a password manager. Password management solutions help users to generate unique, complex passwords for all of their accounts. They store these credentials in an encrypted vault, unlocked by a master password (ideally protected by MFA of its own), keeping them safe against theft while taking pressure off users to remember them all. Some password managers, like Keeper and Dashlane, also scan the dark web for lists of compromised credentials, comparing those lists to the passwords stored in your vault. If any of your credentials have been compromised, the password manager will notify you and suggest you update them.
- Implement multi-factor authentication, or “MFA”. MFA is an electronic authentication method that requires users to verify their identity in two or more ways before they’re granted access to an account. This means that a stolen password alone is not enough to log in. Not all factors are equal, though: SMS codes and push prompts can still be phished or approved by a worn-down user, whereas hardware security keys (FIDO2/WebAuthn) resist phishing because the key only signs for the genuine site.
These steps are crucial to protecting your organization against account takeover attacks and the subsequent risk of data loss. To help you combat these threats and find the best security solutions for your business, we’ve put together guides to the best products currently on the market, which you can find below: