A penetration tester’s take on the implications
Cybernews researchers have found 9,948,575,739 unique plaintext passwords leaked on BreachForums, a popular hacking forum.
On 4 July 2024, a threat actor called ‘ObamaCare’ leaked what is likely the largest password compilation to date, calling it “10 Billion Rockyou2024 Password Compilation”.
Specifically, ObamaCare said:
I present you a new rockyou2024 password list with over 9.9 billion passwords! I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years. Also cracked some old ones with my new 4090. This contains actual new real passwords from users.
Put differently, this database is the updated version of RockYou2021, which contained 8,459,060,239 unique passwords. So, between 2021 and 2024, the threat actor increased this database by 18% (1,489,515,500 records).
As such, RockYou2024 is a mix of old and new passwords. However, as we learned from the MOAB (mother of all breaches), even old passwords can present a real threat due to people’s poor password habits – reusing passwords across different accounts, for example, and not changing their passwords regularly.
We sat down with senior penetration tester Leon Teale to learn more about the dangers of this new breach.
About Leon Teale
Leon is one of our senior penetration testers. He has more than ten years’ experience performing penetration tests for clients in various industries all over the world.
In addition, Leon has won hackathon events in the UK and internationally, and is accredited for multiple bug bounties. He’s also been featured in various articles in the press relating to cyber security.
We’ve previously talked to him about the MOAB, zero-day exploits and secure remote working.
In this interview
How serious is RockYou2024?
Was it really 10 billion passwords breached?
Differences between the MOAB and RockYou2024
How a penetration tester uses password compilations
How COMBs (compilations of many breaches) are formed
How organisations can protect themselves
What do you make of this new breach? Is it as serious as it sounds?
Yes, it’s serious. However, for those in the industry, it’s less shocking than to someone who may only just be hearing that data breaches and password leaks can come in such significant sizes.
I’m partly saying this because of the ‘predecessor’ to this breach: RockYou2021. That breach three years ago involved nearly 8.5 billion records.
When you compare that to the 10 billion records in this 2024 breach, this puts things into perspective: ‘only’ an extra 1.5 billion records or so. But I appreciate that’s still a huge number – I was using the term ‘only’ very loosely there.
Are we really looking at [nearly] 10 billion passwords breached here?
Possibly not. I’ve seen speculation that the threat actor just wanted to bump the numbers up to 10 billion to make it sound more impressive and draw more attention.
Plus, when you analyse this file, you’ll see that it’s not all high-quality data. The file contains quite a bit of junk data – data that’s just wrong, or useless to a hacker [criminal or ethical]. For example, the file includes organisation names, random strings, and other useless information like that.
The overall risk is comparable to the RockYou2021 leak. Unfortunately, these types of breaches are commonplace now – I almost think of them as ‘expected’.
Interviewer note: Head of security testing James Pickard raised similar points in this interview on security trends for 2024 and beyond.
Previously, we talked about the MOAB. How different was that breach to RockYou2024?
The original RockYou hack, from 2009, came from a single breach, so it wasn’t a COMB [compilation of many breaches].
The MOAB, on the other hand, was a COMB. COMBs combine usernames and passwords from lots of different data leaks, collecting them into one location.
Also, the MOAB contained more than just usernames and passwords: it included other information associated with the breached accounts. That could include medical records and other sensitive information.
As for RockYou2024, I expect it’ll be classed as a COMB in due course.
Are there any other differences between RockYou2024 and COMBs?
Yes, but I’m going to get technical here.
The rockyou2021.txt and rockyou2024.txt files are each one single file containing billions of lines. So, reading one can take some time. The rockyou2024.txt file size is 145.25 GB.
That’s different to past COMBs like the MOAB, which were split up into lots of folders and files to significantly speed up cataloguing and searching.
Let’s take a 10 GB TXT file as an example, which is comparable to the format of RockYou, just smaller. This takes my machine 11.51 seconds to read. But it only needs 0.08 seconds to read a 100 GB COMB directory containing lots of files.
Interviewer note: Leon shared the below screenshot to illustrate.
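To show why the single-file versus split-directory difference Leon describes matters in practice, here is an added Python example (not code from the interview, nor from any tool mentioned on this page) that splits a constructed stand-in for a RockYou-style list into per-prefix shard files keyed by the first two hex characters of each entry's SHA-1, so a later lookup opens one small shard instead of scanning the whole file. The `SAMPLE_LEAK` list, the shard layout and the `demo` function are assumptions for illustration only.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a compilation such as rockyou2024.txt (the real file is 145.25 GB).
SAMPLE_LEAK = ["password", "123456", "August2023", "qwerty", "letmein", "Summer2024!"]


def shard_key(password: str) -> str:
    """First two hex chars of SHA-1 -> up to 256 shard files, mirroring a split COMB layout."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()[:2]


def build_sharded_store(lines, root: str) -> int:
    """Split one large line-per-password list into a directory of shard files.

    Returns the number of shard files written.
    """
    os.makedirs(root, exist_ok=True)
    handles = {}
    try:
        for raw in lines:
            pw = raw.rstrip("\n")
            if not pw:
                continue  # skip blank lines
            key = shard_key(pw)
            if key not in handles:
                handles[key] = open(os.path.join(root, key + ".txt"), "a", encoding="utf-8")
            handles[key].write(pw + "\n")
    finally:
        for h in handles.values():
            h.close()
    return len(handles)


def in_store(password: str, root: str) -> bool:
    """Membership test that reads only the one shard the password can live in."""
    path = os.path.join(root, shard_key(password) + ".txt")
    if not os.path.exists(path):
        return False
    with open(path, encoding="utf-8") as f:
        return any(line.rstrip("\n") == password for line in f)


def demo():
    """Build the sharded store in a temp dir and look up one known and one unknown password."""
    root = tempfile.mkdtemp(prefix="rockyou_shard_demo_")
    shard_count = build_sharded_store(SAMPLE_LEAK, root)
    return shard_count, in_store("August2023", root), in_store("correct horse battery", root)
```

On a real compilation the same split lets a compromised-password check touch a few hundred kilobytes per query rather than re-reading a 145 GB file.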
In your line of work, to what extent do you pay attention to such password compilations? And how do you use them, if at all?
As a penetration tester, I have to keep up with these sorts of breaches, both for personal development and simply to stay up to date in the field to carry out my job well. The cyber landscape is a fast-changing one; you need to stay on top of the latest news, threats and vulnerabilities.
I use these leaks to help identify if clients have any usernames and passwords in these big database leaks when performing internal penetration tests. I query clients’ corporate email addresses on my server to find associated credentials and often discover them to be valid on their corporate systems.
A cyber criminal would take a similar approach. Ethical hacking is about imitating the methods cyber attackers use, though without causing damage, of course.
That includes keeping up with these types of mega leaks. The more up to date your lists or database, the better.
Where the credentials turn out valid, is that because the organisation had previously been breached?
It could be. But it can also be caused by users reusing the same password across different accounts. Or, sometimes, they use obvious variations of the same password – ‘August2023’, ‘August2024’, etc.
I also get clues from password hints that users have set – ‘usual’, ‘same as work login’, etc. That strongly suggests they’re using their corporate password on third-party services – LinkedIn, for example, which has been breached.
Once an attacker gets hold of a list of emails and passwords, they could then automate the process of trying to get into an organisation’s systems, looking for valid credentials. This could give them access to emails and other user accounts – even VPNs! [Virtual private networks.]
How are these types of databases formed?
These collections are generally just amassed from other leaked breaches. These are frequently shared, and freely available on both the dark web and the Internet.
This will take time and proper formatting, but given the resources available, this is pretty rudimentary to do.
What can organisations do to protect themselves?
Organisations should technically enforce strong passwords and require MFA [multifactor authentication]. They should also roll out staff training, teaching employees better password habits, like choosing unique passwords, using techniques like ‘three random words’ [to generate passphrases], and so on.
This type of staff awareness will generally improve organisations’ security postures, too. They should make clear to staff that they all have a responsibility for security, teach them how to recognise phishing attacks, show them how to report security incidents, and so on.
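As an added example of the "technically enforce strong passwords" advice above (not code from the interview or from IT Governance), this Python function screens a candidate password against a constructed mini breach list and the user's previous passwords, rejecting verbatim hits and the kind of trivial variants Leon describes ("August2023" to "August2024"), while letting a "three random words" passphrase through. The `BREACHED` and `PREVIOUS` sets and the 12-character minimum are assumptions; in production the breach list would be a hashed, sharded copy of a real compilation rather than an in-memory set.

```python
import re

# Constructed stand-in for a breach compilation such as rockyou2024.txt.
BREACHED = {"password", "123456", "August2023", "Welcome1", "qwerty"}
# Constructed: this user's previous passwords (e.g. from a password-history store).
PREVIOUS = {"August2023"}
MIN_LENGTH = 12  # assumed policy value, not taken from the page


def normalize(pw: str) -> str:
    """Reduce a password to its stem so 'August2024!' and 'august2023' compare equal."""
    stem = re.sub(r"[^a-z0-9]", "", pw.lower())   # case-fold and drop punctuation
    stem = re.sub(r"(19|20)\d{2}$", "", stem)       # drop a trailing year (1900-2099)
    stem = re.sub(r"\d{1,3}$", "", stem)            # drop a short trailing counter
    return stem


def check_password(candidate: str, breached=BREACHED, previous=PREVIOUS) -> list:
    """Return the reasons a candidate is rejected; an empty list means it is accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    breached_stems = {normalize(b) for b in breached} - {""}
    previous_stems = {normalize(p) for p in previous} - {""}
    stem = normalize(candidate)
    if candidate in breached:
        reasons.append("appears verbatim in a breach compilation")
    elif stem in breached_stems:
        reasons.append("trivial variant of a breached password")
    if stem in previous_stems:
        reasons.append("trivial variant of a previous password")
    return reasons
```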
Rolling out staff awareness simply and cost-effectively
Elearning courses like our Cyber Security Staff Awareness E-Learning Course are ideal for rolling out staff training quickly and cost-effectively.
Use NCSC (National Cyber Security Centre)-certified expertise to reduce the risk of security breaches and incidents by embedding a culture of cyber security in your organisation.
Learn what cyber security is, the consequences of a cyber attack and why security is everyone’s business.
Empower your staff to spot malicious activity and know what to do if they see a problem.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
In the meantime, why not check out our previous interview with Leon on the MOAB?
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.
The post ‘RockYou2024’: Nearly 10 BILLION Unique Plaintext Passwords Leaked appeared first on IT Governance UK Blog.