Verizon’s 2024 Data Breach Investigations Report (DBIR), a must-read publication, was published on May 1, 2024. The report indicates that “Over the past 10 years, the use of stolen credentials has appeared in almost one-third (31%) of all breaches…”

Stolen credentials means a threat actor has obtained a user’s username and password, whether through phishing, infostealer malware, or a breach of some other site where the same password was used. With a valid password, the threat actor simply logs in as that user and has the same access to data and systems the user has, unless multi-factor authentication or another control stands in the way. Because the session is a legitimate authenticated login rather than an exploit, tools put in place to detect malicious intrusions often see nothing unusual. This is a nightmare for organizations. Compromised passwords are also a problem well beyond the account they came from: threat actors collect them into large lists and replay them in credential-stuffing and other brute-force attacks against unrelated services. If a user has reused a compromised password on any other platform, it gives threat actors an easy way into every account that shares it. That is why we always tell users not to use the same password across platforms.

It is important to change a password promptly whenever it may have been exposed and to follow your organization’s procedure for changing passwords (current NIST guidance in SP 800-63B favors changing passwords on evidence of compromise rather than rotating them on a fixed schedule). It is also crucial not to use the same password across different platforms.

A recent article by Cybernews shows how vital this mantra is. According to the article, “Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.” The passwords came from a mix of old and new data breaches.

Apparently, the threat actors compiled “real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks.”

Cybernews further states that it believes “that attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware.”
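The two attack patterns behind that warning look different in an authentication log, and the difference is what a detection rule keys on: credential stuffing from a compilation like this one is a few attempts each against many accounts from one source, while classic brute force is many attempts against one account. The following is an added example, not code from the article or from Cybernews, that runs that distinction over a handful of constructed log lines; the log format (ISO time, OK or FAIL, username, source IP), the five-minute window and the thresholds are assumptions chosen for the illustration.

```python
"""Spot credential stuffing and single-account brute force in an auth log.

Added example, not from the article. The log format is hypothetical:
'<ISO-8601 time> <OK|FAIL> <username> <source IP>'. The sample lines are
constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a benign typo followed by a success, a stuffing run
# that tries six different accounts once each from one IP and finally gets in,
# and a brute-force run that hammers one account from another IP.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z FAIL alice 192.0.2.5
2024-07-05T10:00:05Z OK alice 192.0.2.5
2024-07-05T10:01:00Z FAIL alice 203.0.113.9
2024-07-05T10:01:01Z FAIL bob 203.0.113.9
2024-07-05T10:01:02Z FAIL carol 203.0.113.9
2024-07-05T10:01:03Z FAIL dave 203.0.113.9
2024-07-05T10:01:04Z FAIL erin 203.0.113.9
2024-07-05T10:01:05Z FAIL frank 203.0.113.9
2024-07-05T10:01:06Z OK frank 203.0.113.9
2024-07-05T10:02:00Z FAIL admin 198.51.100.7
2024-07-05T10:02:01Z FAIL admin 198.51.100.7
2024-07-05T10:02:02Z FAIL admin 198.51.100.7
2024-07-05T10:02:03Z FAIL admin 198.51.100.7
2024-07-05T10:02:04Z FAIL admin 198.51.100.7
2024-07-05T10:02:05Z FAIL admin 198.51.100.7
"""


def parse_line(line):
    """Parse one log line into (timestamp, failed, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result == "FAIL", user, ip


def analyze(log_text, window=timedelta(minutes=5),
            stuffing_accounts=5, brute_attempts=5):
    """Sliding-window analysis of failed logins (thresholds are assumptions).

    - stuffing: one source IP fails against >= stuffing_accounts distinct
      accounts inside `window` (few tries per account, many accounts).
    - brute force: one account collects >= brute_attempts failures inside
      `window` (many tries, one account).
    - stuffed login: a successful login from an IP already flagged for
      stuffing, i.e. a reused password from the list that actually worked.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    fails_by_ip = defaultdict(list)    # ip -> [(ts, user), ...] within window
    fails_by_user = defaultdict(list)  # user -> [ts, ...] within window
    stuffing_ips, brute_users, stuffed_logins = set(), set(), []

    for ts, failed, user, ip in events:
        cutoff = ts - window
        if not failed:
            if ip in stuffing_ips:
                stuffed_logins.append((user, ip))
            continue
        # Per-source view: how many distinct accounts has this IP failed on?
        recent = [e for e in fails_by_ip[ip] if e[0] >= cutoff] + [(ts, user)]
        fails_by_ip[ip] = recent
        if len({u for _, u in recent}) >= stuffing_accounts:
            stuffing_ips.add(ip)
        # Per-account view: how many failures has this account collected?
        hits = [t for t in fails_by_user[user] if t >= cutoff] + [ts]
        fails_by_user[user] = hits
        if len(hits) >= brute_attempts:
            brute_users.add(user)

    return {"stuffing_ips": stuffing_ips,
            "brute_force_users": brute_users,
            "stuffed_logins": stuffed_logins}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(name, value)
```

The finding that matters most is the success from a source already flagged for stuffing, since it marks a reused password that worked: that account should be locked, the user forced through a reset, and MFA enrolled. Real thresholds need tuning per environment, and the per-source counters must be applied on the true client address rather than on a proxy or NAT gateway that many users share.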

Here are the recommendations from the Cybernews research team:

  • Immediately reset the passwords for all accounts associated with the leaked passwords. It is strongly recommended that strong, unique passwords be selected that are not reused across multiple platforms.
  • Enable multi-factor authentication (MFA) wherever possible. This enhances security by requiring additional verification beyond a password.
  • Utilize password manager software to generate and store complex passwords securely. Password managers mitigate the risk of password reuse across different accounts.
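Acting on the first recommendation requires a way to tell which passwords are in the compilation, and the standard approach is to check each candidate password against the list at the moment it is set, which NIST SP 800-63B requires of verifiers. The following is an added example, not code from the article or from Cybernews, that builds a lookup index from a small constructed list standing in for a file like rockyou2024.txt and checks candidates against it. It stores SHA-1 digests split into a 5-hex-character prefix and a 35-character suffix, the same scheme the Have I Been Pwned Pwned Passwords range API uses, so the side doing the lookup only ever reveals the prefix. The sample passwords, the 12-character floor and the function names are assumptions for the illustration.

```python
"""Check a proposed password against a leaked-password compilation, offline.

Added example, not from the article or from Cybernews. The compilation below
is constructed: a few lines standing in for a file like rockyou2024.txt.
"""
import hashlib
from collections import defaultdict

# Constructed stand-in for a plaintext compilation, one password per line;
# the real file is the same shape but roughly ten billion lines long.
SAMPLE_COMPILATION = """\
123456
password
qwerty
letmein
iloveyou
P@ssw0rd
Summer2024!
correct horse battery staple
"""


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the digest the HIBP range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(compilation_text):
    """Map each 5-hex-char digest prefix to the set of 35-char suffixes under it."""
    index = defaultdict(set)
    for line in compilation_text.splitlines():
        pw = line.rstrip("\r\n")
        if not pw:
            continue
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def range_lookup(index, prefix):
    """Server side of a range query: every suffix stored under one prefix.
    The server learns only the 5-char prefix, never the candidate password."""
    return index.get(prefix.upper(), set())


def is_compromised(index, candidate):
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(candidate)
    return digest[5:] in range_lookup(index, digest[:5])


def check_new_password(index, candidate, min_length=12):
    """Accept or reject a proposed password: a length floor plus the
    leaked-list check, with no composition rules, in the spirit of NIST SP 800-63B.
    The 12-character floor is an assumption for this example."""
    if len(candidate) < min_length:
        return False, "too short"
    if is_compromised(index, candidate):
        return False, "appears in a leaked-password compilation"
    return True, "ok"


if __name__ == "__main__":
    idx = build_index(SAMPLE_COMPILATION)
    for pw in ["password", "P@ssw0rd", "correct horse battery staple",
               "glacier-tuba-quartz-97"]:
        print(repr(pw), check_new_password(idx, pw))
```

An in-memory set of ten billion suffixes will not fit on a typical host; for the real file, store the binary digests sorted on disk and binary-search them, use a Bloom filter sized for the list, or query the HIBP range API over HTTPS with the same 5-character prefix. The length check runs first on purpose, but length alone is not enough: the 28-character passphrase in the sample list is rejected because it appears in the compilation, which is exactly the case a composition rule would miss.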

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law. Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.