
Vilius Petkauskas of CyberNews reports that on July 4th a text file containing nearly 10 billion passwords was posted online. He writes:

The king is dead. Long live the king. Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.

While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County. […]

Credential stuffing attacks can be severely damaging for users and businesses. For example, a recent wave of attacks targeting Santander, Ticketmaster, Advance Auto Parts, QuoteWizard, and others was a direct result of credential stuffing attacks against the victims’ cloud service provider, Snowflake.

“Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the team explained. […]

How to protect against RockYou2024?

While there is no silver bullet to protect users who had their passwords exposed, impacted individuals and organizations should take up mitigation strategies. The Cybernews research team advises to:

  • Immediately reset the passwords for all accounts associated with the leaked passwords. It is strongly recommended to select strong, unique passwords that are not reused across multiple platforms
  • Enable multi-factor authentication (MFA) wherever possible. This enhances security by requiring additional verification beyond a password
  • Utilize password manager software to securely generate and store complex passwords. Password managers mitigate the risk of password reuse across different accounts

Cybernews will include data from RockYou2024 in the Leaked Password Checker, allowing anyone to check if their credentials were exposed via the latest record-holding exposed password compilation.

With RockYou2024, we witnessed a second record-breaking compilation leaked online in 2024. Earlier this year, Cybernews discovered the Mother of all breaches (MOAB), comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records.

Read more here.
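The "reset any password found in the leak" advice and the Leaked Password Checker above both rest on the same primitive: testing a password against a huge compilation without handing the password itself to whoever holds the list. The following is an added example of that check written in the k-anonymity style; it is not Cybernews' checker and assumes the compilation is a plain file with one password per line (as the rockyou lists are). The checker side indexes SHA-1 hashes by their first five hex characters; the user side hashes locally, sends only that prefix, and compares the returned suffixes itself. The sample compilation is constructed.

```python
"""Leaked-password check in the k-anonymity style.

Added example, not Cybernews' Leaked Password Checker.  The checker side
keeps only SHA-1 hashes of the compilation, bucketed by their first five hex
characters; the user side hashes its password locally, sends just that
prefix, and compares the returned suffixes itself.  The checker therefore
never sees the password or even its full hash.  This is the design the
Have I Been Pwned "Pwned Passwords" range API popularised; the file format
(one plaintext password per line, mixed line endings) is an assumption.
"""
from collections import defaultdict
import hashlib
import io
from typing import Dict, Iterable, List

PREFIX_LEN = 5  # hex characters the user reveals: 20 of the 160 hash bits


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (range-API convention)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Checker side: stream the compilation once, keeping hash suffixes by prefix.

    The plaintext list is read line by line and discarded; only hashes stay.
    A real 10-billion-line file would be written out as one sorted suffix
    file per prefix rather than held in a dict like this.
    """
    index: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        pw = line.rstrip("\r\n")  # compilations mix \n and \r\n endings
        if not pw:
            continue
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]].append(h[PREFIX_LEN:])
    return index


def range_query(index: Dict[str, List[str]], prefix: str) -> List[str]:
    """Checker side: all it learns is the prefix; it returns every matching suffix."""
    return sorted(index.get(prefix, []))


def is_exposed(password: str, index: Dict[str, List[str]]) -> bool:
    """User side: hash locally, reveal only the prefix, match suffixes locally."""
    h = sha1_hex(password)
    return h[PREFIX_LEN:] in range_query(index, h[:PREFIX_LEN])


# Constructed stand-in for a few lines of a compilation; not real leaked data.
SAMPLE_COMPILATION = "password\r\n123456\nletmein\nSummer2024!\n\ncorrect horse battery staple\n"


def exposed_in_sample(password: str) -> bool:
    """Check one password against the constructed sample compilation."""
    return is_exposed(password, build_index(io.StringIO(SAMPLE_COMPILATION)))


if __name__ == "__main__":
    for pw in ["Summer2024!", "Tr0ub4dor&3"]:
        print(pw, "-> exposed, rotate it" if exposed_in_sample(pw) else "-> not in this compilation")
```

With a five-character prefix each query matches roughly one in a million hashes, so even against a ten-billion-entry list the checker returns on the order of ten thousand suffixes and learns nothing that identifies the password. Run it on a real file by passing an open file handle to `build_index` instead of the `StringIO`.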

Records downloaded from Snowflake cloud platform, AT&T says

Christopher Palmeri of Bloomberg reports that AT&T says a new hack includes records of customer calls and texts. He writes:

The Federal Communications Commission said it was investigating a massive hack of AT&T Inc. customer data that included records of calls and texts for nearly all of its mobile-phone users for a six-month period in 2022, one of the biggest breaches of private communications data in recent memory.

The company said in a regulatory filing Friday that the breach, which hasn’t been previously disclosed, also included those records from customers of wireless service providers that used AT&T’s network between May 1, 2022 and Oct. 31 of that year. The company said it learned in April that the information was illegally downloaded from a workspace on a third-party cloud platform, which a spokesperson identified as Snowflake Inc.

Records from Jan. 2, 2023 were also compromised for a “very small” number of customers, AT&T said. […]

Last month, Snowflake said that hackers had targeted its customers. The intruders used stolen login details to access the accounts of as many as 165 Snowflake customers — including LendingTree, Advance Auto Parts Inc., Pure Storage Inc. and Ticketmaster — and steal data. The hackers didn’t breach Snowflake but used credentials that were available in places like cybercriminal forums to access customer accounts, which lacked security measures such as multifactor authentication.

Read more here.