If Guinness has a world record for password leaks, then there’s a new all-time champion. Security experts say the largest password collection ever has been posted online, representing 8.4 billion entries altogether. That eclipses an earlier record of 3 billion passwords hacked in February.
The password collection -- dubbed “RockYou2021” by forum members -- is thought to be a compendium of passwords cobbled together from other data breaches. When CyberNews’ Edvardas Mikalauskas ran the numbers on the leak, he found them to be rather unnerving.
“Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over,” theorized Mikalauskas.
If a deft threat actor combined those 8.4 billion unique password variations with other breach compilations that contain usernames and email addresses, it could mean big trouble. They could potentially leverage the RockYou2021 collection to create password dictionaries and use password spraying attacks against a limitless number of user accounts.
“Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions, if not billions,” Mikalauskas said.
What online users should do
Given the size and scope of the leak, anyone who does anything online should check if their passwords were compromised. To check whether your password is safe, there are several free and easy options you can use. They include:
CyberNews’ personal data leak checker and leaked password checker
Since the databases that each of these resources uses are likely not identical, it would be smart to check as many as possible just to cover all your bases.
If you don’t currently have any sort of software that includes identity theft protection, it might be a good time to consider checking one out. ConsumerAffairs has created a guide to antivirus and identity theft protection software.