The mega-archive with billions of stolen passwords: what to do

The first access key cyber-criminals need to hack profiles, documents, sensitive data and anything else is the “password”, indispensable together with the account: obviously we are talking about the password that we all use in our daily lives to access social networks, email and the various profiles that require one. Well, Cybernews researchers have discovered what appears to be the largest collection of stolen passwords found to date: almost 10 billion of them, an enormous number.

What happens in the database

The never-ending data file, called rockyou2024.txt, was posted on July 4 by a cybercriminal on a forum called “ObamaCare.” Although he was registered just over a month ago, he had previously shared a database of stolen passwords from employees of the law firm Simmons & Simmons, another archive of sensitive online casino data, and student applications from Rowan College of Burlington County. The team cross-referenced the passwords in the RockYou2024 leak with previous data and found that all of the passwords came from a mix of old and new data breaches.

What is Credential Stuffing?

“At its core, the RockYou2024 leak is a collection of real-world passwords used by individuals around the world, and it reveals that many of these passwords substantially increase the risk of ‘credential stuffing’ attacks,” the researchers explained. But what does this English expression mean? Literally, it means “stuffing” stolen credentials into login forms: cybercriminals take the leaked username and password pairs and try them on thousands of different web platforms, targeting private users and companies alike.

Some experts explain that credential stuffing is “a cyberattack method where attackers use lists of compromised user credentials to breach a system; it is based on the assumption that many users reuse usernames and passwords across multiple services. Statistics show that approximately 0.1% of compromised credentials attempted on another service will result in a successful login,” explains Imperva, an American software and services company.

How to protect yourself

It is easy to understand that the main targets are the credentials for email, social networks and home banking. To protect yourself, there are simple and basic rules that will make life difficult for hackers: first of all, it is a good idea to activate two-factor authentication, or access to a restricted area via a six-digit code that is generated automatically after we have correctly entered our password. The same goes for facial recognition or fingerprints (on devices that provide them) to confirm that it is really us accessing the account and not a malicious person.

The second rule is even simpler: passwords must be changed often (at most every two to three months) and must be complex. What does this mean? That it is good practice to include at least one capital letter, at least one or two numbers and also a special character (such as an exclamation point, a bracket, etc.). To check whether one of our accounts has been hacked, there are websites that, after you enter the address you want to check, give you an overview of the situation: one of these is haveibeenpwned.com, another is cybernews.com/password-leak-check.

Anyone who discovers that their email or social profile has been hacked should immediately change their login credentials, thus preventing further attempts by cybercriminals.