Image: iStock/sasun bughdaryan

A list of leaked passwords discovered on a hacker forum may be one of the largest such collections of all time. A 100GB text file leaked by a user on a popular hacker forum contains 8.4 billion passwords, likely gathered from past data breaches, tech news site CyberNews said on Monday.

SEE: Extra security or extra risk? Pros and cons of password managers (TechRepublic)

Based on comments from the user, the passwords in the collection range from 6 to 20 characters with non-ASCII characters and white spaces removed. The user actually claimed that the list has 82 billion passwords.

But CyberNews refuted that claim, saying that its own test found around 10 times fewer entries, putting the figure closer to 8.4 billion. That’s still a substantial number, especially considering that there are 4.7 billion active internet users around the world.

The forum user named the collection RockYou2021, which CyberNews said it believes is a reference to the 2009 RockYou data breach in which social game developer RockYou was hit by an attack that exploited a SQL injection flaw. In this incident, the 32 million leaked passwords had been stored in an unencrypted format, making it easy for hackers to obtain them through brute force.

The 2021 version of RockYou contains so many passwords because it tapped into a host of leaked databases from the past, including the Compilation of Many Breaches (COMB), which revealed more than 3.2 billion unique pairs of emails and passwords in clear text. The only bright spot is that many of these passwords may be from inactive accounts or have since been changed.

“Any password leaks of large volumes are always alarming to hear and should be taken seriously,” said Blue Hexagon CTO and co-founder Saumitra Das. “Our own investigation of this report has shown that quite a large number of accounts passwords are recycled from previous breaches and not necessarily active.”

For now, users concerned about leaked passwords and other sensitive information are urged to take a few actions, as advised by CyberNews.

  • Use a reputable data leak checker where you can enter your email address to find out if your account may have been caught in a breach. Sites worth trying include Have I Been Pwned, Firefox Monitor, and Avast Hack Check.
  • If you know or even suspect that one of your accounts was caught in a data breach, change your password immediately.
  • Consider using a password manager to create, store and apply strong and secure passwords for your online accounts.
  • Enable multifactor authentication on any accounts where this method is offered.
  • Look out for an increase in spam and phishing emails through which attackers try to use your leaked email address to scam you.

And though passwords continue to seem like a necessary evil, other more secure authentication methods are available, especially for organizations.

“Companies and users need to treat these developments as a wake-up call to end their overblown reliance on passwords,” said Veridium’s chief revenue officer, Rajiv Pimplaskar. “Passwordless authentication methods such as phone as a token and/or FIDO2 security keys are now commonly available. Such solutions create an un-phishable connection between the user and the IT system and eliminate the need for a password, thereby reducing the attack surface and making the environment more resilient against cyberattacks.”

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays