On July 4th, 2024, a threat actor posted nearly ten billion unique passwords to a dark web forum. This was the second large dump of passwords from the threat actor calling themselves ObamaCare on the forum. Given that the threat actor’s first dump was in 2021 and contained 8.4 billion passwords, security researchers assess that the recent dump of 10 billion passwords simply contains only 1.5 billion new passwords.
What’s New and Notable
- The threat actor claimed some of the passwords were stored encrypted, but they were able to decrypt those passwords using Nvidia’s RTX 4090 graphic cards. Security researchers previously warned in 2022 that threat actors could use 8 cards to crack 8-character passwords in 48 minutes. By combining old passwords and this password cracking technique, at least some of the passwords can now be used for credential stuffing attack against online login panels.
- This is one of the largest password dumps to date, but the size of these dumps are only going to grow as each new iteration contains the previous passwords and as more data becomes available from compromises.
Analyst Comments
While these types of password dumps are very common, they are only likely to increase as more data becomes available. The recent compromises of Snowflake’s cloud data analytics instances provide both an example of the source and the repercussions of large password breaches. As companies retain more and more data in cloud environments to enable artificial intelligence models, the size and scale of data breaches is only going to grow. Additionally, large dumps of passwords provide useful resources for other threat actors. The threat actors compromising Snowflake instances are primarily using login and password combinations posted to the dark web.
In Arete’s dark web search and monitoring engagements, leaked credentials are the most common finding. Users’ tendency to reuse passwords means even third-party data breaches not directly pertaining to a user’s employer can still result in a compromise of the employer. The National Institute of Standards and Technology (NIST) consequently recommends monitoring for exposed credentials and changing passwords after a breach finding in order to prevent password dumps like this one from resulting in broader compromises.
Sources
Close to 10 Billion Passwords Exposed in Possibly the Biggest Leak Ever
Eight RTX 4090s Can Break Passwords in Under an Hour
NIST Special Publication 800-63-3 Digital Identity Guidelines
Related Resources
![]()
The Return of Bumblebee Loader
After its disruption in May 2024, Bumblebee is back in the cyber ecosystem, using a new infection chain with LNK, PowerShell, and MSI files to drop additional malware.
Read more![]()
Red Team Tool Used to Disrupt Endpoint Security Solutions
Researchers observed criminals using the red-team tool EDRSilencer in cyberattacks. This open-source tool, designed for penetration testing, can detect EDR processes and monitor, modify, or block their outbound network communications.
Read more![]()
Recent Sanctions Reveal LockBit and Evil Corp Links
The US Department of the Treasury’s Office of Foreign Assets Control sanctioned seven individuals for their association with the Evil Corp cybercriminal group.
Read more
