Largest Data Breach of All Time (So Far)

Dark web password dump threatens online security

On July 4th, 2024, a threat actor posted nearly ten billion unique passwords to a dark web forum. This was the second large dump of passwords from the threat actor, who goes by ObamaCare on the forum. Given that the threat actor’s first dump was in 2021 and contained 8.4 billion passwords, security researchers assess that the recent dump of 10 billion passwords contains only 1.5 billion new passwords.

What’s New and Notable

  • The threat actor claimed some of the passwords were stored encrypted, but they were able to decrypt those passwords using Nvidia’s RTX 4090 graphics cards. Security researchers previously warned in 2022 that threat actors could use 8 cards to crack 8-character passwords in 48 minutes. By combining old passwords and this password cracking technique, at least some of the passwords can now be used for credential stuffing attacks against online login panels.
  • This is one of the largest password dumps to date, but the size of these dumps is only going to grow as each new iteration contains the previous passwords and as more data becomes available from compromises.

Analyst Comments

While these types of password dumps are very common, they are only likely to increase as more data becomes available. The recent compromises of Snowflake’s cloud data analytics instances provide an example of both the source and the repercussions of large password breaches. As companies retain more and more data in cloud environments to enable artificial intelligence models, the size and scale of data breaches are only going to grow. Additionally, large dumps of passwords provide useful resources for other threat actors. The threat actors compromising Snowflake instances are primarily using login and password combinations posted to the dark web.

In Arete’s dark web search and monitoring engagements, leaked credentials are the most common finding. Users’ tendency to reuse passwords means even third-party data breaches not directly pertaining to a user’s employer can still result in a compromise of the employer. The National Institute of Standards and Technology (NIST) consequently recommends monitoring for exposed credentials and changing passwords after a breach finding in order to prevent password dumps like this one from resulting in broader compromises.

Sources

Close to 10 Billion Passwords Exposed in Possibly the Biggest Leak Ever

Eight RTX 4090s Can Break Passwords in Under an Hour

NIST Special Publication 800-63-3 Digital Identity Guidelines