Having a strong password goes a long way toward securing your account against traditional brute-force and dictionary attacks. Credential stuffing, however, does not need to guess anything: it replays username/password pairs exposed in earlier data breaches against other services, and succeeds wherever the password was reused. More information about the different types of authentication attacks can be found here.
Over the years there have been so many data breaches that it is easy to forget or miss the ones that are relevant to you. In 2021, a password collection referred to as "RockYou2021" was leaked, containing over 8 billion entries. Earlier that year, over 3 billion unique pairs of emails and passwords were leaked in the "Compilation of Many Breaches" (COMB) data leak. A large portion of the data in these two leaks is from data breaches that occurred years earlier, which is exactly why it is so important to update your old passwords.
Data Breaches containing Passwords in Plain Text
You may be surprised which companies have suffered data breaches that exposed plain text passwords. This means the passwords were stored exactly as the user typed them, in a readable format, rather than being run through a one-way hash function before storage. Below is a quick look at some you might be familiar with.
- Adobe, October 2013, ~153 million accounts
- Ancestry, November 2015, ~300,000 accounts
- Comcast, November 2015, ~590,000 accounts
- Fling, March 2011, ~40 million accounts
- League of Legends, June 2012, ~339,000 accounts
- Neopets, May 2013, ~27 million accounts
- Sony, June 2011, ~37,000 accounts
- Yahoo, July 2012, ~450,000 accounts
A quick search will turn up more details about each of these breaches. Although in many cases the affected accounts had their passwords reset, that does not undo the damage of exposing plain text passwords: they feed straight into dictionary and credential-stuffing attacks. Many people reuse the same password across multiple services. This was painfully evident when the Sony and Yahoo breaches were compared: 59% of the users who appeared in both had reused the same password. This is why credential stuffing is so effective: a username/password pair taken from one breach can be tried against every other service the victim uses.
Data Breaches containing Hashed Passwords
In layman's terms, a hashed password is a password that has been run through a one-way function: there is no calculation that turns the hash back into the original plain text. The same plain text password always produces the same hash as long as the same hashing method (and, where one is used, the same salt) is applied. This is a more secure way of storing passwords because an exposed hash cannot be submitted to the login form in place of the password; the attacker first has to find a plain text value that hashes to it. Many notable companies have suffered data breaches that exposed hashed passwords.
- Adult FriendFinder, October 2016, ~170 million accounts
- Bitly, May 2014, ~9 million accounts
- Chegg, April 2018, ~40 million accounts
- Eatigo, October 2018, ~2.8 million accounts
- Imgur, September 2013, ~1.7 million accounts
- Last.fm, March 2012, ~37 million accounts
- LinkedIn, May 2016, ~164 million accounts
- MySpace, July 2008, ~360 million accounts
- Wishbone, January 2020, ~9.7 million accounts
- xHamster, November 2016, ~380,000 accounts
Rainbow Table Attacks
While hashed passwords are much more secure than plain text passwords, the specific breaches listed above are vulnerable to a method known as the rainbow table attack. A rainbow table is a precomputed table that maps hash values back to the plain text that produced them. The attacker hashes large lists of plain text passwords ahead of time (a true rainbow table stores these as chains of hash and reduction steps to save space, but it answers the same question), then compares the breached hashes against the table. Every match reveals the plain text password for that account, with no work done at cracking time beyond the lookup. The attack works because, without a per-user salt, the same password always produces the same hash for every account on every site that uses that algorithm.
There are ways of hashing passwords that defeat this. Adding a random per-user salt before hashing means the same password produces a different hash for every account, so a table precomputed in advance is useless, and using a deliberately slow algorithm (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) makes every guess expensive even without a table. Data breaches that exposed passwords protected this way are not included in the list above.
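The following is an added example (not code from the original article) that shows the two halves of the argument above in working code: a precomputed lookup table instantly recovers unsalted MD5 hashes from a constructed breach dump, and the same table recovers nothing once the passwords are stored with a per-user salt and a slow key derivation function. It uses only the Python standard library; the wordlist, email addresses and passwords are all made up for the example, and PBKDF2-HMAC-SHA256 with 600,000 iterations is chosen as the slow hash because it needs no third-party package (bcrypt, scrypt or Argon2 would serve the same purpose).

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for a breach-derived dictionary such as
# the ones discussed above. Every value here is made up for this example.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed "breach dump": email -> unsalted MD5 of the password, the storage
# pattern behind several of the breaches listed above. Carol's password is
# deliberately absent from WORDLIST so the table will not find it.
BREACH_DUMP = {
    "alice@example.com": md5_hex("letmein"),
    "bob@example.com": md5_hex("dragon"),
    "carol@example.com": md5_hex("c0rrect-h0rse-battery-9x"),
}


def build_lookup_table(words, hash_fn=md5_hex):
    """Precompute hash -> plaintext for every candidate password.

    This is the idea behind a rainbow table. A real rainbow table stores
    chains of hash/reduction steps to save space, but it answers the same
    question: which plaintext produced this hash?
    """
    return {hash_fn(word): word for word in words}


def crack_with_table(dump, table):
    """Recover plaintexts for every hash in the dump that appears in the table.
    No hashing happens here: the attacker's work was all done in advance."""
    return {user: table[h] for user, h in dump.items() if h in table}


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow storage using PBKDF2-HMAC-SHA256 from the
    standard library (600k iterations is the current OWASP recommendation).
    Stored form: salt_hex$iterations$derived_key_hex."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Alice and Bob are recovered instantly; Carol is not in the wordlist.
    print("unsalted MD5 dump:", crack_with_table(BREACH_DUMP, table))

    # Same passwords stored with a salt: the table no longer matches anything,
    # and each guess now costs 600k iterations per account instead of one hash.
    salted_dump = {user: hash_password(pw) for user, pw in
                   [("alice@example.com", "letmein"), ("bob@example.com", "dragon")]}
    print("salted PBKDF2 dump:", crack_with_table(salted_dump, table))
    print("two salted hashes of 'letmein' differ:",
          hash_password("letmein") != hash_password("letmein"))
    print("verify works:", verify_password("letmein", salted_dump["alice@example.com"]))
```

Passing `sha1_hex` as `hash_fn` builds the equivalent table for an unsalted SHA-1 dump; the point is that the table only has to be built once per algorithm and then works against every site that used it without a salt. Against the salted store, an attacker has to run the full 600,000-iteration derivation for every guess against every account, which is the cost the slow algorithm is meant to impose.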
The Importance of Updating Old Passwords
Data breaches have exposed billions of passwords over the years. This is why it is important to update old passwords, and especially important not to reuse the same password across multiple accounts. Resources such as haveibeenpwned can tell you whether your email address or a password appears in a known data breach. Even so, it is usually faster to replace your old passwords with new, strong, unique ones than to worry about whether a given old password has been exposed.
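As an added example (not code from the original article or from haveibeenpwned), here is how the Pwned Passwords check mentioned above can be done without ever sending the password, or even its full hash, to anyone. The real range endpoint at `https://api.pwnedpasswords.com/range/<prefix>` accepts the first five hex characters of a password's SHA-1 and returns every known suffix for that prefix with a breach count, so the client finishes the comparison locally. The `constructed_fetch` stand-in, the filler suffixes and the count of 12345 are made up so the example runs offline; `fetch_range` is the live version.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API: the client sends only the
# first 5 hex characters of the SHA-1 and searches the returned list locally.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the server and the 35-char suffix that never leaves."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response (one 'SUFFIX:COUNT' per line) and return how
    many times our suffix was seen in breach data, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Only the 5-character prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-passwords-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the server so the example runs offline. It answers
# the prefix of "password" with that password's real suffix and a made-up
# count, plus filler suffixes; any other prefix gets only filler.
_PWNED_PREFIX, _PWNED_SUFFIX = sha1_prefix_suffix("password")


def constructed_fetch(prefix: str) -> str:
    filler = ["0" * 35 + ":1", "F" * 35 + ":7"]
    if prefix == _PWNED_PREFIX:
        return "\r\n".join(filler + [f"{_PWNED_SUFFIX}:12345"])
    return "\r\n".join(filler)


if __name__ == "__main__":
    print(pwned_count("password", constructed_fetch))
    print(pwned_count("c0rrect-h0rse-battery-9x", constructed_fetch))
```

To run it against the live service, call `pwned_count("...")` with the default `fetch_range`; a non-zero result means the password has already been exposed and should be replaced, not just rotated into another account.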