19 Billion Stolen Passwords For Sale Online — New Warnings Issued

Forbes, 17-05-2025
Billions of stolen passwords are now available online.
I recently reported that an incredible 19 billion stolen passwords had been found published on the dark web and in criminal marketplaces online. That article went viral in a way I never expected, which is a good thing considering what has emerged since. Two new warnings have been issued, and they matter given the ongoing reports of compromised passwords and how they are being used in cyberattacks. Take heed of these warnings now and ensure you are not the next victim.
Although you might think you are on top of password construction and usage, for far too many people that is not actually the case. After all, when one new report reveals that 2.9 billion unique compromised passwords were available on dark web forums and Telegram channels across 2024, you have to wonder whose passwords you are using. If you don't follow a strictly random process for creating long, strong passwords, such as having a password manager generate them for you every time, along with secure management practices that prevent reuse (did I mention password managers already?), then you are likely part of the problem, my friend.
The 2025 password table, published by Hive Systems, brings real-world insight into how quickly your password can be cracked. I should say at this point that I'm not a huge fan of the 'how long does it take to crack a password' approach to credential security, not least because the prevalence of infostealer malware rather makes it irrelevant: a stealer exfiltrates the credentials saved in your browser in the clear, so there is nothing left to crack, however long the password is. It still serves a purpose in illustrating password construction hygiene, though. The newly published report, authored by Corey Neskey, vice president of quantitative risk at Hive Systems, models a hacker using a black box process, starting from scratch to crack an unknown hash. But Neskey acknowledged that 'if your password was part of another breach or uses dictionary words, then your password table looks like this,' the 'this' being a table with just the word 'instantly' repeated over and over.
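As an added example, not from the Forbes article, Hive Systems or Have I Been Pwned, the following Python shows both halves of Neskey's point: a keyspace-based crack-time estimate of the kind a password table is built from, and a breach-corpus lookup that makes the estimate irrelevant. The guess rate, the breached-password list and the candidate passwords are assumptions constructed for illustration; the prefix-matching lookup mirrors the k-anonymity range query of the Pwned Passwords API but runs against the inline list rather than the live service.

```python
"""Added example (not from the Forbes article, Hive Systems or Have I Been
Pwned): a 'password table' style crack-time estimate next to a breach-corpus
lookup. A password that appears in the corpus is 'instantly' crackable no
matter what the estimate says."""
import hashlib
import string
from collections import defaultdict

# ASSUMPTION for illustration only: attacker guess rate against the target hash.
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000

CHARSETS = (
    set(string.digits),
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.punctuation),
)


def keyspace(password: str) -> int:
    """Search space for a black-box attacker who knows only the length and
    which character classes are present (what a password table assumes)."""
    alphabet = sum(len(cs) for cs in CHARSETS if any(ch in cs for ch in password))
    return alphabet ** len(password)


def brute_force_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at `rate` guesses per second."""
    return keyspace(password) / rate


# CONSTRUCTED breach corpus standing in for the billions of leaked passwords.
CONSTRUCTED_BREACHED = ["123456", "password", "qwerty", "Summer2024!", "letmein"]


def build_range_index(passwords):
    """Index by the first 5 hex chars of SHA-1: prefix -> set of suffixes.
    This is the shape of a Pwned Passwords range response, so a client only
    ever reveals the 5-char prefix of its own hash."""
    index = defaultdict(set)
    for p in passwords:
        digest = hashlib.sha1(p.encode()).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


BREACH_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def breached(password: str, index=BREACH_INDEX) -> bool:
    """Range lookup: fetch the bucket for the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


def verdict(password: str) -> tuple[bool, float]:
    """(in_breach_corpus, seconds_to_brute_force). Breached means 0 seconds:
    the attacker starts from the leaked value, not from a hash."""
    if breached(password):
        return True, 0.0
    return False, brute_force_seconds(password)


def humanize(seconds: float) -> str:
    """Render a crack time the way a password table does."""
    if seconds == 0:
        return "instantly"
    for unit, size in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    for pw in ("abc", "Summer2024!", "uS4#vnQ9xLp2wR"):  # constructed candidates
        in_corpus, secs = verdict(pw)
        print(f"{pw!r:20} breached={in_corpus!s:5} crack time: {humanize(secs)}")
```

Run it and `Summer2024!` comes out as `instantly` despite an eleven-character, four-class keyspace that the brute-force estimate puts at well over a hundred thousand years at the assumed rate; that gap is exactly why the author distrusts crack-time tables on their own.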
Marcus White is a cybersecurity specialist at Specops who specializes in authentication, password security, password management, and compliance. He is, without any shadow of a doubt, a password expert. A May 13 report authored by White goes into some detail about the passwords that hackers are using to attack file transfer protocol ports specifically. While this might seem rather niche, it's nothing of the sort. FTP is one of those things that hackers like to attack, often using brute force, because it's usually an easy route into your network. Indeed, the Specops research team has been analyzing the last 30 days of FTP port attacks against live networks to determine the most common passwords used by the threat actors concerned. 'Knowing the tactics real-world attackers are using,' White explained, 'can help you shape your organization's password policy and defend against brute-force attacks.' Importantly, these are not blind brute-force attacks in the textbook sense of trying every possible string: they cycle through known username and password combinations until access is achieved. Can you guess where a lot of these credentials come from? Bingo! Those infostealer logs.
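As an added example, not Specops' research or code from the Forbes article, the Python below runs brute-force and password-spray detection over constructed sample lines in the format vsftpd writes to its log (`FAIL LOGIN` / `OK LOGIN` with the client address). The thresholds, window and IP addresses are assumptions to tune against your own traffic; the rule worth noticing is the third one, which flags a successful login that follows a burst of failures from the same source, the pattern a stuffed credential produces.

```python
"""Added example (not Specops' research or code from the Forbes article):
flagging FTP brute-force, password-spray and credential-stuffing attempts
from server logs. Sample lines are CONSTRUCTED in vsftpd's log format;
thresholds and addresses are ASSUMPTIONS to tune for your own traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# vsftpd writes one line per login attempt, e.g.
#   Mon May 12 10:00:01 2025 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.5"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)

# CONSTRUCTED sample: one source cycles usernames then lands a login as
# "backup"; another source is a user who mistyped once.
SAMPLE_LOG = """\
Mon May 12 10:00:01 2025 [pid 4101] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon May 12 10:00:02 2025 [pid 4102] [admin] FAIL LOGIN: Client "203.0.113.5"
Mon May 12 10:00:02 2025 [pid 4103] [root] FAIL LOGIN: Client "203.0.113.5"
Mon May 12 10:00:03 2025 [pid 4104] [ftp] FAIL LOGIN: Client "203.0.113.5"
Mon May 12 10:00:04 2025 [pid 4105] [test] FAIL LOGIN: Client "203.0.113.5"
Mon May 12 10:00:05 2025 [pid 4106] [backup] OK LOGIN: Client "203.0.113.5"
Mon May 12 10:00:07 2025 [pid 4107] [alice] FAIL LOGIN: Client "198.51.100.9"
Mon May 12 10:00:40 2025 [pid 4108] [alice] OK LOGIN: Client "198.51.100.9"
"""

WINDOW = timedelta(seconds=60)   # ASSUMED sliding window
FAIL_THRESHOLD = 5               # ASSUMED failures per source within WINDOW
SPRAY_THRESHOLD = 3              # ASSUMED distinct usernames per source within WINDOW


def parse(line):
    """Return a dict for a login line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "user": m["user"],
        "ok": m["result"] == "OK",
        "ip": m["ip"],
    }


def detect(log_text, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
           spray_threshold=SPRAY_THRESHOLD):
    """Return (ip, kind, detail) alerts, each kind at most once per source.
    State is per call; a deployment would keep the per-source windows across
    log rotations."""
    recent = defaultdict(deque)  # ip -> failures (ts, user) inside the window
    raised = set()
    alerts = []

    def raise_once(ip, kind, detail):
        if (ip, kind) not in raised:
            raised.add((ip, kind))
            alerts.append((ip, kind, detail))

    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                      # expire failures outside the window
        if ev["ok"]:
            # A success right after a burst of failures is the signature of a
            # stuffed credential: the attacker finally hit a working pair.
            if len(q) >= fail_threshold or len({u for _, u in q}) >= spray_threshold:
                raise_once(ev["ip"], "success_after_failures",
                           f"login as {ev['user']} after {len(q)} failures")
            q.clear()
            continue
        q.append((ev["ts"], ev["user"]))
        users = {u for _, u in q}
        if len(users) >= spray_threshold:
            raise_once(ev["ip"], "password_spray", f"{len(users)} usernames tried")
        if len(q) >= fail_threshold:
            raise_once(ev["ip"], "brute_force",
                       f"{len(q)} failures within {int(window.total_seconds())}s")
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip:15} {kind:24} {detail}")
```

On the sample the attacking source raises three alerts in order (spray, brute force, then the success as `backup`), while the user who mistyped once raises none. The success-after-failures rule is the one to route to a responder rather than a dashboard: it says a credential from somebody's wordlist, quite possibly a stealer log, actually works on your server.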
As Vakaris Noreika, a cybersecurity expert at threat exposure platform NordStellar, told me, the threat from infostealer malware is far greater than most people imagine. It's not just that so many passwords are being stolen, along with other credentials such as session cookies (a stolen cookie lets an attacker resume an already-authenticated session, so the two-factor prompt is never seen), but also how easily cybercriminals can get hold of them. 'Dark web users can purchase stealer logs by subscribing to a private channel,' Noreika said, referring to Telegram channels where access to millions of compromised passwords can be had for as little as $81.
So, how do you solve a problem like stolen passwords at scale? You are probably not going to like this much, but the answer is an obvious one: stop using the darn things. Why risk your carefully constructed, seemingly strong password when you can use a far more secure and much harder to compromise passkey? A passkey is a public-key credential bound to the site it was registered with: there is no shared secret sitting on the server to be breached, nothing for a phishing page to capture, and nothing to stuff into an FTP login. If you can't yet use a passkey for a given service, then please, at least don't reuse your passwords.

Related Articles

Top-Rated VPN, Bottom-Line Price: This Deal Is Stealing the Show

Gizmodo, an hour ago

When something is so affordable yet excellent, it disappears in the blink of an eye. NordVPN's eye-catching deal lasts for quite a while, but we're afraid it'll end soon. Blink once or twice, and you'll miss out on it. If you're reading this article, you may still have a few days left. NordVPN breaks the boundaries of cheap VPNs by introducing a crafty gift to spice up the formula. More information is below. Don't quit now.

NordVPN's biennial plans have always sparked attention among VPN enthusiasts. How can a VPN this popular be so affordable? We'll leave this question open and immediately jump to the best-value plan: NordVPN Plus. This one is 70% off and costs only $4.39 monthly for the first 24 months. With NordVPN, malware and ad-blocking, and NordPass (our favorite password manager), you'll get more than you've bargained for. But then, NordVPN spawns two more plans: Complete and Prime. The former's price of $5.39 monthly won't last long. It includes 1 TB NordLocker on top, while the latter, at $7.39 monthly, includes NordProtect. Serious packages at not-so-serious prices. NordVPN must be joking. Luckily, it's not, and when you hear about a 30-day money-back guarantee, you'll reach for that credit card in your back pocket. Testing NordVPN for a month risk-free sounds exciting, but a longer ride might be even smarter.

We excluded one piece of information; fortunately, a good one. NordVPN's Plus, Complete, and Prime plans come with a twist or, better said, a gift. If you use the VPN for at least 30 days, each plan includes a $20, $40, or $50 Amazon gift card. They're issued from the 31st to the 50th day, and you can use them if you're from the USA, Australia, or Canada. If you were planning an Amazon haul, these fifty bucks can be a much-needed backup. Remember that NordVPN's Basic plan is excluded from the promotion. At the same time, it's only $3.39 monthly and is a staggering deal if you need only the VPN.

At just a dollar more, the Plus deal makes more sense. NordVPN is more than a VPN, especially with all the tech surrounding it. Amazon gift cards are a fantastic offer, but we're confident that NordVPN alone is enough to knock your socks off. As the world's leading VPN, NordVPN offers: Believe it or not, we just scratched the surface with this list. Our NordVPN test offers more information. If you'd rather test the VPN yourself, you have nothing to lose by immediately opting for this refreshing summer deal.

Microsoft will soon delete your Authenticator passwords. Here are 3 password manager alternatives

Yahoo, 8 hours ago

Users of Microsoft apps are having a rough year. First, in May, the Windows maker shut down the popular VoIP calling app Skype for good, saying it did so to focus on its latest communications darling, Microsoft Teams. Now Microsoft has announced that it is nerfing one of its most popular mobile apps, too. While not shutting the app down completely, Microsoft Authenticator is about to go through a radical downgrade. The app previously acted as both a password manager and an authentication app, but starting this month Microsoft has stripped Authenticator's ability to autofill your saved passwords, and come August Microsoft will delete all your saved passwords from Authenticator. This means that, just as Skype users needed to find a new VoIP app, those who use Microsoft Authenticator as a password manager will need to hurry up and find a new one. Here's why Microsoft is making its changes to Authenticator, and the alternative password managers you may want to migrate to before the August deadline.

Microsoft first introduced Authenticator in 2016 as a stand-alone app for managing two-factor authentication security codes. In 2020 it added password management support, making the app a one-stop shop for autofilling passwords and security codes on websites. However, in 2020 Microsoft also introduced its new Edge browser, and since then Edge has become a top priority for the company. Microsoft has now decided that Edge should act as a Microsoft user's password manager of choice, partly because Edge supports multiple platforms (Windows, Mac, iOS, Android, Linux, and more) while Authenticator only supports iOS and Android. The logic is that if Edge is your password manager, all your passwords will be accessible on every device logged into Edge. To facilitate this transition, Microsoft will automatically transfer a user's saved passwords from Authenticator to Edge before permanently deleting them from Authenticator next month.

This move is fine for people who don't mind a web browser serving as their password manager. However, many people prefer a dedicated password manager app because it is usually more versatile, offers advanced features like password sharing, and integrates with a range of desktop and mobile browsers. If you are in that second group, you'll want to export your passwords from Authenticator before they are deleted and import them into a new dedicated password manager app. But which one? There is no shortage of dedicated password managers out there, but if you are moving from Microsoft Authenticator, three in particular are worth considering.

Apple Passwords: This is Apple's designated password manager, which the company introduced last year. The biggest advantage of Apple Passwords is its clean, simple interface. It lets you store not only your passwords but your passkeys and security codes, too. The Apple Passwords app is perfect if you operate primarily in Apple's ecosystem, but it also supports Windows PCs (via the iCloud app) and major browsers, including Chrome and Firefox. The app is also free to use. However, Apple Passwords does not support Android, so if you have a 'droid, it's best to consider one of the two password managers below.

1Password: One of the most popular password managers on the planet is 1Password. It's also one of the most versatile. Not only does it support passwords, passkeys, and security codes, but you can also save identity and credit card information and even important documents. 1Password supports all major platforms, including Windows, Mac, iOS, Android, and Linux. One drawback, especially if you are used to Microsoft Authenticator, is that 1Password is a paid app. Individual plans start at $2.99 per month.

Bitwarden: In addition to 1Password, there is another cross-platform password manager champ: Bitwarden. Like all good password managers, it offers robust password management and passkey support. It also supports all the major platforms, including Windows, Mac, iOS, Android, and more. Best of all, Bitwarden offers a free tier of the app, allowing anyone to use its password management feature. However, if you want a password manager that also handles your security codes, as Authenticator does, you'll need to upgrade to a paid Bitwarden plan, which starts at $10/year.

If you do switch to one of the above apps, you'll need to transfer your passwords from Microsoft Authenticator to the app you choose. Just do it quickly: Microsoft will delete all your passwords stored in Authenticator on August 1, 2025. From that date, you'll need to download Microsoft Edge and export them from the company's web browser instead. To export your passwords from Authenticator before the August deadline, follow Microsoft's export instructions.

This post originally appeared at Fast Company.

From Vibe Coding To Vibe Hacking — AI In A Hoodie

Forbes, 12 hours ago

Is vibe hacking the next big cyber thing?

Artificial intelligence, or at least the AI we know from large language models and in particular the various generative pre-trained transformer services we have become so accustomed to, has already been weaponized by threat actors. We've seen attack after attack against Gmail users employing AI-powered phone calls, 51% of all spam is now reported as AI-generated, and deepfakes have been a cybersecurity issue for the longest time. But just how advanced is the AI cyberattack threat and, more importantly, how close are we to fully autonomous attacks, to vibe hacking emerging from the vibe coding phenomenon?

From Vibe Coding To Vibe Hacking — The Reality Of AI In Cyberattacks

Vibe coding isn't what a lot of people seem to think it is. I've seen numerous folk, many of whom should know better, describe it as a method of letting AI generate code from nothing and develop an application from scratch, without requiring any coding input from the 'programmer' directing it to do so. This is, of course, a nonsense seeded with more than a little reality. Vibe coding makes a developer's life much easier by delegating some of the programming to AI based on the desired outcomes, but it doesn't remove the need to provide direction and demonstrate a high level of understanding. That said, LLMs and vibe coding are making leaps and bounds in producing surprisingly efficient code. But what about hackers using the same techniques, vibe hacking if you will, to do the same with cyberattacks: using LLMs to discover and exploit vulnerabilities, reliably and with malicious impact? According to Michele Campobasso, a senior security researcher at Forescout, there is 'no clear evidence of real threat actors' doing this. Rather, Campobasso said, 'most reports link LLM use to tasks where language matters more than code, such as phishing, influence operations, contextualizing vulnerabilities, or generating boilerplate malware components.'

Vibe hacking has a long way to go to catch up with vibe coding, it would seem, according to Campobasso's latest analysis. 'Between February and April 2025,' Campobasso said, 'we tested over 50 AI models against four test cases drawn from industry-standard datasets and cybersecurity wargames.' The results were, to say the least, informative: 'Attackers still cannot rely on one tool to cover the full exploitation pipeline,' Campobasso said. LLMs produced inconsistent results, with high failure rates. 'Even when models completed exploit development tasks,' Campobasso said, 'they required substantial user guidance.' Campobasso concluded that we are 'still far from LLMs that can autonomously generate fully functional exploits,' while the 'confident tone' of the models, even when they are wrong, will mislead the inexperienced attackers most likely to rely upon them. The age of vibe hacking is approaching, although not as fast as the vibe coding phenomenon would imply, and defenders should start preparing now. Luckily, this isn't too difficult, according to Campobasso. 'The fundamentals of cybersecurity remain unchanged: An AI-generated exploit is still just an exploit, and it can be detected, blocked, or mitigated by patching.'
