
Colonial Pipeline Hack Connected to Password Leak of 8.4 Billion Accounts; Attackers Got in via an Old VPN Account

A new password leak, the largest to date, contains over 8.4 billion credentials, which may include the account used to get into Colonial Pipeline’s network.

Rather than a breach involving new and previously unpublished information, the “RockYou2021” password leak appears to be a “combination file” compilation that draws together passwords from prior data breaches. The total number of login credentials it contains (8,459,060,239 unique entries) is almost double the estimated number of internet users in the world, meaning that there are likely duplicate accounts as well as possible new connections between compromised usernames and related email addresses. It is unclear if the Colonial Pipeline hackers obtained the login that they used to breach the network from this leak specifically, but the compromised VPN password was found in one of the collections of dark web password leaks that comprise RockYou2021.

Password leak brings together many prior major breaches, makes “brute force” and fraud attempts easier

The 100GB “RockYou2021” TXT file was leaked to a dark web forum. Its 8.4 billion passwords are 6-20 characters long, with non-ASCII characters and white spaces removed. While security researchers are still poring through the contents, it is safe to assume that it combines credentials found in prior unrelated password leaks.

The name is a reference to the RockYou password leak of 2009, at the time the largest of its type. Hackers were able to breach the servers of the now-defunct RockYou social network service, accessing some 32 million usernames and passwords that were dumped in a text file named “rockyou2021.txt”.

While the new password leak likely contains little (if anything) in the way of new compromised accounts, it serves as a convenience tool for threat actors to try things like “brute force” and “spray and pray” login attacks. Saumitra Das, CTO and Cofounder, Blue Hexagon, added: “Any password leaks of large volumes are always alarming to hear and should be taken seriously; our own investigation of this report has shown that quite a large number of accounts passwords are recycled from previous breaches and not necessarily active.”

The information is very likely to be put to use in spam and phishing campaigns. It outstrips the largest prior combination file of this type, the Compilation of Many Breaches (COMB), which contained 3.2 billion leaked passwords.

Given the scope of the password leak, all internet users are being advised to change passwords that have not been changed recently. Any passwords that might be questionable should be run through a safe password leak checker, such as the Have I Been Pwned website. It is also extremely likely that there will be a broad uptick in spam messages and phishing texts and emails, most likely containing passwords and other elements of information from the leak. Heightened caution in clicking on email attachments is also advised.
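What makes a leak checker "safe" is that the password never leaves the machine. The following added example (not part of the original article) shows the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords service: only the first five hex characters of the SHA-1 hash are sent, and the match is done locally. The sample response body is constructed so the block runs offline.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint (Have I Been Pwned); only a hash prefix is sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_request_url(password):
    """URL that would be requested: it carries the hash prefix, not the password."""
    return RANGE_URL.format(prefix=split_hash(password)[0])

def fetch_range(password):
    """Network call (not exercised offline). Add-Padding hides the response size."""
    req = urllib.request.Request(
        range_request_url(password),
        headers={"Add-Padding": "true", "User-Agent": "leak-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def count_in_range(password, range_body):
    """Match the suffix locally against 'SUFFIX:COUNT' lines; 0 means not found."""
    suffix = split_hash(password)[1]
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padding entries carry a count of 0
    return 0

def constructed_response(leaked_password, count):
    """Constructed sample body: one decoy, one real suffix, one padding entry."""
    suffix = split_hash(leaked_password)[1]
    return f"{'0' * 35}:3\r\n{suffix}:{count}\r\n{'F' * 35}:0\r\n"

if __name__ == "__main__":
    body = constructed_response("password", 1234)  # constructed count
    print(range_request_url("password"))
    print(count_in_range("password", body))
    print(count_in_range("a passphrase that is not in the sample", body))
```

Swap `constructed_response(...)` for `fetch_range(...)` to query the live service; the suffix comparison still happens on the local machine.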

Colonial Pipeline hacked using old VPN account

In related news, the Colonial Pipeline breach that crippled the East Coast’s fuel supply for about a week has been traced back to a single VPN login. The credentials appeared in a dark web password leak prior to the publication of RockYou2021. The login was outdated (no longer used by any employees), but still valid in the Colonial Pipeline network and apparently allowed the attackers to walk right in on April 29 given that multi-factor authentication was not in use. It’s unclear if the hackers obtained the login from one of these password leaks, but it had apparently been sitting there for anyone to use for some time. The attackers appear to have explored the system for a little over a week before sending the ransom note and activating ransomware.
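The condition described above (an account nobody uses that is still enabled and protected by a password alone) can be found with a routine account audit. This added example is not from the article; the CSV columns, usernames and the 90-day idle threshold are assumptions, and the export is constructed sample data.

```python
import csv
import io
from datetime import date

# Constructed export of VPN accounts; usernames and columns are hypothetical.
SAMPLE_EXPORT = """username,enabled,mfa_enrolled,owner_active,last_login
alice,true,true,true,2021-04-20
legacy-vpn,true,false,false,2020-11-02
bob,true,false,true,2021-04-25
contractor7,false,false,false,2020-06-30
carol,true,true,true,2020-12-01
"""

def audit_vpn_accounts(export_text, today, max_idle_days=90):
    """Return (username, action, reasons) for every account that can still log in
    and is orphaned, dormant, or protected by a password alone."""
    order = {"disable-now": 0, "review-and-disable": 1, "enforce-mfa": 2}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"] != "true":
            continue  # already disabled: a leaked password cannot be replayed
        idle = (today - date.fromisoformat(row["last_login"])).days
        orphaned = row["owner_active"] != "true"
        dormant = idle > max_idle_days
        no_mfa = row["mfa_enrolled"] != "true"
        reasons = []
        if orphaned:
            reasons.append("no active owner")
        if dormant:
            reasons.append(f"idle {idle} days")
        if no_mfa:
            reasons.append("password-only")
        if (orphaned or dormant) and no_mfa:
            action = "disable-now"  # unused, still valid, single factor
        elif orphaned or dormant:
            action = "review-and-disable"
        elif no_mfa:
            action = "enforce-mfa"
        else:
            continue
        findings.append((row["username"], action, reasons))
    return sorted(findings, key=lambda f: order[f[1]])

if __name__ == "__main__":
    for finding in audit_vpn_accounts(SAMPLE_EXPORT, date(2021, 4, 29)):
        print(finding)
```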

There is still no strong evidence that Russian state-backed groups were involved in either of the attacks on Colonial Pipeline and meat packer JBS, but many cybersecurity experts believe the plagues of phishing and ransomware will not decline until “safe haven” countries such as Russia are somehow addressed. The Putin government has long turned a blind eye to criminal hackers operating out of the nation, granting them a great deal of latitude so long as they stay away from domestic targets and Russian allies. Joe Biden and Vladimir Putin are expected to meet for a discussion in Geneva on July 16, and Biden has said that he intends to make ransomware attacks out of Russia and the country’s tacit reputation as a safe harbor a point of discussion. The group responsible for the recent ransomware attacks, DarkSide, has said that it intends to disband due to the pressure put on it but will likely reform and be back under a different name before long.

While it is prudent for just about everyone to update passwords that have not been changed in some time in response to this breach (and consider additional personal security measures such as a password manager), the password leak is more likely to impact traditional targets of “credential stuffing” attacks (business networks) rather than the average person’s attempt-limited Gmail or Amazon login. David Stewart, CEO of Approov, feels that this is the key prompt for businesses to take a serious look at the security layer sitting behind passwords: “Ensure that usernames/passwords on their own are not enough to gain access to backend systems. Adding a requirement for appropriate and independently verified factors to gain access to your servers will ensure that your business is not affected by credential stuffing attacks based on breaches such as RockYou2021.”


And Rajiv Pimplaskar, CRO of Veridium, adds: “Any security system is only as strong as the weakest link. Companies and users need to treat these developments as a wake-up call to end their overblown reliance on passwords. Passwordless authentication methods such as phone as a token and / or FIDO2 security keys are now commonly available. Such solutions create an un-phishable connection between the user and the IT system and eliminate the need for a password thereby reducing the attack surface and making the environment more resilient against cyber attacks. Also, these authenticators offer less friction as compared to traditional Multi Factor Authentication (MFA) which improves user experience and productivity.”