10 Bn passwords leaked | OpenAI hacked?
CyberInsights #147 - The RockYou file contains 10 Bn passwords | An alleged breach for OpenAI in 2023 went unreported
A database of 10 billion passwords leaked on the dark web
RockYou2024.txt contains 10 Bn passwords, about 2 Bn more than RockYou2021.txt. It’s a good thing.
Users of password cracking software know that you have to provide a password file to the cracker. For the past 3 years, the default password file has been RockYou2021.txt. It contained over 7 billion passwords. It was muscle memory for seasoned penetration testers to use this database, set the cracker to stun, and return the next day to see if there were any results. Like all good things, the password database got an update too. The new RockYou2024.txt has over 10 Bn passwords.
While these passwords were used to feed password crackers with the juice needed to do their work, there were other uses as well. Leaked password databases allow users to check if their username or password has been part of a hack or a leak. If yes, the password can be changed and a new password generated. Many password managers provide a list of stored passwords that have appeared in a leaked database. Here is a screen grab from my trusty 1Password - a password manager that I have been using for nearly a decade.
Take Action:
If you are a red teamer, you would already have tried to lay your hands on this database and started using it for testing with password cracking software and in credential stuffing attacks.
If you are on the protection side, do the following:
There are services like Have I Been Pwned that check if your username has appeared in a compromised database. Ask all users to check their key user IDs to see if they have appeared in a breach. If yes, ask them to change the compromised password.
Check if your corporate password manager has already incorporated this leak into its breached-password checks. If yes, run a scan of all stored passwords to alert affected users and ask them to change their passwords.
Do the same for all your personal accounts. Enable MFA, while you are at it.
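The "scan all stored passwords" step above, as an added example that is not from the newsletter or from any password-manager vendor: a small offline simulation of the k-anonymity range check used by Have I Been Pwned's Pwned Passwords API. The client hashes each password with SHA-1, sends only the first five hex characters of the hash, and matches the remaining suffix locally, so a stored password never leaves the vault. The leaked-password list and the vault contents are constructed stand-ins, and the function names are my own.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-password corpus such as RockYou2024.txt
# (a handful of lines here; the real file has billions).
LEAKED_WORDLIST = """123456
password
qwerty
iloveyou
letmein
"""


def sha1_hex(password: str) -> str:
    """Pwned Passwords keys its corpus by upper-case hex SHA-1 of the plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(wordlist: str) -> dict:
    """Index the corpus the way a range server would: 5-hex-char prefix -> set of
    35-char suffixes. Only hashes are kept, so the plaintext list is not needed
    at query time."""
    index = defaultdict(set)
    for line in wordlist.splitlines():
        pw = line.rstrip("\r\n")
        if not pw:
            continue
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def range_query(index: dict, prefix: str) -> set:
    """Server side of the k-anonymity protocol: return every suffix filed under
    the prefix. The server learns only 20 bits of the hash, never the password."""
    return index.get(prefix, set())


def is_pwned(password: str, index: dict) -> bool:
    """Client side: share the prefix, compare the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(index, h[:5])


def scan_vault(vault: dict, index: dict) -> list:
    """Scan a password-manager export {account: password}; return the accounts
    whose password appears in the leak, sorted for stable reporting."""
    return sorted(name for name, pw in vault.items() if is_pwned(pw, index))
```

Against a real corpus the index would be built once and served over HTTPS; the client-side logic in is_pwned stays the same.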
OpenAI suffered a data breach in 2023 and did not report it
The breach was internal chats and not customer data or source code, claims OpenAI
It does not seem like a good season for generative AI platforms. First, Perplexity scanning websites in an unauthorized manner, and now this piece of news.
As per the NYT, OpenAI suffered a data breach in 2023. They did not report it.
The breach, according to OpenAI, did not disclose information about customers or partners and hence did not warrant a disclosure.
Security practices at these large generative AI platforms are shrouded in secrecy and such pieces of news do little to raise the confidence of users.
Take Action:
There is nothing actionable from a data compromise here. However, keep an eye on how you or your organization is using generative AI services. If you are using them to manage confidential data, then be doubly careful about the kind of data you share with these platforms. The data being used to train the AI is just one of your problems, it appears.