‘Largest password leak ever’ exposes 10 billion credentials

The “largest password compilation” with approximately 10 billion unique passwords has been leaked on a popular hacking forum, presenting significant risks for users who reuse passwords.

Researchers at Cybernews uncovered a file named rockyou2024.txt, containing 9,948,575,739 unique plaintext passwords. This file was posted by a forum user known as ObamaCare, who only recently joined the forum but has been active in sharing data from various breaches.

The file is described by researchers as a mixture of old and new data breaches, pointing out that it does not represent a single new breach involving 10 billion passwords. They explained that the RockYou2024 leak includes passwords that are commonly used by people worldwide, thereby significantly increasing the risk of credential stuffing attacks where attackers use stolen passwords to attempt access to unrelated services.

For example, someone might use a password obtained from the Frontier Communications breach to see if you use the same password for your bank account.

The researchers elaborated on potential threats, stating, “Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts.”

RockYou2021 data breach

They also showed that this compilation is an evolved form of a previous leak named RockYou2021, which had 8.4 billion passwords and originated from a 2009 data breach but had expanded significantly by 2021.

The team analyzed that attackers likely built the RockYou2024 dataset by collecting additional passwords from subsequent leaks, increasing the total by 15 per cent over three years. This compilation now includes data possibly accumulated from over 4,000 databases spanning more than two decades.

The team also warned that the extensive RockYou2024 compilation could be used to target any system vulnerable to brute-force attacks, ranging from online services to industrial hardware.

They also noted the compounding threat posed when this data is combined with other leaked information, such as user email addresses from other databases, which can lead to widespread financial fraud and identity theft.

What should users do?

Data security isn’t always within our control, especially in the face of constant data breaches. It’s important for users to take proactive steps and remain vigilant to prevent cybercriminal attacks.

Here are a few measures users can implement:

  • Reset passwords for any accounts sharing the same credentials (email and password)
  • Enable two-factor authentication (2FA) and multi-factor authentication (MFA) on all accounts to introduce an additional layer of security
  • Use a password manager to create and manage secure, complex, and unique passwords for different accounts effortlessly.

Featured image: Canva

Leave a Comment