Nearly 10 Billion Passwords Leaked in Biggest Compilation of All Time
The world’s largest compilation of passwords to be leaked online has been discovered by a research team at Cybernews, containing 9,948,575,739 unique plaintext entries. The credentials were discovered in a file named “rockyou2024.txt” that was posted on a popular hacking forum on July 4, 2024.
Many of the so-called RockYou2024 passwords have already been leaked in previous data breaches. This is not the first RockYou data dump either, as the name has been associated with a number of large-scale password leaks since 2009.
The user who posted RockYou2024, who has the username “ObamaCare,” has been responsible for multiple data dumps since creating their account in May 2024. They have shared an employee database from law firm Simmons & Simmons, a lead from online casino AskGamblers and student applications for Rowan College at Burlington County in New Jersey.
RockYou is a defunct social application site and, in 2009, more than 32 million of its users’ account details were exposed after a hacker got hold of the plaintext file where they had been stored. In June 2021, another text file was posted named “rockyou2021.txt.” This 100GB file contained 8.4 billion passwords, making it the largest ever password dump at the time.
How this password leak heightens the risk of credential stuffing attacks
The Cybernews team believes that RockYou2024 has all the passwords from RockYou2021, plus another 1.5 billion new passwords. In total, the file contains information from more than 4,000 databases.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world,” researchers said. “Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks.”
Credential stuffing attacks, where attackers use automated tools to try stolen username-password pairs on different websites to test if credentials have been reused, are relatively common.
DOWNLOAD: Best Practices for Password Creation and Storage from TechRepublic Premium
In June 2024, a threat actor managed to access the Snowflake cloud data platform through a successful credential stuffing attack and was able to extract data from 165 of their clients.
In November 2023, hackers were able to steal the personal and genetic information of 6.9 million people from 23andMe after leveraging stolen account sessions and legitimate login credentials. The company blamed its users for the breach, saying they “negligently recycled” their details in a letter acquired by TechCrunch.
RockYou2024 could offer threat actors a new source of passwords to try in credential stuffing attacks to help them gain unauthorised access to individuals’ online accounts. These accounts could be for online and offline services, IoT cameras and industrial hardware.
“Combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” the Cybenews team said.
Advice for mitigating the risk of credential stuffing attacks
Jake Moore, global cybersecurity advisor at security firm ESET, told TechRepublic: “User credentials are constantly being caught up in data breaches and they end up being collected and stored in large databases on the dark web.
“Therefore, these days there is no excuse for not using a unique password for every account – especially as data breaches continue to increase. Criminals can exploit known credentials across multiple accounts and many people using the same password across different sites are at risk of being compromised.
“Fortunately, passphrases and password managers are now easier to use and integrate into daily life. They handle the difficult task of generating and securely storing complex passwords and other codes so we don’t have to remember them. Additionally, combining this with multi-factor authentication for all accounts enhances security and helps better protect people’s accounts.”
SEE: 8 Best Enterprise Password Managers for 2024
Tips for anyone impacted by the RockYou2024 breach
The Cybernews researchers have made a number of recommendations for the individuals and organisations impacted by the RockYou2024 breach. These are:
- Immediately reset all passwords that appeared in the data breach. Ideally, new passwords should be strong and unique to their account.
- Enable multi-factor authentication.
- Utilise password manager software that generates and stores complex passwords that are unique to each account.