10 Billion Passwords Exposed in Biggest Leak Ever
Researchers from Cybernews uncovered what appears to be the world’s largest compilation of leaked passwords, containing nearly 10 billion unique plaintext passwords. The stolen data file, rockyou2024.txt, was posted on a criminal underground forum, BreachForums, by a hacker nicknamed “ObamaCare” on July 4th.
Like the 26-billion-record data leak that Cybernews discovered earlier this year, RockYou2024 is likely a collection compiled from numerous data breaches. Cybernews believes the stolen passwords span 4000 databases over more than two decades.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world,” the media outlet explained.
The RockYou2024 password compilation could help bad actors hack systems that aren’t properly protected against brute force. Brute force hacking involves trying different combinations of usernames and passwords until successfully breaching an account.
Due to its vast size, Cybernews warns RockYou2024 “substantially heightens the risk of credential stuffing,” a form of brute force attack in which passwords obtained from one data breach can be used to compromise unrelated accounts. For example, if one’s Instagram password has been breached, the hacker might gain access to the person’s bank account using the same password.
The RockYou2024 compilation is an extension of the RockYou2021 password compilation that Cybernews uncovered three years ago. The 2021 compilation contained 8.4 billion plain text passwords and was also labeled the largest at that time.
According to Cybernews’ research, hackers have added another 1.5 billion passwords since 2021, increasing the compromised dataset by 15%. Moreover, researchers believe the RockYou2021 compilation is an expansion of a data breach from 2009, which included tens of millions of social media passwords.
Some sources that examined the RockYou2024 dataset suggest that it’s partially “garbage” and unlikely to lead to significantly adverse scenarios. Ian Thornton-Trump, the chief security information officer at threat intelligence agency Cyjax, believes “the magnitude of this aggregated data becomes next to useless due to its vast size.”
Despite the different attitudes regarding RockYou2024, all experts agree that exercising caution toward password generation, storage, and use is critical when data breaches and cybercrime are on the rise.
Creating unique and strong passwords, resetting leaked passwords, and enabling multifactor authentication are some steps that provide greater password security. Alternatively, password managers handle all these tasks automatically, providing maximum protection.