Nearly 10 billion passwords exposed in massive leak
Believed to be an expansion of a similar leak in 2021
Researchers have uncovered a massive data breach, exposing nearly 10 billion unique passwords.
Dubbed RockYou2024, the leak is believed to be the largest ever discovered, putting countless online accounts at risk.
Cybernews researchers first identified the leak, contained in a file named "rockyou2024.txt," which was uploaded to a hacking forum on 4th July.
It was posted by a user named ObamaCare who registered just two months prior. The user has a history of sharing breached data, including employee records from the law firm Simmons & Simmons and student applications for Rowan College at Burlington County in the USA.
The file contains a mix of old and newly breached passwords, making it a goldmine for attackers.
The leak is likely to raise the risk of credential stuffing and brute force attacks.
"In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks," researchers said.
In credential stuffing, attackers take login credentials stolen from one source and replay them against other online platforms, taking over any account where the same credentials were reused. A recent wave of attacks targeting companies like Santander and Ticketmaster exemplifies the potential damage of credential stuffing.
RockYou2024 also aids brute-force attacks, where attackers automate the process of trying millions of candidate passwords against an account until one succeeds.
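The two attack patterns just described leave different traces in an authentication log, and a defender can tell them apart from the shape of the failures alone: credential stuffing shows one source cycling through many different usernames with mostly failed logins, while brute force shows one source hammering a single username. The following is an added example (not part of the article or of Cybernews' tooling) that parses a constructed, simplified log format, labels each source address, and lists accounts that nevertheless logged in successfully from a flagged source. The log format, the field names and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the article). Source
# addresses come from the RFC 5737 documentation ranges. One line is
# deliberately malformed to show that the parser skips it.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z login user=alice src=203.0.113.5 result=FAIL
2024-07-05T10:00:02Z login user=bob src=203.0.113.5 result=FAIL
2024-07-05T10:00:03Z login user=carol src=203.0.113.5 result=FAIL
2024-07-05T10:00:04Z login user=dave src=203.0.113.5 result=FAIL
2024-07-05T10:00:05Z login user=erin src=203.0.113.5 result=FAIL
2024-07-05T10:00:06Z login user=frank src=203.0.113.5 result=FAIL
2024-07-05T10:00:07Z login user=grace src=203.0.113.5 result=OK
2024-07-05T10:01:00Z login user=dave src=198.51.100.9 result=FAIL
2024-07-05T10:01:01Z login user=dave src=198.51.100.9 result=FAIL
2024-07-05T10:01:02Z login user=dave src=198.51.100.9 result=FAIL
2024-07-05T10:01:03Z login user=dave src=198.51.100.9 result=FAIL
2024-07-05T10:01:04Z login user=dave src=198.51.100.9 result=FAIL
2024-07-05T10:01:05Z login user=dave src=198.51.100.9 result=FAIL
2024-07-05T10:01:06Z login user=dave src=198.51.100.9 result=FAIL
2024-07-05T10:01:07Z login user=dave src=198.51.100.9 result=OK
2024-07-05T10:02:00Z login user=alice src=192.0.2.77 result=OK
2024-07-05T10:02:30Z login user=bob src=192.0.2.88 result=FAIL
2024-07-05T10:02:31Z login user=bob src=192.0.2.88 result=OK
2024-07-05T10:02:40Z this line is not a login record
"""

# Assumed log format: "<timestamp> login user=<name> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the log into a list of dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, min_attempts=5, fail_ratio=0.8, min_distinct_users=4):
    """Label each source IP as 'credential_stuffing' or 'brute_force'.

    A source is considered only once it has made min_attempts logins of which at
    least fail_ratio failed. Many distinct usernames from one source is the
    stuffing signature; many attempts against one username is brute force.
    Thresholds are illustrative and would be tuned per environment.
    """
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "per_user": defaultdict(int)})
    for e in events:
        s = stats[e["src"]]
        s["attempts"] += 1
        s["per_user"][e["user"]] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1

    findings = {}
    for src, s in stats.items():
        if s["attempts"] < min_attempts:
            continue
        if s["fails"] / s["attempts"] < fail_ratio:
            continue
        if len(s["per_user"]) >= min_distinct_users:
            findings[src] = "credential_stuffing"
        elif max(s["per_user"].values()) >= min_attempts:
            findings[src] = "brute_force"
    return findings


def compromised_accounts(events, findings):
    """Accounts that logged in successfully from a flagged source: candidates for a forced reset."""
    return {e["user"] for e in events if e["src"] in findings and e["result"] == "OK"}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    findings = classify_sources(events)
    for src, label in sorted(findings.items()):
        print(f"{src}: {label}")
    print("accounts to reset:", sorted(compromised_accounts(events, findings)))
```

The successful logins at the end of each flagged burst are the important output: a password reset and a session revocation for those accounts, plus a 2FA challenge for logins from the flagged sources, closes the hole that a leaked password opened.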
The threat extends beyond online accounts. Hackers can exploit these passwords to target virtually any system lacking robust security, including internet-facing cameras and even industrial hardware.
When combined with other leaked databases containing usernames and other credentials, RockYou2024 could fuel a wave of data breaches, financial fraud and identity theft.
The RockYou2024 leak isn't entirely new. It's believed to be an expansion of the RockYou2021 compilation, unearthed three years ago, which exposed 8.4 billion passwords.
Researchers believe attackers compiled RockYou2024 by scouring the internet for breached data over two decades. While the majority of passwords in RockYou2024 originated from older incidents, nearly 1.5 billion were added between 2021 and 2024.
Security experts are now urging individuals and organisations to take immediate steps to mitigate the risks. These include implementing strong password policies that enforce complex, unique passwords for all accounts, and enabling two-factor authentication (2FA), which adds an extra layer of security by requiring a second verification code when logging in.
Cybernews says it will soon integrate RockYou2024 data into its Leaked Password Checker, an online tool that lets users verify whether their credentials have been compromised in a known breach.
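The article does not describe how the Leaked Password Checker works internally. A checker of this kind has to answer "is this password in the leak?" without the user ever sending the password itself, and the usual way to do that is a k-anonymity range lookup: the client hashes the password locally and sends only the first five hex characters of the hash, the server returns every suffix it holds under that prefix, and the match is made on the client. The following is an added example (not Cybernews' code and not a description of their tool) of both halves of that design over a constructed five-entry "leak" standing in for a file like rockyou2024.txt; the passwords in the corpus are made up for the example.

```python
import hashlib

# Constructed miniature corpus standing in for a leaked-password file.
# These are made-up entries, not taken from RockYou2024. "qwerty" appears
# twice to show that the index keeps a count per hash.
LEAKED_PASSWORDS = ["password123", "qwerty", "letmein", "iloveyou", "summer2024!", "qwerty"]

PREFIX_LEN = 5
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(text):
    """Uppercase hex SHA-1 of the UTF-8 encoding of text."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Server side: map each 5-character hash prefix to {suffix: count}.

    The server stores only hashes, so the plaintext corpus never has to be
    kept online once the index is built.
    """
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:PREFIX_LEN], {})
        bucket[h[PREFIX_LEN:]] = bucket.get(h[PREFIX_LEN:], 0) + 1
    return index


def range_query(index, prefix):
    """Server side: return every suffix under a prefix.

    This is all the server ever learns about the query: one of 16**5
    (1,048,576) possible buckets, which identifies neither the password nor
    its full hash.
    """
    if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return dict(index.get(prefix, {}))


def check_password(password, index):
    """Client side: hash locally, query by prefix only, match the suffix locally.

    Returns how many times the password appears in the corpus (0 if absent).
    """
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    candidates = range_query(index, prefix)
    return candidates.get(suffix, 0)


if __name__ == "__main__":
    index = build_index(LEAKED_PASSWORDS)
    for candidate in ["password123", "qwerty", "a long unique passphrase 7c2d"]:
        n = check_password(candidate, index)
        verdict = f"seen {n} time(s) in the leak" if n else "not in the leak"
        print(f"{candidate!r}: {verdict}")
```

For a corpus the size of RockYou2024 the buckets stay manageable: 10 billion hashes spread over 1,048,576 prefixes is roughly 9,500 suffixes per response, small enough to return in one request while still hiding which of those entries, if any, the client was interested in. A password that comes back with a non-zero count should be treated as already known to attackers and rotated, regardless of how strong it looks.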
Earlier this year, researchers found a supermassive dataset around 12TB in size, containing over 26 billion records from "thousands of meticulously compiled and reindexed leaks, breaches, and privately sold databases."