
10 billion passwords leaked in RockYou2024’s largest compilation

Cybernews uncovered the largest-ever password compilation.

What happened

Cybernews researchers discovered the largest password compilation ever, containing nearly 10 billion unique plaintext passwords, named RockYou2024. Posted on July 4th on a hacking forum by a user called ObamaCare, who previously shared databases from various organizations, this dataset includes passwords from both old and new breaches, verified through Cybernews’ Leaked Password Checker.

Researchers warn that the RockYou2024 compilation, consisting of real-world passwords, significantly increases the risk of credential stuffing attacks, where attackers use stolen passwords to gain unauthorized access to accounts.

What was said

Researchers told Cybernews that the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. The attack has increased the risk of credential stuffing attacks due to the cybercriminals having access to a large number of individuals' passwords. The threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset, said the researchers.

By the numbers

  • RockYou2021 was discovered in 2021 and was a compilation of 8.4 billion social media passwords.
  • RockYou2021 was an expansion of a 2009 data breach that included tens of millions of user passwords.
  • RockYou2024 was posted on a hacking forum with 9,948,575,739 passwords.
  • RockYou2024 is 15% larger than RockYou2021 (adding 1.5 billion passwords).
  • RockYou2024 contains information collected from more than 4,000 databases over more than 20 years.

In the know

Credential stuffing is a cyberattack method where threat actors use large sets of stolen usernames and passwords to gain unauthorized access to user accounts across various online platforms. These credentials are from previous data breaches or leaks. In a credential stuffing attack, the attackers automate testing the stolen credentials against multiple websites or applications, exploiting the common practice of users reusing passwords across different accounts. 

This method capitalizes on the fact that many individuals use the same password or slight variations across multiple services, making it easier for attackers to compromise numerous accounts at once. To mitigate this risk, individuals and organizations are advised to use unique, complex passwords for each account and enable additional security measures such as multi-factor authentication.

See also: HIPAA Compliant Email: The Definitive Guide

Why it matters

The RockYou2024 leak has significant implications for individuals, industries, and communities:

  • It raises the risk of identity theft, compromised accounts, and increased stress. 
  • Companies may face financial losses, reputational damage, and increased security costs.
  • Communities may lose trust in digital services and local economies.

The dataset builds on previous breaches, showing a troubling trend of larger data leaks. The combination of the dataset with other leaked databases could lead to a cascade of data breaches, financial fraud, and identity theft. 

The event also shows the ongoing challenge of keeping up with sophisticated cyber threats and the importance of data protection, pushing the cybersecurity industry to develop more advanced protective measures and tools to prevent and mitigate such breaches.

Learn more: 5 Steps to improve password security in healthcare

FAQs

What makes a password strong?

A strong password typically includes a mix of upper and lower case letters, numbers, and special characters. It should be unique and not easily guessable based on personal information.
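The practical follow-up to a compilation like RockYou2024 is to check candidate passwords against a leaked-password list as well as the composition rules above. The following is an added example, not code from the article or from Paubox: it applies the rules in the answer (mixed case, digits, special characters, no personal information) and then looks the password up in a constructed, tiny stand-in for a leaked list by SHA-1 digest, the way public breach-check services store such lists. The 12-character minimum and the sample leaked entries are assumptions, not values from the article.

```python
import hashlib
import re

# Constructed stand-in for a leaked-password compilation such as RockYou2024.
# The real list has nearly 10 billion entries; these few are placeholders.
LEAKED_PASSWORDS_SAMPLE = ["123456", "password", "qwerty", "iloveyou", "Summer2024!", "letmein"]

# Keep only SHA-1 digests of the leaked values so the checker never needs the
# plaintext list beside it. SHA-1 is acceptable here: it is a lookup key for
# already-public data, not a credential store.
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PASSWORDS_SAMPLE}

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def is_leaked(password, leaked_hashes=LEAKED_SHA1):
    """True if the password's SHA-1 digest appears in the leaked set."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper() in leaked_hashes


def strength_issues(password, personal_info=()):
    """Return the reasons a candidate password fails the checks; empty if it passes.

    personal_info is an iterable of strings the user should not reuse in a
    password (name, birth year, pet, ...). Comparison is case-insensitive.
    """
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    composition_checks = [
        (r"[a-z]", "no lowercase letter"),
        (r"[A-Z]", "no uppercase letter"),
        (r"[0-9]", "no digit"),
        (r"[^A-Za-z0-9]", "no special character"),
    ]
    for pattern, message in composition_checks:
        if not re.search(pattern, password):
            issues.append(message)
    lowered = password.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            issues.append(f"contains personal information ({item!r})")
    # The leaked-list check is the one that catches "strong-looking" passwords
    # that are nonetheless in a compilation and therefore usable for stuffing.
    if is_leaked(password):
        issues.append("appears in a leaked-password compilation")
    return issues


if __name__ == "__main__":
    for candidate in ["qwerty", "Summer2024!", "Tr0ub4dor&3-Horse-Staple"]:
        print(candidate, "->", strength_issues(candidate, personal_info=("summer",)) or "OK")
```

Note that "Summer2024!" satisfies every composition rule and still fails: it is in the sample leaked list and contains the user's own personal-info term, which is exactly why the leaked-list lookup belongs next to the composition rules rather than replacing them.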

Learn more: Password guidelines by NIST

How can organizations protect against credential stuffing attacks?

Organizations should implement rate limiting on login attempts, monitor for unusual login patterns, educate users about password security, and use tools that can detect and block credential stuffing attempts in real-time.
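To make the two mitigations above concrete, here is an added example (not code from the article or from Paubox) that runs over a few constructed authentication log lines. It flags a source that tries many different accounts in a short window, which is the shape of credential stuffing described in the "In the know" section (one leaked password per account, spread across many accounts) as opposed to a single user mistyping their own password, and separately lists sources that exceed a per-source attempt rate, the condition a login rate limiter would act on. The log format, the IPs, usernames, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample authentication log (not from any real system).
# Format assumed here: ISO-8601 UTC timestamp, source IP, username, OK|FAIL.
SAMPLE_AUTH_LOG = """\
2024-07-05T10:00:01Z 203.0.113.7 alice FAIL
2024-07-05T10:00:02Z 203.0.113.7 bob FAIL
2024-07-05T10:00:02Z 203.0.113.7 carol FAIL
2024-07-05T10:00:03Z 203.0.113.7 dave FAIL
2024-07-05T10:00:03Z 203.0.113.7 erin OK
2024-07-05T10:00:04Z 203.0.113.7 frank FAIL
2024-07-05T10:00:10Z 198.51.100.2 alice FAIL
2024-07-05T10:00:15Z 198.51.100.2 alice FAIL
2024-07-05T10:00:20Z 198.51.100.2 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, username, result); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3), m.group(4)


def events_by_source(log_text):
    """Group parsed events by source IP, each list sorted by time."""
    grouped = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, result = parsed
            grouped[ip].append((ts, user, result))
    for events in grouped.values():
        events.sort()
    return grouped


def _sliding_windows(events, window_seconds):
    """Yield, at each event, the deque of events inside the trailing window."""
    window = deque()
    for ev in events:
        window.append(ev)
        while (ev[0] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        yield window


def detect_credential_stuffing(log_text, window_seconds=60, min_distinct_users=5):
    """Flag sources that touch many *different* accounts within one window.

    Stuffing spreads a leaked list across usernames, so the signal is breadth
    (distinct accounts per source), not depth (attempts per account). Returns
    {ip: {"distinct_users": n, "accounts_logged_in": [...]}}; accounts_logged_in
    are the accounts the flagged source successfully entered, i.e. the ones to
    reset and review first.
    """
    alerts = {}
    for ip, events in events_by_source(log_text).items():
        peak = 0
        for window in _sliding_windows(events, window_seconds):
            peak = max(peak, len({u for _, u, _ in window}))
        if peak >= min_distinct_users:
            succeeded = sorted({u for _, u, r in events if r == "OK"})
            alerts[ip] = {"distinct_users": peak, "accounts_logged_in": succeeded}
    return alerts


def rate_limited_sources(log_text, max_attempts=5, window_seconds=60):
    """Return sources that exceeded max_attempts attempts inside any window."""
    limited = []
    for ip, events in events_by_source(log_text).items():
        if any(len(w) > max_attempts for w in _sliding_windows(events, window_seconds)):
            limited.append(ip)
    return sorted(limited)


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_AUTH_LOG))
    print(rate_limited_sources(SAMPLE_AUTH_LOG))
```

In the sample, 203.0.113.7 hits six accounts in three seconds and is both flagged and rate limited, with "erin" reported as the account it actually got into; 198.51.100.2 makes three attempts against one account and trips neither check, which is the distinction that keeps a legitimate user who mistypes twice from being treated as an attacker.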

See also: Common password attacks and how to avoid them

What is multi-factor authentication (MFA)?

Multi-factor authentication adds an extra layer of security by requiring users to provide two or more verification factors to gain access to an account. This typically includes something you know (a password) and something you have (e.g., a code sent to your phone).
