The world’s largest collection of stolen passwords has been posted to a notorious criminal forum where cybercriminals trade such credentials. A hacker using the name “ObamaCare” has uploaded a database of nearly 10 billion unique passwords believed to have been collected from numerous data breaches and hacks over many years. Here’s everything you need to know.
What You Need to Know About RockYou2024 Password Database
Security researchers at Cybernews have discovered what appears to be the largest collection of stolen and leaked credentials ever seen, posted on the criminal underground forum BreachForums. The RockYou2024 compilation contains an astonishing 9,948,575,739 unique passwords, all in plaintext. It incorporates the earlier RockYou2021 compilation of 8.4 billion passwords and adds roughly 1.5 billion new entries gathered between 2021 and 2024; in total, the file is estimated to draw on some 4,000 databases of stolen credentials spanning at least two decades.
“In essence, the RockYou2024 leak is a compilation of real passwords used by individuals around the world,” the researchers said, adding that “revealing that many passwords are shared by malicious actors significantly increases the risk of credential stuffing attacks.”
The Brute Force Implications of RockYou2024
Credential stuffing attacks remain one of the most common and successful initial-access methods for criminal and state-sponsored hackers and ransomware affiliates. One distinction matters here, though: RockYou2024 is a list of passwords only, with no usernames or email addresses attached, so on its own it is a wordlist for dictionary attacks and password spraying. Credential stuffing proper, which replays leaked username-and-password pairs against other services, requires joining it with breach data that carries the matching account names.
Such threat actors could abuse the RockYou2024 password compilation to perform brute-force attacks and “gain unauthorized access to various online accounts used by individuals using passwords included in the dataset,” the research team said. This could include everything from online services to internet cameras and even industrial hardware. Combined with other leaked databases on hacker forums and dark web marketplaces, containing email addresses and other login credentials, the team concluded, “RockYou2024 could contribute to a flood of data breaches, financial fraud, and identity theft.”
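Defenders see the other side of this. A wordlist like RockYou2024 fired at a login endpoint shows up in authentication logs as one source trying a few guesses against many different accounts, rather than many guesses against one. The following is an added example, not code from the article or from Cybernews, that flags that pattern. The log format (ISO-8601 timestamp, OK or FAIL, username, source IP) is hypothetical and the sample lines are constructed.

```python
"""Spot wordlist-driven guessing in authentication logs.

Added example (not from the article or from Cybernews). The log format is
hypothetical: "<ISO-8601 timestamp> <OK|FAIL> <username> <source IP>", and
the sample lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against six accounts and
# gets into "frank"; 198.51.100.9 is a user mistyping their own password;
# 192.0.2.44 fails against two accounts, below the default threshold.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z FAIL alice 203.0.113.7
2024-07-05T10:00:03Z FAIL bob 203.0.113.7
2024-07-05T10:00:04Z FAIL carol 203.0.113.7
2024-07-05T10:00:06Z FAIL dave 203.0.113.7
2024-07-05T10:00:07Z FAIL erin 203.0.113.7
2024-07-05T10:00:09Z OK frank 203.0.113.7
2024-07-05T10:00:10Z FAIL alice 198.51.100.9
2024-07-05T10:00:20Z FAIL alice 198.51.100.9
2024-07-05T10:00:31Z OK alice 198.51.100.9
2024-07-05T10:01:00Z FAIL bob 192.0.2.44
2024-07-05T10:01:05Z FAIL carol 192.0.2.44
2024-07-05T10:01:09Z OK bob 192.0.2.44
"""


def parse_line(line):
    """Split one hypothetical-format log line into (timestamp, result, user, ip)."""
    ts, result, user, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip


def detect_spraying(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: report} for every source IP that fails against at least
    min_users distinct accounts inside a sliding time window: the
    one-guess-per-account shape of password spraying and credential stuffing,
    as opposed to many guesses at a single account. A later successful login
    from a flagged IP is recorded as a probable account takeover."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # ip -> (timestamp, user) failures inside window
    flagged = {}
    for ts, result, user, ip in events:
        q = recent[ip]
        while q and ts - q[0][0] > window:   # drop failures that aged out
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            distinct = {u for _, u in q}
            if len(distinct) >= min_users:
                rep = flagged.setdefault(
                    ip, {"distinct_users": 0, "flagged_at": ts, "takeovers": []})
                rep["distinct_users"] = max(rep["distinct_users"], len(distinct))
        elif ip in flagged:
            # a success from an IP already spraying is the event worth paging on
            flagged[ip]["takeovers"].append(user)
    return flagged


if __name__ == "__main__":
    for ip, rep in detect_spraying(SAMPLE_LOG).items():
        print(ip, rep)
```

The per-IP heuristic catches a single host working through a wordlist, but credential stuffing is often spread across proxy pools so that each IP fails only once or twice; for that you need per-account counters and a baseline of the site's normal failure rate as well. Also treat the output as a detection signal rather than an automatic lockout trigger, since locking accounts on failed guesses lets the attacker deny service to every user in the wordlist.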
Security Experts Reveal How Concerned You Should Be and What to Do Now
“I know this might sound funny, but what’s 1.5 billion more passwords?” said Daniel Card, a self-proclaimed Cyber Ninja Warrior and founder of security consulting firm PwnDefend. He has a point: once a wordlist already holds billions of unique entries, adding more barely changes what an attacker can do, because online guessing is bounded by rate limits and lockouts and offline cracking by hash rate, not by a shortage of candidates. “In terms of how people create passwords,” Card said, “is that going to change the world? Probably not. I don’t think it’s going to change the capability of the threat actors in any meaningful way.”
Other security experts agree with Card on this one. “While this aggregated work is a shock and awe moment in terms of how terrible the state of identity and access management controls is, and the lack of protection for that information,” said Ian Thornton-Trump, chief information security officer at threat intelligence company Cyjax, “I think there comes a point where the sheer volume of this aggregated data becomes almost useless.” Thornton-Trump admits that’s a bad thing, of course, but what’s really bad is the lack of multi-factor authentication that still exists in organizations around the world. “Maybe we should be looking at regulations that enforce MFA for every login to a software-as-a-service platform?” he concludes.
So what should you do in response to this massive breach of plaintext password data? My advice is to take a hard look at yourself and your attitude to login security. Jake Moore, global cybersecurity advisor for security vendor ESET, seems to agree. “There really is no excuse not to use unique passwords for every account, as data breaches are unfortunately happening and increasing,” Moore says. “Thankfully, password managers are easier than ever to use and implement into everyday life, and they take the hard part out of generating passwords and securely storing these complex codes,” Moore concludes.
In the meantime, don’t panic too much about RockYou2024. Go about your business and take as much care as you can when generating, storing, and using passwords. Get a password manager: 1Password and Proton Pass are good choices, and Apple is adding a dedicated Passwords app in the upcoming iOS 18 update. And turn on MFA wherever you can. You can use Cybernews’ exposed passwords checker to see whether any of your passwords are included in this latest RockYou database of stolen credentials.
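Whichever checker you use, the one property worth insisting on is that your actual password never leaves your machine. The standard way to get that is the k-anonymity range query popularised by Have I Been Pwned’s Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex digits, receives every known hash suffix under that prefix with its breach count, and does the final match locally. The following is an added example, not code from the article, from Cybernews or from Have I Been Pwned, that implements the client side of that exchange and a simple password-acceptance rule on top of it. The server is a fake in-process stand-in over a constructed corpus with invented counts, so the example runs offline; the response layout (one `SUFFIX:COUNT` line per matching hash) mirrors the real API.

```python
"""Breached-password check without disclosing the password (k-anonymity).

Added example (not from the article, Cybernews or Have I Been Pwned). The
server below is a stand-in over a constructed corpus; the counts are invented.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the Pwned Passwords range API is keyed on.
    SHA-1 is fine here: it is a lookup key into breach data, not a stored credential."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class FakeRangeServer:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Indexes a constructed corpus of leaked passwords by the first five hex digits
    of their SHA-1 and answers with 'SUFFIX:COUNT' lines, one per matching hash.
    It also records every request so the reader can see what actually left the client."""

    def __init__(self, corpus):
        self.table = {}
        for password, count in corpus.items():
            h = sha1_hex(password)
            self.table.setdefault(h[:5], []).append((h[5:], count))
        self.requests = []

    def range(self, prefix: str) -> str:
        self.requests.append(prefix)
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in self.table.get(prefix, []))


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            suffix, count = line.split(":")
            table[suffix] = int(count)
    return table


def breach_count(password: str, fetch_range) -> int:
    """k-anonymity lookup: only the 5-hex-digit prefix is sent; the remaining 35
    digits are matched locally against the returned range. Returns the number of
    times the password was seen in breach data, 0 if never."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password: str, fetch_range, min_len: int = 12) -> tuple:
    """Acceptance rule for a new password: long enough and absent from breach
    data. Any non-zero count is a rejection; a password that has leaked once is
    already in somebody's wordlist."""
    if len(password) < min_len:
        return False, "too short"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in breach data"
    return True, "ok"


# Constructed corpus (hypothetical passwords, invented occurrence counts).
CONSTRUCTED_CORPUS = {"password": 1000, "123456": 5000, "rockyou2024!": 7, "letmein": 150}

if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_CORPUS)
    for candidate in ("password", "rockyou2024!", "correct horse battery staple"):
        print(candidate, password_acceptable(candidate, server.range))
    print("prefixes sent to server:", server.requests)
```

Against the real service, `fetch_range` would be an HTTPS GET of `https://api.pwnedpasswords.com/range/` followed by the prefix; everything else stays the same. The same `password_acceptable` rule is what a registration or password-change endpoint should run server-side, which is how a service stops its users from picking anything in RockYou2024 in the first place.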