A Cybernews research team has discovered the world's largest collection of passwords leaked on the internet, containing 9,948,575,739 unique plaintext entries. The credentials were discovered in a file named “rockyou2024.txt” that was posted on a popular hacking forum on July 4, 2024.
Many of the passwords in RockYou2024 have been leaked in previous data breaches. This is also not the first RockYou data breach: the name has been attached to a series of large-scale password leaks since 2009.
The user who posted RockYou2024, who goes by the username “ObamaCare,” has been responsible for multiple data dumps since creating his account in May 2024. He has shared an employee database for the law firm Simmons & Simmons, a leak from the online casino AskGamblers, and student applications for Rowan College in Burlington County, New Jersey.
RockYou is a social app that no longer exists, and in 2009, account data for over 32 million users was exposed after a hacker got hold of the plain text file where it was stored. In June 2021, another text file called “rockyou2021.txt” was published. This 100GB file contained 8.4 billion passwords, making it the largest password dump in history up to that point.
How this password leak increases the risk of credential theft attacks
The Cybernews team believes that RockYou2024 has all of RockYou2021's passwords, plus another 1.5 billion new passwords. In total, the archive contains information from more than 4,000 databases.
“In essence, the RockYou2024 leak is a collection of real passwords used by people around the world,” the researchers said. “Revealing so many threat actors’ passwords substantially increases the risk of credential theft attacks.”
Credential theft attacks, where attackers use automated tools to test stolen username and password pairs across different websites to check whether credentials have been reused, are relatively common.
In June 2024, a threat actor gained access to the Snowflake cloud data platform through a successful credential theft attack and was able to exfiltrate data from 165 of its customers.
In November 2023, hackers managed to steal the personal and genetic information of 6.9 million people from 23andMe after leveraging stolen account sessions and legitimate login credentials. The company blamed its users for the breach, claiming that they had “negligently recycled” their data in a letter obtained by TechCrunch.
RockYou2024 could offer threat actors a new source of passwords to test in credential-stealing attacks that help them gain unauthorized access to people’s online accounts. These accounts could be for online and offline services, IoT cameras, and industrial hardware.
“Combined with other databases leaked on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 may contribute to a cascade of data breaches, financial frauds and identity thefts,” the Cybernews team said.
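The attacks this section describes are automated: one source tries stolen username/password pairs against many accounts in quick succession, so the defender-side signal is a single IP touching an unusual number of distinct accounts in a short window. The detector below is an added example, not part of the article or of Cybernews' research; the log lines and their one-line-per-attempt format (time, source IP, username, OK/FAIL) are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample auth log (not real data): "<ISO time> <ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2024-07-05T10:00:01 203.0.113.7 alice FAIL
2024-07-05T10:00:02 203.0.113.7 bob FAIL
2024-07-05T10:00:03 203.0.113.7 carol FAIL
2024-07-05T10:00:04 203.0.113.7 dave FAIL
2024-07-05T10:00:05 203.0.113.7 erin OK
2024-07-05T10:00:06 203.0.113.7 frank FAIL
2024-07-05T10:01:00 198.51.100.2 alice FAIL
2024-07-05T10:01:30 198.51.100.2 alice FAIL
2024-07-05T10:02:00 198.51.100.2 alice OK
2024-07-05T10:30:00 192.0.2.9 bob FAIL
2024-07-05T11:30:00 192.0.2.9 carol FAIL
2024-07-05T12:30:00 192.0.2.9 dave FAIL
2024-07-05T13:30:00 192.0.2.9 erin FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Yield (time, ip, user, success) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, ip, user, result = m.groups()
            yield datetime.fromisoformat(t), ip, user, result == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=10), min_users=4):
    """Return {ip: {"users": [...], "hits": [...]}} for every source IP that
    attempted >= min_users distinct accounts inside some span of length window.
    "hits" lists accounts that logged in successfully from that IP: these are
    the ones to force a reset on and to check for MFA."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # by timestamp, so a sliding window is valid
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            if len({e[2] for e in events[start:end + 1]}) >= min_users:
                flagged[ip] = {"users": sorted({e[2] for e in events}),
                               "hits": sorted({e[2] for e in events if e[3]})}
                break
    return flagged
```

With the default 10-minute window only 203.0.113.7 is flagged; the hourly attempts from 192.0.2.9 only show up with a longer window, which is the usual trade-off against low-and-slow stuffing and a reason to pair this with rate limiting and MFA rather than rely on it alone.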
Tips to mitigate the risk of credential theft attacks
Jake Moore, global cybersecurity advisor at security firm ESET, told TechRepublic: “User credentials are constantly getting caught up in data breaches and end up being collected and stored in large databases on the dark web.
“Therefore, there is no excuse today for not using a unique password for each account, especially as data breaches continue to rise. Criminals can exploit known credentials across multiple accounts, and multiple people using the same password across different sites are at risk of being compromised.
“Fortunately, passphrases and password managers are now easier to use and integrate into daily life. They take care of the difficult task of generating and securely storing complex passwords and other codes so we don’t have to remember them. Plus, combining this with multi-factor authentication for all accounts improves security and helps better protect users’ accounts.”
Advice for anyone affected by the RockYou2024 leak
Cybernews researchers have put together a number of recommendations for individuals and organizations affected by the RockYou2024 security breach. These are:
- Immediately reset all passwords that were exposed in the data breach. Ideally, new passwords should be strong and unique to your account.
- Enable multi-factor authentication.
- Use password management software that generates and stores complex passwords that are unique for each account.