Researchers say they have found what appears to be the largest password compilation ever published: a single file holding 9,948,575,739 unique plaintext passwords.
The file, titled 'rockyou2024.txt', combines passwords stolen in a mix of old and new breaches, making it a brute-force attacker's dream.
“In essence, the RockYou2024 leak is a collection of real-world passwords used by people around the world. Revealing so many threat actors’ passwords significantly increases the risk of credential theft attacks,” the Cybernews research team says.
A treasure trove for brute-force and credential-stuffing attacks
The .txt file was posted on July 4 by a forum user going by 'ObamaCare', who has shared leaked passwords from various sources since registering in May 2024.
Discussing the potential dangers of the password leak, the research team said: “Threat actors could exploit the RockYou2024 password collection to perform brute-force attacks and gain unauthorized access to various online accounts used by individuals employing passwords included in the dataset.”
The passwords were compiled from data breaches spanning two decades; roughly 1.5 billion of them were added to the archive between 2021 and 2024.
Brute force is an attack technique in which an attacker submits username and password combinations to a login interface until one is accepted. Because the process is automated, an attacker can try millions of passwords with little effort. A system with no protection against brute force, such as rate limiting, account lockout or multi-factor authentication, could quickly succumb to an attacker working through this password list.
The file is even more useful to an attacker using a technique called credential stuffing, in which leaked username and password pairs are replayed against other services. Because people reuse passwords, a database of stolen credentials, particularly ones taken from the target organization's own users, gives an attacker a far higher chance of breaching an account than blind guessing. Both online and offline services are at risk, as well as internet-connected cameras and industrial hardware, the report says.
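The two attack styles described above differ in what a per-account lockout can stop. The following added example (not code from the article or from Cybernews) simulates both against a small login gate: a brute-force run that walks a wordlist against one account, and a credential-stuffing run that tries one leaked pair per account. The user store, the wordlist excerpt and the combo list are all constructed for the demo, and the `LoginGate` class and helper names are hypothetical; passwords are held in plaintext only to keep the example short, where a real store would hold salted, slow hashes.

```python
import hmac
from collections import defaultdict

# Constructed demo user store: username -> password (plaintext only for brevity).
USERS = {"alice": "Tr0ub4dor&3", "bob": "password123", "carol": "M3tr0-Card!"}

# Constructed excerpt standing in for a wordlist such as rockyou2024.txt.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "Tr0ub4dor&3"]

# Constructed "combo list": username/password pairs as they would appear in a
# leak that paired account names with passwords (the input for credential stuffing).
COMBO_LIST = [("alice", "Tr0ub4dor&3"), ("bob", "hunter2"), ("carol", "M3tr0-Card!")]


class LoginGate:
    """Password check with a per-account failure counter and temporary lockout."""

    def __init__(self, max_failures=5, lockout_seconds=900.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # consecutive failures per account
        self.locked_until = {}             # account -> timestamp the lock expires

    def login(self, username, password, now):
        """Return 'ok', 'denied' or 'locked'. `now` is injected so the demo never sleeps."""
        if self.locked_until.get(username, 0.0) > now:
            return "locked"  # refuse before even looking at the password
        stored = USERS.get(username)
        # Constant-time comparison so response timing does not leak how much matched.
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures[username] = 0
        return "denied"


def brute_force(gate, username, wordlist, now=0.0):
    """One account, many passwords. Returns (cracked password or None, outcome counts)."""
    counts = defaultdict(int)
    for candidate in wordlist:
        result = gate.login(username, candidate, now)
        counts[result] += 1
        if result == "ok":
            return candidate, dict(counts)
    return None, dict(counts)


def credential_stuffing(gate, combo_list, now=0.0):
    """Many accounts, one leaked password each. Returns the accounts that fell."""
    return [user for user, pw in combo_list if gate.login(user, pw, now) == "ok"]


if __name__ == "__main__":
    # Without lockout the wordlist walks straight into bob's account.
    print(brute_force(LoginGate(max_failures=10**9), "bob", WORDLIST))
    # With lockout after 3 failures the right password is never even checked.
    print(brute_force(LoginGate(max_failures=3), "bob", WORDLIST))
    # Lockout does nothing against stuffing: each account sees a single attempt.
    print(credential_stuffing(LoginGate(max_failures=3), COMBO_LIST))
```

The lockout stops the brute-force run but not the stuffing run, because stuffing never trips a per-account counter. Defending against the second attack needs per-source rate limits, multi-factor authentication, and refusing passwords that already appear in public leaks.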
“Furthermore, combined with other databases leaked on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 may contribute to a cascade of data breaches, financial frauds and identity thefts,” the research team added.
To protect yourself or your organization from an attack using this 10-billion-password archive, the researchers recommend standard mitigations: reset any password that appears in the dataset, stop reusing passwords across services, and enable multi-factor authentication wherever it is offered. They also suggest checking whether your credentials appear in the leak with the Leaked Password Checker.
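A service can apply the same idea itself by refusing any new or reset password that appears in a leak file like this one. The added example below is not code from the article or from Cybernews: it streams a leak file line by line as bytes (real compilations mix line endings and encodings), keeps only truncated digests rather than the plaintext, and screens a candidate password in both its UTF-8 and Latin-1 byte forms. The excerpt, the `BreachBlocklist` class and the helper names are constructed for the demo.

```python
import hashlib
import io

# Constructed excerpt in the shape of rockyou2024.txt: one password per line,
# mixed line endings and one Latin-1 byte that is not valid UTF-8.
LEAK_EXCERPT = (
    b"123456\n"
    b"password\r\n"
    b"qwerty\n"
    b"password123\n"
    b"Tr0ub4dor&3\n"
    b"caf\xe9\n"            # 'café' as Latin-1 bytes
    b"  spaces kept  \n"    # leading/trailing spaces are part of the password
)


def iter_leak_passwords(fileobj):
    """Stream a leak file as bytes, one password per line, without loading it all."""
    for raw in fileobj:
        line = raw.rstrip(b"\r\n")
        if line:
            yield line


class BreachBlocklist:
    """Set of truncated digests of leaked passwords; the plaintext is never retained."""

    def __init__(self, fileobj):
        self.digests = set()
        self.count = 0
        for pw in iter_leak_passwords(fileobj):
            self.digests.add(self._digest(pw))
            self.count += 1

    @staticmethod
    def _digest(password_bytes):
        # 128 bits is plenty to avoid false positives in a 10-billion-entry set.
        return hashlib.sha256(password_bytes).digest()[:16]

    def contains(self, password):
        """True if the password, in either common byte encoding, is in the leak."""
        forms = {password.encode("utf-8"), password.encode("latin-1", errors="ignore")}
        return any(self._digest(f) in self.digests for f in forms)


def check_new_password(blocklist, password, min_length=12):
    """Policy for a password-set or reset request: returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if blocklist.contains(password):
        return False, "appears in a public leak"
    return True, "ok"


if __name__ == "__main__":
    # In production open the real file: open("rockyou2024.txt", "rb")
    bl = BreachBlocklist(io.BytesIO(LEAK_EXCERPT))
    print(bl.count, "leaked passwords loaded")
    for candidate in ["password123", "café", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(repr(candidate), check_new_password(bl, candidate, min_length=8))
```

The Latin-1 fallback matters: a user typing "café" must be rejected even though the leak stored it as a single 0xE9 byte. For a file with ten billion lines the digest set will not fit in memory on most hosts; the same lookup can be served from a sorted on-disk index or a Bloom filter with the same `contains` interface.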