New Security Alert – Hacker Uploads 10 Billion Stolen Passwords to Crime Forum

The world’s largest collection of stolen passwords has been uploaded to an infamous criminal marketplace where cybercriminals trade such credentials. A hacker using the name “ObamaCare” has released a database containing nearly 10 billion unique passwords, believed to have been collected from numerous data breaches and hacks over many years. Here’s everything you need to know.

What you need to know about the RockYou2024 password database

Security researchers at Cybernews have uncovered what appears to be the largest collection of stolen and leaked credentials ever seen on the criminal underground forum BreachForums. The RockYou2024 compilation, which contains an astounding 9,948,575,739 unique passwords, all in plain text, includes an earlier credential database known as RockYou2021, which contained 8.4 billion passwords, adding approximately 1.5 billion new passwords to the mix. These cover the period from 2021 to 2024, and the latest set of credentials is estimated to contain records from a total of 4,000 huge databases of stolen credentials spanning at least two decades.

“At its core, the RockYou2024 leak is a compilation of real passwords used by individuals around the world,” the researchers said, adding, “revealing that many passwords substantially increase the risk of credential stuffing attacks for threat actors.”


RockYou2024 Brute Force Consequences

Credential stuffing attacks remain one of the most common and successful methods of gaining initial access to services and systems for criminal and state-sponsored hackers and ransomware affiliates.

Such threat actors could exploit the RockYou2024 password compilation to perform brute-force attacks and “gain unauthorized access to various online accounts used by individuals using the passwords contained in the dataset,” the research team said. This could include anything and everything from online services to internet cameras and even industrial hardware. Combined with other leaked databases on hacker forums and dark web marketplaces that contain email addresses and other credentials, the team concluded, “RockYou2024 may contribute to a cascade of data breaches, financial fraud, and identity theft.”
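Credential stuffing has a recognisable shape in authentication logs: a single source tries many different usernames in a short window, most attempts fail, and the occasional success is the account that reused a leaked password. The following is an added example, not code from the article or from Cybernews, that runs that detection logic over a few constructed log lines; the log format (`ip=`, `user=`, `result=`) and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 203.0.113.5 sprays six different accounts in four seconds and gets one hit;
# 198.51.100.7 is one user mistyping their own password, which should not be flagged.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-07-05T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-07-05T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-07-05T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2024-07-05T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2024-07-05T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2024-07-05T10:01:10Z ip=198.51.100.7 user=alice result=FAIL
2024-07-05T10:01:15Z ip=198.51.100.7 user=alice result=FAIL
2024-07-05T10:01:20Z ip=198.51.100.7 user=alice result=SUCCESS
2024-07-05T10:02:00Z ip=192.0.2.9 user=grace result=SUCCESS
"""

# Assumed line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+ip=(?P<ip>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Turn log text into (timestamp, ip, user, success) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue  # skip blank or malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    events.sort(key=lambda e: e[0])
    return events


def detect_stuffing(text, window=timedelta(minutes=5),
                    min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that, within one sliding window, attempt at least
    min_distinct_users different accounts with a high failure ratio.
    Returns {ip: stats}; 'compromised' lists accounts that logged in from that IP."""
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        recent = deque()  # events from this IP inside the current window
        for ts, _, user, ok in evs:
            recent.append((ts, user, ok))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            fails = sum(1 for _, _, success in recent if not success)
            if len(users) >= min_distinct_users and fails / len(recent) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(recent),
                    "failures": fails,
                    "compromised": sorted(u for _, u, success in recent if success),
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The distinct-user count is what separates stuffing from an ordinary brute-force or a forgetful user: one source cycling through many accounts with leaked passwords rarely retries the same account, so per-account lockout alone does not catch it. Accounts in the `compromised` list are the ones to force a password reset and MFA enrolment on.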

Security experts reveal how worried you should be and what you need to do now

“I know this may sound funny, but what’s another 1.5 billion passwords?” Daniel Card, self-proclaimed Cyber Ninja Warrior and founder of security consultancy PwnDefend, said. He’s right: once such databases reach a tipping point in terms of unique password size, it makes very little difference how many new ones are added. “When we look at how people create passwords,” Card said, “is that going to change the world? Probably not. I don’t think it changes the capabilities of threat actors in any meaningful way.”


Other security experts also agree with Card. “However complex this work is, it’s shocking and awe-inspiring at how terrible the state of identity and access management is and the lack of protection of that information,” Ian Thornton-Trump, chief information security officer of the threat intelligence agency Cyjax, said. “I think there is a point where the size of this aggregated data becomes almost unusable because of the sheer size of it.” Thornton-Trump admits that’s obviously a bad thing, but what’s really bad is the lack of multi-factor authentication that still exists in organizations around the world. “Maybe we need to look at regulation that forces MFA for any login on a software-as-a-service platform?” he concludes.

What should you do in response to this massive plaintext password credential leak? My advice is to take a hard look at yourself and your attitude towards login security. Jake Moore, Global Cyber Security Advisor at ESET, would probably agree. “There is no excuse not to use unique passwords for every single account, as data breaches unfortunately continue to occur and increase,” Moore said. “Fortunately, password managers are easier to use and implement in everyday life than ever before. Plus, they offer the hardest part of generating passwords and securely storing these complex codes,” concludes Moore.

Meanwhile, don’t panic too much about RockYou2024. Go about your business, but take the utmost care in generating, storing and using passwords. Get a password manager up and running (1Password and Proton Pass are solid choices, and Apple will introduce a general password manager app with the upcoming iOS 18 update). Oh, and start employing MFA wherever you can. You can check if any of your passwords are included in this latest database of RockYou stolen credentials using the Cybernews exposed password checker.
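Checkers such as the one mentioned above, and the breached-password screening that registration forms can apply server-side, generally work by hashing the candidate password and comparing it against a list of hashes of leaked passwords rather than handling the plaintext. The example below is added here and is not the Cybernews tool or any other project's code; it builds a small index from a constructed stand-in leak list, lays it out as 5-hex-character SHA-1 prefix buckets (the k-anonymity range-lookup shape, in which a client discloses only the prefix and matches the suffix locally), and uses it in a registration policy check. The minimum-length value and the function names are assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach compilation; a real list would have billions of entries.
CONSTRUCTED_LEAK = ["123456", "password", "qwerty", "rockyou", "letmein", "iloveyou", "password"]


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the usual key format for breach lists."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords):
    """Map a 5-hex-char hash prefix to {suffix: times_seen}.
    Bucketing by prefix is what lets a lookup service answer without learning
    the full hash, let alone the password."""
    index = defaultdict(dict)
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def range_lookup(index, prefix):
    """'Server' side: return every suffix under the prefix; it never sees which one matters."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(index, password):
    """'Client' side: hash locally, send only the 5-char prefix, match the suffix locally.
    Returns how many times the password appeared in the leak (0 if never)."""
    digest = sha1_hex(password)
    return range_lookup(index, digest[:5]).get(digest[5:], 0)


def password_acceptable(index, password, min_length=12):
    """Registration policy: reject anything on the breach list, then anything too short.
    Returns (accepted, reason)."""
    if breach_count(index, password) > 0:
        return False, "found in breach list"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    idx = build_prefix_index(CONSTRUCTED_LEAK)
    for candidate in ["password", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(candidate, breach_count(idx, candidate), password_acceptable(idx, candidate))
```

Screening new and changed passwords against known-breached lists in this way is what guidance such as NIST SP 800-63B recommends in place of arbitrary complexity rules; the prefix-only lookup matters because the checker itself must never become another place where plaintext passwords are collected.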
