Change your password TODAY! 10 billion logins leaked to the internet


One of the largest databases of leaked passwords ever has appeared online, security researchers have warned. A massive trove of stolen credentials — with approximately 9,948,575,739 unique passwords stored in plain text — was posted on a forum popular with hackers late last week.


The file, called RockYou2024.txt, is full of stolen passwords that could set off “a cascade of data breaches, financial fraud and identity theft,” according to experts at CyberNews, who first uncovered the database shared by a forum user known only as ObamaCare.

The database appears to be a mix of old and new data leaks.

“At its core, the RockYou2024 leak is a compilation of real-world passwords used by individuals around the world. Revealing that many passwords to threat actors substantially increases the risk of credential stuffing attacks,” the researchers said.

Credential stuffing is a popular form of attack where hackers use stolen credentials from one site to try to log in to another. If you reuse the same username and password for multiple services, websites and apps, you will be vulnerable to this type of cyber attack.

The recent spate of attacks against Santander, Ticketmaster and QuoteWizard is widely believed to be a direct result of credential stuffing attacks against customers of popular cloud service provider Snowflake.

And now the team at CyberNews believes the same could happen with the latest database, warning: “Threat actors could exploit the RockYou2024 password compilation to perform brute-force attacks and gain unauthorized access to various online accounts used by individuals who use the passwords contained in the database.”

[Image caption: The database of stolen passwords was shared on a popular hacking forum by someone with the username ObamaCare. Experts verified that the text file contained millions of passwords, based on a data file originally released on the same forum three years ago. Credit: CyberNews press office]

RockYou2024.txt builds on an earlier leak, RockYou2021.txt, which was shared by hackers online three years ago.

At the time, this text file, full of stolen usernames, email addresses and corresponding passwords, was the largest stolen data set of all time, a record that has since been broken by a leak that researchers are calling the “mother of all breaches”. About 1.5 billion passwords have been added to the database since RockYou2021.txt was released, putting millions more at risk of attack.

There is no easy fix for anyone whose passwords are included in the RockYou2024.txt database.

However, the CyberNews team shared some advice for those looking to protect themselves against credential stuffing or other types of post-breach attacks:

  • Immediately reset passwords for all accounts that rely on a password contained in the database
  • Create a unique alphanumeric password for each online account
  • Enable multi-factor authentication, such as a one-time code sent to your phone number, to protect your accounts
  • Use a password manager to store and manage complex passwords
  • Use tools like haveibeenpwned.com/ to check whether your data has been breached
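
A leaked-password lookup of the kind haveibeenpwned.com offers through its Pwned Passwords range search can be done without sending the password itself: only the first five hex characters of its SHA-1 hash leave your machine, and the match is made locally. This is an added example, not code from the article or from CyberNews; the server side is simulated offline by `serve_range` over a constructed three-entry list, and all function names are assumptions.

```python
import hashlib

# Constructed stand-in for a leaked-password corpus: password -> times seen.
LEAKED = {"Password": 9000, "qwerty12345": 1200, "admin": 5000}


def sha1_upper(password):
    """Uppercase hex SHA-1, used here for the lookup only, never for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix, suffix): only the 5-character prefix is ever sent."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def serve_range(prefix):
    """Simulated server: known suffixes under this prefix as 'SUFFIX:COUNT' lines."""
    lines = []
    for pw, count in LEAKED.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def parse_range(body):
    """Parse a range response, skipping malformed lines instead of trusting them."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def times_seen(password, fetch=serve_range):
    """How often the password appears in the corpus; 0 means not found."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("admin", "qwerty12345", "c0rrect-h0rse-9!battery"):
        print(candidate, "seen", times_seen(candidate), "times")
```

To query a real service, pass a `fetch` callable that requests the range for the given prefix and returns the response text; the parsing and local comparison stay the same.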

The dizzying database of leaked passwords comes a few days after new research from Kaspersky proved that millions of popular passwords can be cracked in less than a minute, thanks to improvements in computer hardware and smarter algorithms equipped with artificial intelligence to crack online accounts.

According to Kaspersky, hackers attempted to crack passwords 32 million times last year alone. This number is likely to increase as it becomes easier and easier to crack passwords using the latest algorithms and hardware.

Kaspersky researchers used a combination of the latest algorithms and an Nvidia RTX 4090, a £1,549 GPU, to try to crack a database of 193 million passwords discovered on the dark web. All stored passwords were hashed and salted – meaning the researchers still had to guess them correctly to get in.

If your password is 8 characters or less, it can be cracked in just 17 seconds, researchers have found. Most of these passwords were either lowercase or uppercase English letters with a few numbers, showing the importance of using special characters such as symbols to make the password harder to crack.

A total of 45% of all passwords analyzed from the database – 87 million – could be guessed within a minute.

Most of the passwords examined by the researchers contained at least one word from the dictionary, which significantly reduces the strength of the password and makes it more susceptible to brute force-style attacks.

As researchers cracked millions of passwords, certain patterns began to emerge. To create a strong, unique password to protect your account, avoid some of these popular patterns:

Popular words

  • forever
  • love
  • Google
  • hacker
  • player

Common names

  • daniel
  • Kevin
  • ahmed
  • Nguyen
  • Kumar

Standard passwords

  • Password
  • qwerty12345
  • admin
  • 12345
  • team

[Image: table showing the different times required to crack passwords using the methods used by Kaspersky researchers. Caption: Kaspersky analyzed millions of hashed and salted passwords shared by hackers on the dark web to see how long it would take to crack accounts. Credit: Kaspersky]

To achieve these results, Kaspersky used a brute-force algorithm, a technique very popular among hackers. It tries all possible combinations of passwords by going through a list of words from the dictionary, as well as different types of characters, numbers and more.

The researchers tried to improve upon the initial results by programming the algorithm to consider popular character combinations, common names and sequences.

Hackers have also developed clever algorithms that try replacing characters like ‘a’ with ‘@’ or ‘e’ with ‘3’ – so don’t rely on that trick to make your account more secure when creating your password.
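
The defensive counterpart of that substitution trick, as an added example (not code from the article or from Kaspersky): a password-policy check that undoes common character swaps before looking for the article's listed words, and also flags simple sequences. The function names, the swaps beyond '@' and '3', and the four-character sequence threshold are assumptions.

```python
# Word lists taken from the article's examples, lower-cased.
CATEGORIES = {
    "popular word": {"forever", "love", "google", "hacker", "player"},
    "common name": {"daniel", "kevin", "ahmed", "nguyen", "kumar"},
    "standard password": {"password", "qwerty12345", "admin", "12345", "team"},
}

# '@'->'a' and '3'->'e' are the swaps the article names; the rest are
# assumed additions of the same kind.
UNDO_SWAPS = str.maketrans({"@": "a", "3": "e", "0": "o", "1": "l", "$": "s", "!": "i"})


def longest_run(text):
    """Longest run of characters stepping by +1 or -1, e.g. 'abcd' or '4321'."""
    best = run = text[:1]
    step = 0
    for prev, cur in zip(text, text[1:]):
        d = ord(cur) - ord(prev)
        if d in (1, -1) and prev.isalnum() and cur.isalnum():
            run = run + cur if d == step else prev + cur
            step = d
        else:
            run, step = cur, 0
        best = max(best, run, key=len)
    return best


def find_patterns(password, min_run=4):
    """Return a sorted list of (category, match) pairs found in the password."""
    lowered = password.lower()
    # Check the raw form too: undoing swaps would hide digit entries like "12345".
    forms = {lowered, lowered.translate(UNDO_SWAPS)}
    hits = {
        (category, word)
        for form in forms
        for category, words in CATEGORIES.items()
        for word in words
        if word in form
    }
    run = longest_run(lowered)
    if len(run) >= min_run:
        hits.add(("sequence", run))
    return sorted(hits)


if __name__ == "__main__":
    for sample in ("P@ssw0rd!", "K3vin12345", "v9#Tq2!mZr8&Lx"):  # constructed samples
        print(sample, "->", find_patterns(sample) or "no listed pattern")
```

An empty result only means none of these few patterns matched; it is not a strength rating.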

Using the most efficient brute-force algorithm, the researchers were able to crack 59% of 193 million passwords within an hour and nearly three-quarters of all passwords (73%) within a month.

Only 23% of passwords from the Dark Web database would take more than a year to crack.

Discussing their findings, Kaspersky security experts noted: “People unknowingly create ‘human’ passwords – containing dictionary words in their native languages, including names, numbers, etc. – things that our busy brains can easily recall.

“Even seemingly strong combinations are rarely completely random, so they can be guessed by algorithms. Because of this, the most reliable solution is to generate a completely random password using modern and reliable password managers.”

Passkeys are an increasingly common solution for protecting your accounts without relying on a long alphanumeric password that cannot be remembered. This smart solution uses the security feature built into your smartphone—like Face ID on the iPhone, fingerprint scanners on the Samsung Galaxy, and more—to verify your identity when you log into a website or app.

Support for these password replacements is slowly being adopted by the largest online services and applications, with Elon Musk enabling support on X for iPhone owners earlier this year and WhatsApp also accepting passkeys so users don’t have to rely on guessable passwords.

Another popular solution is password managers.

These stand-alone apps generate unique passwords without any discernible pattern—and a healthy mix of uppercase and lowercase letters, symbols, numbers, and more. It would be impossible to remember these long, unique mixes of characters each time you sign in, so password managers encrypt and store them all for you, and fill in the fields in apps and on websites for you.

You’ll only need to remember one password: the one that unlocks the password manager.

[Image: screenshot of the password manager listing account credentials. Caption: Password managers like 1Password (pictured) can manage lengthy, unique alphanumeric passwords for each online account and monitor the dark web for breaches and hacks. Credit: 1Password press office]

Many of these apps also rely on biometrics like fingerprints and face scans to lock everything down.

Apple includes a password manager — known as iCloud Keychain — as part of the operating system that ships with every iPhone, iPad and Mac, while California rival Google has baked a similar system into Chrome. However, the iPhone manufacturer has big plans to overhaul this system into a real competitor to the likes of 1Password, NordPass and LastPass in the coming months as part of another free upgrade.

THE LATEST DEVELOPMENT

In recent months we have seen security researchers uncover the so-called ‘mother of all breaches’, with billions of stolen usernames and passwords for popular sites like LinkedIn, X (formerly Twitter), Telegram and Dropbox. Not only that, but hackers used credential stuffing to breach half a million Roku accounts and spend money using stored payment information.

Whatever you do, make sure you do not use any of the passwords in this list published by Nord.
