Nearly 10 billion passwords were leaked in the biggest compilation ever

The world’s largest compilation of passwords to be leaked online has been discovered by the Cybernews research team, containing 9,948,575,739 unique entries in plaintext. The credentials were discovered in a file named “rockyou2024.txt” that was posted on a popular hacking forum on July 4, 2024.

Many of the so-called RockYou2024 passwords have already been leaked in previous data breaches. This isn’t the first RockYou data dump either, as the name has been linked to a number of large-scale password breaches since 2009.

The user who posted RockYou2024, under the username “ObamaCare,” has been responsible for several data dumps since creating the account in May 2024. These included a database of employees at the law firm Simmons & Simmons, data on the head of online casino AskGamblers, and a student’s application to Rowan College in Burlington County, New Jersey.

RockYou is a defunct social app site, and in 2009 more than 32 million of its users’ account details were exposed after a hacker got hold of the plaintext file in which they were stored. Another text file named “rockyou2021.txt” was released in June 2021. This 100GB file contained 8.4 billion passwords, making it the largest password dump ever at the time.

How this password leak increases the risk of credential stuffing attacks

The Cybernews team believes that RockYou2024 has all the passwords from RockYou2021 plus an additional 1.5 billion new passwords. In total, the file contains information from more than 4,000 databases.

“At its core, the RockYou2024 leak is a compilation of real-world passwords used by individuals around the world,” the researchers said. “Discovering that many passwords for threat actors substantially increases the risk of credential stuffing attacks.”

Credential stuffing attacks, in which attackers use automated tools to try stolen username/password pairs against many different sites in the hope that the credentials have been reused, are fairly common.


In June 2024, a threat actor managed to gain access to the Snowflake cloud data platform through a successful credential stuffing attack and was able to extract data from 165 of its customers.

In November 2023, hackers were able to steal the personal and genetic information of 6.9 million people from 23andMe after using stolen account sessions and legitimate credentials. The company blamed its users for the breach, saying they “negligently recycled” their data in a letter obtained by TechCrunch.

RockYou2024 could offer threat actors a new source of passwords to try credential stuffing attacks to gain unauthorized access to individuals’ online accounts. These accounts can be for online and offline services, IoT cameras and industrial hardware.

“Combined with other leaked databases on hacking forums and marketplaces, which for example contain user email addresses and other login information, RockYou2024 can contribute to a cascade of data breaches, financial fraud and identity theft,” the Cybernews team said.

Advice for mitigating the risk of credential stuffing attacks

Jake Moore, global cybersecurity advisor at security firm ESET, told TechRepublic, “User credentials are constantly being captured in data breaches and ultimately collected and stored in large databases on the dark web.

“That’s why there’s no excuse these days not to use a unique password for every account – especially as data breaches continue to increase. Criminals can misuse known credentials on multiple accounts, and many people using the same password on different sites are at risk of being exposed.

“Fortunately, passwords and password managers are now easier to use and integrate into everyday life. They handle the difficult task of generating and securely storing complex passwords and other codes so that we don’t have to remember them. Plus, this combined with multi-factor authentication for all accounts increases security and helps better protect people’s accounts.”


Tips for anyone affected by the RockYou2024 breach

Cybernews researchers have issued a number of recommendations for individuals and organizations affected by the RockYou2024 breach. These are:

  1. Immediately reset any passwords that appeared in the data breach. Ideally, new passwords should be strong and unique to their account.
  2. Enable multi-factor authentication.
  3. Use password management software that generates and stores complex passwords that are unique to each account.
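The first recommendation presupposes a way to find out whether a password appears in a leak without handing the password itself to whoever holds the leaked list. The standard answer is a range query over hash prefixes: the client hashes the password, sends only the first five hex characters of the SHA-1 digest, receives every leaked hash suffix sharing that prefix, and compares locally. This is the design of Have I Been Pwned’s Pwned Passwords API; the code below is an added example written for this article that models both sides of that exchange in one process, not code from Cybernews, TechRepublic or HIBP. The small “leak” list is constructed for illustration and is not the contents of rockyou2024.txt.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked password compilation (NOT the real rockyou2024.txt contents).
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "Summer2024!"]

PREFIX_LEN = 5  # hex characters of SHA-1 sent to the server; 16^5 = ~1M buckets


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used by the range-query scheme."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side: leaked hashes bucketed by prefix. It never learns which hash a client holds."""

    def __init__(self, passwords):
        self.buckets = defaultdict(dict)
        for pw in passwords:
            h = sha1_hex(pw)
            prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
            self.buckets[prefix][suffix] = self.buckets[prefix].get(suffix, 0) + 1

    def range_query(self, prefix: str):
        """Return [(suffix, count), ...] for every leaked hash starting with `prefix`."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("client must send exactly the hash prefix")
        return sorted(self.buckets.get(prefix, {}).items())


def client_request(password: str):
    """Client side, step 1: split the hash; only `prefix` leaves the device."""
    h = sha1_hex(password)
    return h[:PREFIX_LEN], h[PREFIX_LEN:]


def password_seen_in_leak(index: BreachIndex, password: str) -> int:
    """Client side, step 2: query by prefix, match the suffix locally. Returns the leak count (0 = not seen)."""
    prefix, suffix = client_request(password)
    for leaked_suffix, count in index.range_query(prefix):
        if leaked_suffix == suffix:
            return count
    return 0


def passwords_needing_reset(index: BreachIndex, candidates):
    """Apply recommendation 1 to a list of passwords a user currently relies on."""
    return [pw for pw in candidates if password_seen_in_leak(index, pw) > 0]


if __name__ == "__main__":
    idx = BreachIndex(LEAKED_PASSWORDS)
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", "leaked" if password_seen_in_leak(idx, pw) else "not in leak")
```

The privacy property is that the server sees only a five-character prefix shared by a large bucket of unrelated hashes, so it cannot tell which password the client checked; the trade-off is that a password absent from the list is not thereby safe, only not yet known to be leaked. Against a real compilation the index would hold billions of entries and live on the server side of an HTTPS call rather than in memory, but the exchange is the same.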
