The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords.
The king is dead. Long live the king. Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.
While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County.
The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews’ Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers said.
Password leak checker
Has your password been leaked online? Find out with our password leak checker tool in seconds and take action to protect your data today.Check if your password has been leaked
Credential stuffing attacks can be severely damaging for users and businesses. For example, a recent wave of attacks targeting Santander, Ticketmaster, Advance Auto Parts, QuoteWizard, and others was a direct result of credential stuffing attacks against the victims’ cloud service provider, Snowflake.
“Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the team explained.
Not the first rodeo
The RockYou2024 compilation did not just fall from the sky. Three years ago, Cybernews published a story about the RockYou2021 password compilation, the largest at the time, with 8.4 billion plain text passwords.
According to the team’s analysis of RockYou2024, attackers developed the dataset by scouring the internet for data leaks, adding another 1.5 billion passwords from 2021 through to 2024 and increasing the dataset by 15 percent.
The RockYou2021 compilation, an expansion of a data breach from 2009, included tens of millions of user passwords for social media accounts. Since then, however, the compilation has ballooned exponentially. Most likely, the latest RockYou iteration contains information collected from over 4,000 databases over more than two decades.
The Cybernews team believes that attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware.
“Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” the team said.
How to protect against RockYou2024?
While there is no silver bullet to protect users who had their passwords exposed, impacted individuals and organizations should take up mitigation strategies. The Cybernews research team advises to:
- Immediately reset the passwords for all accounts associated with the leaked passwords. It is strongly recommended to select strong, unique passwords that are not reused across multiple platforms
- Enable multi-factor authentication (MFA) wherever possible. This enhances security by requiring additional verification beyond a password
- Utilize password manager software to securely generate and store complex passwords. Password managers mitigate the risk of password reuse across different accounts
Cybernews will include data from RockYou2024 in the Leaked Password Checker, allowing anyone to check if their credentials were exposed via the latest record-holding exposed password compilation.
With RockYou2024, we witnessed a second record-breaking compilation leaked online in 2024. Earlier this year, Cybernews discovered the Mother of all breaches (MOAB), comprising an astounding 12 terabytes of information, spanning over a mind-boggling 26 billion records.