Published on: July 12, 2024
A hacker has exposed nearly 10 billion passwords in what is being called the largest leak of its kind.
The user “ObamaCare” shared a file containing 9,948,575,739 unique plaintext passwords to a popular hacking forum. The massive data file, named “rockyou2024.txt” was posted on the hacking site on July 4.
However, the 10 billion passwords aren’t all new. Many of the RockYou2024 passwords have already been leaked in previous data breaches.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers at Cybernews said.
Credential stuffing is a type of cyber attack where attackers use automated tools to try large numbers of username and password combinations, typically obtained from previous data breaches, to gain unauthorized access to user accounts. This attack exploits the fact that many people reuse the same passwords across multiple sites, allowing hackers to use the stolen credentials to break into various accounts.
According to their analysis, 1.5 billion of the 10 billion passwords included in the file are new passwords leaked between 2021 and 2024.
“The big moral of the story is this needs to be a wake up call that no matter what a great job you do keeping yourself safe, someone’s going to lose your user name and password,” said Scott Augenbaum, a retired FBI agent and cybercrime prevention trainer.
This isn’t the first RockYou data dump; the name has been linked to several large-scale password leaks since 2009.
The RockYou2024 password compilation is a result of extensive efforts by attackers over several years. For example,last month, a text file named “rockyou2021.txt” was posted online. This 100GB file contained 8.4 billion passwords, making it the largest password dump ever at that time.
Since then, attackers have been actively scouring the internet for new data leaks, and managed to increase the dataset by 15 percent, demonstrating a continued effort to aggregate massive amounts of password data from various sources.
The user behind RockYou2024 has been responsible for multiple data dumps since creating their account in May. They have previously shared an employee database from the law firm Simmons & Simmons, a lead database from the online casino AskGamblers, and student applications for Rowan College at Burlington County in New Jersey.
