New Security Alert – Hacker Uploads 10 Billion Stolen Passwords to Crime Forum

The world’s largest collection of stolen passwords has been uploaded to a notorious crime marketplace where cybercriminals trade such credentials. A hacker using the name ‘ObamaCare’ has posted a database containing almost 10 billion unique passwords believed to have been collected from numerous data breaches and hacks over many years. Here is everything you need to know.

What you need to know about the RockYou2024 password database

Security researchers from Cybernews have discovered what appears to be the largest collection of stolen and leaked credentials ever found on the underground criminal forum BreachForums. Containing 9,948,575,739 unique passwords, all in plain text format, the RockYou2024 compilation includes an earlier credential database known as RockYou 2021, which contained 8.4 billion passwords, adding about 1.5 billion new passwords to the mix. These cover the period from 2021 to 2024, and it is estimated that the latest credentials file contains entries from a total of 4,000 large databases of stolen credentials spanning at least two decades.

“Essentially, the RockYou2024 leak is a compilation of real-world passwords used by individuals around the world,” the researchers said, adding, “revealing that many passwords to threat actors significantly increases the risk of credential stuffing attacks.”


Brute Force Implications of RockYou2024

Credential stuffing attacks remain one of the most common and successful methods of gaining initial access to services and systems for criminal and state-sponsored hackers and ransomware affiliates.

Such threat actors can exploit RockYou2024’s password compilation in order to perform brute-force attacks and “gain unauthorized access to various online accounts used by individuals using passwords included in the dataset,” said the research team. This can include anything and everything from web services to web facing cameras and even industrial equipment. Combined with other databases discovered on hacker forums and dark web markets, containing email addresses and other credentials, the team concluded, “RockYou2024 could contribute to a cascade of data breaches, financial fraud and identity theft”.
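The credential stuffing pattern described above has a recognisable shape in authentication logs: one source address tries many different usernames in a short window, most of them failing, because each account gets one or two passwords from a leaked list. The following detection heuristic is an added example written for this page, not code from Cybernews or from the article's author; the log format, the field names and the threshold values are assumptions, and the log lines are constructed.

```python
"""Flag credential-stuffing patterns in authentication logs (added example).

Heuristic: a single source IP that attempts logins against many distinct
usernames within a short window, with a high failure ratio, looks like
credential stuffing (one leaked password tried per account). A user
mistyping their own password a few times does not match, because the
distinct-user count stays at one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; hypothetical format "<timestamp> <ip> <user> <result>".
SAMPLE_LOG = """\
2024-07-04T10:00:01 203.0.113.7 alice FAIL
2024-07-04T10:00:02 203.0.113.7 bob FAIL
2024-07-04T10:00:02 203.0.113.7 carol FAIL
2024-07-04T10:00:03 203.0.113.7 dave FAIL
2024-07-04T10:00:03 203.0.113.7 erin OK
2024-07-04T10:00:04 203.0.113.7 frank FAIL
2024-07-04T10:00:05 203.0.113.7 grace FAIL
2024-07-04T10:05:00 198.51.100.2 alice FAIL
2024-07-04T10:05:10 198.51.100.2 alice FAIL
2024-07-04T10:05:20 198.51.100.2 alice OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, failure_ratio)} for source IPs that,
    within any window, hit at least `min_users` distinct accounts with a
    failure ratio of at least `min_fail_ratio` (thresholds are assumptions)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            events[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide a window starting at each event; stop at the first match.
        for start, _, _ in evs:
            in_window = [e for e in evs if start <= e[0] <= start + window]
            users = {u for _, u, _ in in_window}
            fails = sum(1 for _, _, r in in_window if r != "OK")
            ratio = fails / len(in_window)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), round(ratio, 2))
                break
    return flagged


if __name__ == "__main__":
    for ip, (users, ratio) in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} distinct users, failure ratio {ratio}")
```

On the constructed sample, 203.0.113.7 is flagged (seven accounts, six failures) while 198.51.100.2 is not, since it only ever tries one account. The single successful login inside the flagged burst is the event worth investigating: it is the account whose leaked password still works.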

Security experts reveal how worried you should be and what you should do now

“I know this may sound ridiculous, but what are 1.5 billion extra passwords?” Daniel Card, a self-proclaimed Cyber Ninja Warrior and founder of security consultancy PwnDefend, said. He has a point: once such databases reach a tipping point with respect to unique password size, it makes little difference how many new ones are added. “When we look at how people create passwords,” Card said, “is that going to change the world? Certainly not. I don’t think it changes the ability of threat actors in any meaningful way.”


Other security experts agree with Card on this. “As far as this composite work is concerned, it’s a shocking and appalling moment when it comes to how terrible the state of identity and access management controls is, and the lack of protection of that information,” Ian Thornton-Trump, chief information security officer at threat intelligence agency Cyjax, said. “I think there comes a point where the size of this aggregated data becomes almost useless because of its sheer size.” Thornton-Trump admits it’s a bad thing, of course, but what’s really bad is the lack of multi-factor authentication that still exists in organizations across the globe. “Perhaps we should look at regulation that mandates MFA for any login to a software-as-a-service platform?” he concludes.

What should you do in response to this massive leak of plaintext password credentials? My advice is to take a hard look at yourself and your approach to login security. Jake Moore, global cybersecurity advisor for security vendor ESET, seems to agree. “There really is no excuse not to use unique passwords for every single account as data breaches unfortunately continue to happen and grow,” said Moore. “Fortunately, password managers are easier than ever to use and implement in everyday life. Plus, they provide the hard part of generating passwords and securely storing these complex codes,” Moore concludes.

In the meantime, don’t panic too much about RockYou2024. Go about your business taking as much care as possible about generating, storing, and using passwords. Set up a password manager (1Password and Proton Pass are solid choices), and Apple will introduce a generic password manager app with the upcoming iOS 18 update. Oh, and start using MFA wherever you can. Using Cybernews’ Exposed Password Checker, you can check whether any of your passwords were included in this latest database of stolen RockYou credentials.
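A checker like the one mentioned above should never receive your password in plaintext, and it should not need the plaintext leak on disk either. The following is an added example, not Cybernews’ checker or any code from the article: it stores a constructed sample leak as SHA-1 hashes and looks a password up by sending only the first five hex characters of its hash (the k-anonymity range scheme used by the Have I Been Pwned service), so the lookup side learns a bucket of hashes, not the password. The range endpoint is simulated locally; the function and variable names are assumptions.

```python
"""Check a password against a hashed leak compilation without exposing it
(added example; the sample leak, index layout and names are constructed)."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a leak compilation. It exists only to build the
# hashed index below; a real deployment stores hashes, never this list.
_SAMPLE_LEAK = ["123456", "password", "rockyou", "qwerty", "letmein"]


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the representation the range scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_hashed_index(plaintext_passwords):
    """Map each 5-char hash prefix to the set of 35-char suffixes under it."""
    index = defaultdict(set)
    for pw in plaintext_passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


LEAK_INDEX = build_hashed_index(_SAMPLE_LEAK)


def range_lookup(prefix):
    """Simulated range endpoint: everything the server would learn is `prefix`.
    It returns all suffixes in that bucket; the client does the matching."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly a 5-character hash prefix")
    return LEAK_INDEX.get(prefix, set())


def is_exposed(password):
    """True if the password's full hash appears in the compilation."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    # Only `prefix` leaves the client; the suffix comparison stays local.
    return suffix in range_lookup(prefix)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", "exposed" if is_exposed(candidate) else "not found")
```

The same structure is what a password manager's breach check does behind the scenes: it can tell you a password is in RockYou2024 without the leak, or your password, ever being shared in full.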
