‘Largest password leak ever’ exposes 10 billion credentials

tl;dr

  • Researchers found 9.9 billion passwords in the leaked rockyou2024.txt file on a hacking forum.
  • The file includes old and new data, posing significant risks for credential stuffing attacks.
  • Users should reset shared passwords, enable 2FA, and use a password manager for security.

The “largest password compilation” with approximately 10 billion unique passwords has been leaked on a popular hacking forum, presenting significant risks for users who reuse passwords.

Researchers at Cybernews uncovered a file named rockyou2024.txt, containing 9,948,575,739 unique plaintext passwords. This file was posted by a forum user known as ObamaCare, who only recently joined the forum but has been active in sharing data from various breaches.

Researchers describe the file as a mixture of data from old and new breaches and point out that it does not represent a single new breach involving 10 billion passwords. They explained that the RockYou2024 leak includes passwords that are commonly used by people worldwide, which significantly increases the risk of credential stuffing attacks, in which attackers use stolen passwords to attempt access to unrelated services.

For example, someone might use a password obtained from the Frontier Communications breach to see if you use the same password for your bank account.

The researchers elaborated on potential threats, stating, “Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts.”

RockYou2021 data breach

They also showed that this compilation is an evolved form of a previous leak named RockYou2021, which had 8.4 billion passwords and originated from a 2009 data breach but had expanded significantly by 2021.

The team assessed that attackers likely built the RockYou2024 dataset by collecting additional passwords from subsequent leaks, increasing the total by 15 per cent over three years. This compilation now includes data possibly accumulated from over 4,000 databases spanning more than two decades.

The team also warned that the extensive RockYou2024 compilation could be used to target any system vulnerable to brute-force attacks, ranging from online services to industrial hardware.

They also noted the compounding threat posed when this data is combined with other leaked information, such as user email addresses from other databases, which can lead to widespread financial fraud and identity theft.

What should users do?

Data security isn’t always within our control, especially in the face of constant data breaches. It’s important for users to take proactive steps and remain vigilant to prevent cybercriminal attacks.

Here are a few measures users can implement:

  • Reset passwords for any accounts sharing the same credentials (email and password)
  • Enable two-factor authentication (2FA) and multi-factor authentication (MFA) on all accounts to introduce an additional layer of security
  • Use a password manager to create and manage secure, complex, and unique passwords for different accounts effortlessly.

Featured image: Canva

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech, gambling and blockchain industries for major developments, new product and brand launches, AI breakthroughs, game releases and other newsworthy events. Editors assign relevant stories to in-house staff writers with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.

Suswati Basu
Tech journalist

Suswati Basu is a multilingual, award-winning editor and the founder of the intersectional literature channel, How To Be Books. She was shortlisted for the Guardian Mary Stott Prize and longlisted for the Guardian International Development Journalism Award. With 18 years of experience in the media industry, Suswati has held significant roles such as head of audience and deputy editor for NationalWorld news, digital editor for Channel 4 News and ITV News. She has also contributed to the Guardian and received training at the BBC. As an audience, trends, and SEO specialist, she has participated in panel events alongside Google. Her…
