image

The biggest password leak ever: nearly 10 billion credentials exposed

Cybersecurity researchers are calling it the largest password compilation leak of all time.

On July 4, a newly registered user on a popular hacking forum posted a file containing nearly 10 billion compromised passwords in plaintext. The post was first noticed by researchers at Cybernews.

RockYou2024 leaked password compilation

This gigantic list of leaked passwords known as RockYou2024 provides hackers with an important tool that can be utilized in a brute force attack. 

A brute force attack is a popular hacking method where the attacker guesses a user's password by trial-and-error. Hackers commonly use automated scripts when carrying out a brute force attack, which enables them to try out a slew of passwords within a short period of time. With a leaked password database this big, hackers have a nearly unlimited pool of passwords to try out. 

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world," writes Cybernews' researchers. "Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks."

As Cybernews researchers point out, this list may very well be the largest password leak ever, beating the previous record holder known as RockYou2021, which had around 8.4 billion passwords.

In fact, the hacker forum user "ObamaCare" claims they used that older list and updated it with newer password leak data from over the past three years. As a result, 1.5 billion more passwords have been added to the previous compilation to create RockYou2024.

"I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years," wrote the hacker forum user while adding that they also included recent compromised passwords that they recently obtained themself.

The RockYou2024 leaked password list is new, so at the time of this writing, it's unclear if any private data has been compromised as a direct result of this compilation.

Anyone signed up to any service online should assume that a password that they use is on this list. Cybersecurity researchers recommend that users update their passwords and enable multi-factor authentication wherever possible.