New Security Alert: Hacker Uploads 10 Billion Stolen Passwords to Crime Forum


The world’s largest collection of stolen passwords has been uploaded to an infamous criminal marketplace where cybercriminals sell these credentials. A hacker using the name “ObamaCare” has released a database containing nearly 10 billion unique passwords that were allegedly collected from numerous data breaches and hacks over many years. Here’s everything you need to know.

What You Need to Know About the RockYou2024 Password Database

Cybernews security researchers have discovered what appears to be the largest compilation of stolen and leaked credentials ever seen, posted to the underground criminal forum BreachForums. Containing an astonishing 9,948,575,739 unique passwords, all in plain text, the RockYou2024 compilation builds on an earlier database known as RockYou2021, which held 8.4 billion passwords, and adds an estimated 1.5 billion new entries collected between 2021 and 2024. The researchers estimate that the file draws on some 4,000 separate databases of stolen credentials spanning at least two decades.

“At its core, the RockYou2024 leak is a compilation of real-world passwords used by individuals around the world,” the researchers said, adding, “revealing multiple passwords to threat actors significantly increases the risk of credential stuffing attacks.”


The brute-force implications of RockYou2024

Credential theft remains one of the most common and effective ways for criminals, state-sponsored hackers and ransomware affiliates to gain initial access to services and systems.

Attackers could use the RockYou2024 collection to drive brute-force and credential-stuffing attacks and “gain unauthorized access to various online accounts used by individuals using passwords included in the dataset,” the research team said. Targets could range from online services to internet-connected cameras and even industrial hardware. The file contains passwords only, so its real value to an attacker comes from pairing it with other databases leaked on hacker forums and dark web marketplaces that contain email addresses and other identifying information; with that combination, the team concluded, “RockYou2024 could contribute to a cascade of data breaches, financial fraud, and identity theft.”
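The defensive counterpart to the attack described above is spotting it in your own authentication logs. Credential stuffing has a distinctive shape: one source tries a known password against many different accounts, so you see many distinct usernames from a single IP with a high failure rate and the occasional success, rather than many failures against one account (classic brute force). The following detector is an added example written for this article, not code from Cybernews or Forbes; the log format, field names and thresholds are constructed assumptions that you would adapt to your own identity provider's logs.

```python
"""Spot credential-stuffing patterns in authentication logs.

Added example, not from the article. The 'ts login user= ip= result=' line
layout is a hypothetical, constructed format; adapt parse_line() to your IdP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). One source IP (203.0.113.7)
# walks a leaked password across many accounts; a legitimate user on
# 198.51.100.4 mistypes twice and then logs in.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z login user=alice ip=203.0.113.7 result=FAIL
2024-07-05T10:00:02Z login user=bob ip=203.0.113.7 result=FAIL
2024-07-05T10:00:02Z login user=carol ip=203.0.113.7 result=FAIL
2024-07-05T10:00:03Z login user=dave ip=203.0.113.7 result=SUCCESS
2024-07-05T10:00:04Z login user=erin ip=203.0.113.7 result=FAIL
2024-07-05T10:00:05Z login user=frank ip=203.0.113.7 result=FAIL
2024-07-05T10:01:10Z login user=alice ip=198.51.100.4 result=FAIL
2024-07-05T10:01:20Z login user=alice ip=198.51.100.4 result=FAIL
2024-07-05T10:01:30Z login user=alice ip=198.51.100.4 result=SUCCESS
"""

WINDOW = timedelta(minutes=5)   # assumed tuning values, not from the article
MIN_DISTINCT_USERS = 5          # many *different* accounts from one IP ...
MIN_FAILURES = 4                # ... most of them failing


def parse_line(line):
    """Parse one constructed log line into (timestamp, user, ip, result)."""
    ts_str, _, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["ip"], kv["result"]


def detect_stuffing(log_text, window=WINDOW,
                    min_users=MIN_DISTINCT_USERS, min_failures=MIN_FAILURES):
    """Return {ip: summary} for source IPs that, within any `window`, hit at
    least `min_users` distinct accounts with at least `min_failures` failures.
    The summary also lists accounts that succeeded inside that window, which
    are the ones to force a password reset on."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, ip, result = parse_line(line)
            by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        # Sliding window over the IP's events, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            failures = sum(1 for _, _, r in span if r == "FAIL")
            if len(users) >= min_users and failures >= min_failures:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "failures": failures,
                        "compromised": sorted(u for _, u, r in span
                                              if r == "SUCCESS"),
                    }
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The per-IP view is deliberately crude: real stuffing campaigns rotate through residential proxies, so in production you would also key on user-agent, ASN or device fingerprint and look at the global ratio of distinct usernames to source IPs. The "compromised" list is the actionable output: those accounts accepted a password that is evidently in the attacker's list and should be reset and put behind MFA.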

Security experts reveal how worried you should be and what you should do now

“I know this sounds funny, but what’s 1.5 billion more passwords?” said Daniel Card, a self-proclaimed cyber ninja warrior and founder of security consultancy PwnDefend. He’s right: Once these databases reach a tipping point in the size of unique passwords, the number of new passwords added doesn’t matter much. “When we look at how people create passwords,” Card said, “is this going to change the world? Probably not. I don’t think it changes the capabilities of threat actors in any meaningful way.”


Other security experts agree with Card on this point. “While this composite work is a shock and a moment of horror given the dismal state of identity and access management controls and the lack of protection of this information,” said Ian Thornton-Trump, chief information security officer at threat intelligence agency Cyjax, “I think there comes a point where the magnitude of this aggregated data becomes almost irrelevant because of its sheer size.” Thornton-Trump admits that’s a bad thing, of course, but what’s really bad is the lack of multi-factor authentication that still exists in organizations around the world. “Maybe we should be looking at regulations that would mandate multi-factor authentication for any login on a SaaS platform?” he concludes.

What to do about this massive leak of plaintext passwords? I advise you to take a good look at yourself and your attitude towards login security. Jake Moore, global cybersecurity advisor for security vendor ESET, seems to agree. “There is really no excuse not to use unique passwords for each account, as data breaches unfortunately continue to occur and multiply,” Moore said. “Fortunately, password managers are easier than ever to use and implement in everyday life. Plus, they take the hard part out of generating passwords and securely storing those complex codes,” Moore concluded.

In the meantime, don’t panic too much about RockYou2024. Go about your business, taking as many precautions as possible about generating, storing, and using passwords. Install a password manager (1Password and Proton Pass are good choices), and note that Apple will ship a standalone password manager app with the upcoming iOS 18 update. Oh, and start using multi-factor authentication wherever you can. The researchers have also published a leaked password checker where you can check whether any of your passwords are included in the RockYou2024 database.
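A caveat on online checkers: the safest way to test a password against a leak is to never send the plaintext anywhere. If you have a copy of a RockYou-style wordlist (one plaintext password per line), you can do the comparison entirely on your own machine. The script below is an added example for this article, not code from Cybernews or from any password manager; the embedded wordlist is a constructed stand-in for the real file, and the file path in `check_file` is an assumption. It streams the list so a multi-gigabyte file never has to fit in memory, compares by hash so only hashes of your candidates sit in memory, and shows the kind of random generation a password manager does for you.

```python
"""Check your own passwords against a leaked-password list locally, and
generate replacements from the OS CSPRNG.

Added example, not from the article. SAMPLE_WORDLIST is constructed; a real
RockYou-style file is one plaintext password per line.
"""
import hashlib
import secrets
import string
from typing import Iterable, Set

# Constructed sample wordlist (not real leaked data).
SAMPLE_WORDLIST = """\
123456
password
qwerty123
letmein
Summer2024!
"""


def sha1_hex(s: str) -> str:
    """SHA-1 is used only as a fast fingerprint for equality, not for storage."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def find_leaked(candidates: Iterable[str], wordlist_lines: Iterable[str]) -> Set[str]:
    """Return the subset of `candidates` that appears in the wordlist.

    Candidates are hashed up front and the wordlist is consumed as a stream,
    so memory use is O(number of candidates), not O(size of the leak).
    """
    wanted = {sha1_hex(p): p for p in candidates}
    hits: Set[str] = set()
    for line in wordlist_lines:
        entry = line.rstrip("\r\n")
        if not entry:
            continue
        match = wanted.get(sha1_hex(entry))
        if match is not None:
            hits.add(match)
            if len(hits) == len(wanted):   # everything found; stop early
                break
    return hits


def check_file(candidates: Iterable[str], path: str) -> Set[str]:
    """Stream a wordlist file from disk (path is an assumption, e.g. rockyou2024.txt).
    Leaked lists are rarely clean UTF-8, hence errors='replace'."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_leaked(candidates, f)


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, the way a password manager builds one.
    Length, not character-class rules, is what keeps it out of lists like this."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    mine = ["Summer2024!", "correct horse battery staple"]
    leaked = find_leaked(mine, SAMPLE_WORDLIST.splitlines())
    for pw in mine:
        status = "LEAKED" if pw in leaked else "not in sample list"
        print(f"{pw!r}: {status}")
    print("replacement:", generate_password(24))
```

Scanning a ten-billion-line file this way is I/O bound and will take a while, but it runs offline and nothing about your passwords leaves the machine. For a hosted checker, prefer one that uses a k-anonymity prefix query (you send the first few characters of a hash, never the password itself).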
