Cybernews researchers have uncovered what is likely the largest password compilation to date, containing 9,948,575,739 or nearly 10 billion plaintext passwords. This dataset, titled rockyou2024.txt, was posted on July 4th by a prominent hacking forum user known as ObamaCare.
Upon analysis, Cybernews cross-referenced the passwords included in the RockYou2024 leak with data from its Leaked Password Checker. The findings revealed that the compilation is a mix of passwords from both old and new data breaches.
The RockYou2024 leak is a compilation of real-world passwords used by individuals. Revealing this many passwords to threat actors heightens the risk of credential stuffing attacks, Cybernews researchers stated.
Implications of the Leak
Credential stuffing attacks, which use lists of breached username and password pairs to gain unauthorized access, pose severe risks to both users and businesses. Recent attacks targeting companies like Santander and Ticketmaster were attributed to credential stuffing against their cloud service provider, Snowflake.
Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset.
The ten-billion-strong RockYou2024 compilation could be used to target any system that is not protected against brute-force attacks, including online and offline services, internet-facing cameras, and industrial hardware.
“Moreover, combined with other leaked databases containing user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” the team added.
This discovery follows a similar incident three years ago, where Cybernews reported on the RockYou2021 password compilation, which contained 8.4 billion plaintext passwords. The latest iteration has expanded by adding another 1.5 billion passwords, reflecting data collected from over 4,000 databases spanning more than two decades.
Cybernews has integrated data from RockYou2024 into its Leaked Password Checker, allowing individuals to verify if their credentials were exposed in this unprecedented leak.
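For defenders, the two attack patterns named above (credential stuffing and brute-force) leave different shapes in failed-login data. The following is an added example, not part of the Cybernews report: it labels each source IP by how its failures are spread across accounts. The event format, function name, thresholds and sample data are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of failed-login events as (source_ip, username).
# Addresses come from documentation ranges; none of this is real data.
SAMPLE_FAILURES = (
    [("203.0.113.10", f"user{i}@example.com") for i in range(8)]  # one try per account
    + [("198.51.100.7", "admin")] * 8                             # one account, many tries
    + [("192.0.2.44", "alice@example.com")] * 2                   # likely a typo
    + [("192.0.2.80", u) for u in ("bob", "bob", "bob", "carol", "carol", "dave")]
)


def classify_sources(failures, min_failures=5, stuffing_ratio=0.8, brute_ratio=0.2):
    """Label each source IP by the shape of its failed logins.

    ratio = distinct usernames / total failures
      near 1 -> many accounts, about one guess each (credential stuffing)
      near 0 -> few accounts, many guesses each (brute force)
    The default thresholds are illustrative and need tuning per environment.
    """
    per_ip = defaultdict(list)
    for ip, user in failures:
        per_ip[ip].append(user)

    verdicts = {}
    for ip, users in per_ip.items():
        total = len(users)
        if total < min_failures:
            # Too few failures to say anything; avoids flagging ordinary typos.
            verdicts[ip] = "below-threshold"
            continue
        ratio = len(set(users)) / total
        if ratio >= stuffing_ratio:
            verdicts[ip] = "credential-stuffing"
        elif ratio <= brute_ratio:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "mixed"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_FAILURES).items()):
        print(f"{ip:15} {verdict}")
```

Distributed campaigns spread attempts over many addresses, so in practice the same ratio is also worth computing per ASN, user agent or time window rather than per IP alone.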