Recently, researchers from Cybernews discovered a file named rockyou2024.txt posted by a forum user named ObamaCare. This file contains nearly 10 billion unique plaintext passwords, resulting in the largest password leak in history and posing a severe threat to users who reuse passwords.
10 Billion Passwords Leaked, Posing Serious Threats
The research team cross-referenced the passwords from the RockYou2024 leak with data from Cybernews’ leak checker and found that these passwords are a mix from various old and new data breaches.
The RockYou2024 leak has compiled real passwords used by individuals worldwide, significantly increasing the risk of credential stuffing attacks. Cybercriminals can use the RockYou2024 password compilation for brute-force attacks and gain unauthorized access to various online accounts using the passwords found in the dataset.
Credential stuffing attacks can cause significant harm to both users and businesses. For instance, recent attacks on companies like Santander, Ticketmaster, Advance Auto Parts, and QuoteWizard were direct results of credential stuffing attacks on victims’ cloud service providers, such as Snowflake.
Multiple Threats: Brute-force Attacks, Data Leaks, Financial Fraud, and Identity Theft
The Cybernews team believes that attackers can use the RockYou2024 compilation to target any system not protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware.
Furthermore, combining RockYou2024 with other leaked databases on hacker forums and markets, such as those containing user emails and other credentials, can lead to a series of data breaches, financial fraud, and identity theft.
How to Defend Against This Password Leak?
Although nothing can undo the exposure of users whose passwords are already in the leak, impacted individuals and organizations can take mitigation steps such as:
• Immediately reset every account that uses a password found in the leak, choosing a different password for each platform.
• Enable Multi-Factor Authentication (MFA), such as additional phone verification, fingerprint verification, and other security measures.
• Use password manager software to securely generate and store complex passwords, reducing the risk of password reuse across different accounts.
The password leak also highlights the need for businesses and organizations to not only deploy security measures like firewalls, intrusion detection systems, and SSL certificates but also to enhance account security management. Implementing MFA and other security practices can help mitigate the risks associated with password leaks and contribute to overall data and network security.
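One concrete way an organization can act on the account-security point above is to screen new passwords against a breach compilation such as rockyou2024.txt at signup or reset time, so that a password already known to attackers is never accepted. The following is an added example written for this article, not code from Cybernews or from any of the companies named; the wordlist lines are constructed stand-ins for the real file, and the corpus is held as SHA-1 digests so that plaintext passwords never sit in memory longer than needed.

```python
import hashlib
import io

# Constructed sample standing in for a few lines of a leaked wordlist.
# The real rockyou2024.txt is far too large to load as a plain set; a
# production deployment would use a Bloom filter or a k-anonymity lookup.
SAMPLE_LEAK = """123456
password
qwerty
P@ssw0rd
letmein
"""


def load_breached_hashes(lines):
    """Stream a plaintext wordlist and keep only SHA-1 digests of each entry."""
    digests = set()
    for raw in lines:
        pw = raw.rstrip("\r\n")
        if not pw:
            continue
        # surrogateescape keeps malformed bytes from aborting the whole load
        digests.add(hashlib.sha1(pw.encode("utf-8", "surrogateescape")).digest())
    return digests


def is_breached(password, breached):
    """True if the candidate password appears in the breach corpus."""
    return hashlib.sha1(password.encode("utf-8")).digest() in breached


def check_new_password(password, breached, min_len=12):
    """Return (accepted, reason) for a password offered at signup or reset."""
    if len(password) < min_len:
        return False, "too short"
    if is_breached(password, breached):
        return False, "found in breach corpus"
    # Reject trivial variants such as a leaked word with digits appended;
    # this only catches the simplest transformations, not every mangling rule.
    stripped = password.rstrip("0123456789!?.")
    if stripped != password and is_breached(stripped, breached):
        return False, "trivial variant of a breached password"
    return True, "ok"


if __name__ == "__main__":
    corpus = load_breached_hashes(io.StringIO(SAMPLE_LEAK))
    for candidate in ["password", "P@ssw0rd2024!", "correct horse battery staple"]:
        print(candidate, "->", check_new_password(candidate, corpus))
```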