Last month on July 4, a newly registered user on a popular hacking forum posted a file that contained nearly 10 billion compromised passwords, an event that cybersecurity officials are calling the biggest password leak in internet history. This is the second record-breaking leak to happen in 2024 alone. The leak was first noticed by researchers at CyberNews, who believe that this incident could pose a severe risk to users, especially those who reuse the same password across multiple accounts. The file was titled “rockyou2024.txt” and was posted on the forum by a user with the username “ObamaCare” who registered in late May 2024. In the short time between registering and the RockYou2024 leak, the same user also leaked employee database information from law firm Simmons & Simmons, a leak from online casino AskGamblers, and student applications for Rowan College at Burlington County.
The compilation of passwords in the file came from a mixture of old and new data leaks, according to cross-referencing done by the CyberNews team using their Leaked Password Checker. The file contains real passwords used by individuals all over the world. Because of the massive amount of data this file contains, CyberNews researchers warned that the public is currently at higher risk of experiencing “credential stuffing attacks.” Credential stuffing attacks occur when hackers use credentials obtained from a data breach on one service to attempt to log in to various accounts on other services. For example, an attacker may try to use credentials obtained from a data breach of a hospital to log in to the website of a bank. If you are someone who uses the same usernames and passwords for multiple accounts, you may be particularly vulnerable to this type of attack.
Data leaks of this type are not new, although this one is larger than any before it. In 2021, CyberNews discovered a leak named RockYou2021 which contained nearly 8.4 billion passwords, making it the largest at the time. It is suspected that the hackers involved in the RockYou2024 leak scoured the internet to find and add new leaks to this old list, adding almost 1.5 billion passwords. It is estimated that the RockYou2024 list contains passwords collected from over 4,000 databases over the course of about 20 years. Any system that isn’t protected against brute-force/credential stuffing attacks will be particularly vulnerable after this leak. If combined with other leaks which might contain other credentials like email addresses, we could begin to see an increase in future data breaches, financial fraud, and identity theft.
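The two paragraphs above describe the server-side risk: a credential stuffing campaign looks like one source trying many different usernames, most of them failing, rather than one user retrying their own password. The script below is an added example (not from the original article or from CyberNews) that shows how a defender could spot that pattern in authentication logs. It assumes a constructed, simplified log format of `timestamp source_ip username result`; the sample lines, IP addresses (from documentation ranges) and usernames are all made up.

```python
"""Credential-stuffing detection over constructed authentication log lines.

Added example; the log format, thresholds and sample data are assumptions,
not taken from the article or from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one source spraying many accounts (stuffing),
# one user retrying their own password, and one ordinary login.
SAMPLE_LOG = """\
2024-07-05T10:00:01 203.0.113.7 alice FAIL
2024-07-05T10:00:02 203.0.113.7 bob FAIL
2024-07-05T10:00:02 203.0.113.7 carol FAIL
2024-07-05T10:00:03 203.0.113.7 dave FAIL
2024-07-05T10:00:03 203.0.113.7 erin SUCCESS
2024-07-05T10:00:04 203.0.113.7 frank FAIL
2024-07-05T10:00:05 198.51.100.20 alice FAIL
2024-07-05T10:00:09 198.51.100.20 alice FAIL
2024-07-05T10:00:15 198.51.100.20 alice SUCCESS
2024-07-05T10:01:00 192.0.2.44 bob SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used by the detector."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)


def parse_log(text):
    """Parse lines of 'timestamp ip username result' into tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        timestamp, ip, username, result = parts
        events.append((timestamp, ip, username, result))
    return events


def summarize_by_source(events):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for _, ip, username, result in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(username)
        if result != "SUCCESS":
            s.failures += 1
    return dict(stats)


def flag_credential_stuffing(stats, min_users=5, min_fail_rate=0.5):
    """Flag sources that hit many distinct accounts with a high failure rate.

    A single user retrying their own password touches one username, so it is
    not flagged even if it fails several times; that is the key difference
    from plain brute force against one account.
    """
    flagged = {}
    for ip, s in stats.items():
        fail_rate = s.failures / s.attempts
        if len(s.usernames) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = {
                "distinct_users": len(s.usernames),
                "attempts": s.attempts,
                "fail_rate": round(fail_rate, 2),
            }
    return flagged


def successful_logins_from_flagged(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are
    the likely reused-password victims to force a reset on."""
    return {u for _, ip, u, r in events if ip in flagged and r == "SUCCESS"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    suspicious = flag_credential_stuffing(summarize_by_source(evs))
    print("flagged sources:", suspicious)
    print("accounts to reset:", successful_logins_from_flagged(evs, suspicious))
```

On the sample data, only `203.0.113.7` is flagged (six usernames, five failures out of six attempts), while `198.51.100.20` is not, because all three of its attempts are for the same account. The one account that succeeded from the flagged source, `erin`, is the one whose password was evidently present in a leak like RockYou2024 and should be reset. The thresholds are illustrative; real deployments tune them per application and combine this signal with rate limiting and MFA.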
It is important to protect yourself from cyberattacks, especially after major leaks like RockYou2024 occur. At this time, it would be wise to reset the passwords to your accounts and make each one strong and unique if possible. You should also consider enabling two-factor/multi-factor authentication on your accounts to provide an extra barrier between a hacker and your account. Additionally, there are password management software programs that can help you generate and securely store passwords. You can check if your credentials were exposed in this particular leak with CyberNews’ Leaked Password Checker.
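A leaked-password checker, as mentioned above, does not need to see your password in plain text. The added example below (not CyberNews' code, and not a description of how their checker works) illustrates the general pattern: both sides work on a SHA-1 hash of the password, and a client can query a range of hashes by sending only the first five hex characters, so the server never learns the full hash. The miniature "leaked list" is constructed for the example; a real list such as rockyou2024.txt would be billions of lines.

```python
"""Offline breached-password screening by hash, plus a prefix range query.

Added example. The tiny leaked list and the local 'server' are constructed
stand-ins for a real breach corpus and a real lookup service.
"""
import hashlib

# Constructed miniature leaked-password list (stand-in for a rockyou-style file).
LEAKED_PASSWORDS = ["123456", "password", "rockyou", "iloveyou", "qwerty123"]

PREFIX_LEN = 5  # client sends only this many hex chars of the SHA-1 hash


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password string."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_hash_set(passwords):
    """Index a leaked list by hash so plaintext never has to be kept around."""
    return {sha1_hex(p) for p in passwords}


def is_leaked(candidate, hash_set):
    """Direct local check: is the candidate's hash in the leaked set?"""
    return sha1_hex(candidate) in hash_set


def make_range_server(hash_set):
    """Return a function that answers range queries: given a hash prefix,
    hand back every matching hash suffix. The server only ever sees the prefix."""
    def lookup(prefix):
        return sorted(h[PREFIX_LEN:] for h in hash_set if h.startswith(prefix))
    return lookup


def is_leaked_via_range(candidate, lookup):
    """Client side of the range query: send the prefix, compare suffixes locally."""
    full = sha1_hex(candidate)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    return suffix in lookup(prefix)


def acceptable_new_password(candidate, lookup, min_length=12):
    """A screening rule a signup form could apply: reject short or leaked passwords."""
    if len(candidate) < min_length:
        return False, "too short"
    if is_leaked_via_range(candidate, lookup):
        return False, "found in a known leak"
    return True, "ok"


if __name__ == "__main__":
    server = make_range_server(build_hash_set(LEAKED_PASSWORDS))
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", acceptable_new_password(pw, server))
```

The range query is the reason a checker can be used without handing over the password itself: the client reveals five hex characters, which correspond to a large bucket of possible hashes, and does the final comparison locally. The same `build_hash_set` approach is how a site can screen new passwords against a breach list at registration or password-reset time, which is the mitigation that matters most once a list like RockYou2024 is public.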