Massive RockYou2024 leak exposes 10 billion passwords

You might want to change all of your passwords right away. A massive leak has exposed nearly ten billion unique plaintext passwords, leaving us all vulnerable to credential stuffing attacks. The so-called RockYou2024 leak appears to be the largest password compilation yet, surpassing 2021’s RockYou2021, which contained over 8.4 billion unique passwords.

Nearly ten billion passwords exposed in a massive leak

RockYou2024 is a compilation of passwords collected from old and new data breaches. Posted on a popular hacking forum by a member with the username ObamaCare, it contains a staggering 9,948,575,739 unique passwords. According to the user, they built this compilation upon RockYou2021, i.e., they added more passwords from newer data breaches to the 2021 compilation. They also claim to have cracked some old passwords.

While the user joined the forum in late May 2024, they already have a strong history of sharing leaked databases. According to Cybernews, ObamaCare previously shared “an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County.” The user may have added passwords obtained from these breaches to RockYou2024.

The publication cross-checked the latest password dump with data from their Leaked Password Checker tool. It confirmed that the latest leak contains passwords from a mix of old and new data breaches. The sheer volume of unique passwords shared online poses a significant security risk to internet users around the world, Cybernews researchers explained. Threat actors could use these passwords for credential stuffing attacks.

In these types of attacks, threat actors employ automated systems to feed the leaked credentials to apps and websites on a large scale. If the credentials match, they may gain unauthorized access to your account unless you have enabled additional security measures such as 2FA (two-factor authentication). Some online systems are protected against brute-force attacks, but you can never go wrong with 2FA, which can block unauthorized access.
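The pattern described above, seen from the side of a site operator, as an added example that is not part of the original article: it flags sources that try many distinct accounts and mostly fail, then separates accounts where the password matched without 2FA from those where 2FA stopped the login. The event fields, the sample data and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events (assumed schema):
# (source_ip, username, password_ok, mfa_enabled)
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", False, False),
    ("203.0.113.7", "bob", False, True),
    ("203.0.113.7", "carol", True, False),    # reused password, no 2FA
    ("203.0.113.7", "dave", True, True),      # password matched, 2FA stops it
    ("203.0.113.7", "erin", False, False),
    ("203.0.113.7", "frank", False, False),
    ("198.51.100.4", "alice", False, False),  # ordinary user mistyping once
    ("198.51.100.4", "alice", True, False),
]

def find_stuffing(events, min_accounts=5, min_fail_ratio=0.6):
    """Report sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions, not tuned values.
    """
    by_ip = defaultdict(list)
    for ip, user, ok, mfa in events:
        by_ip[ip].append((user, ok, mfa))

    report = {}
    for ip, attempts in by_ip.items():
        accounts = {user for user, _, _ in attempts}
        failures = sum(1 for _, ok, _ in attempts if not ok)
        # One user retrying their own password touches few accounts;
        # stuffing touches many accounts and fails on most of them.
        if len(accounts) < min_accounts:
            continue
        if failures / len(attempts) < min_fail_ratio:
            continue
        report[ip] = {
            # Password matched and nothing else stood in the way.
            "compromised": sorted({u for u, ok, mfa in attempts if ok and not mfa}),
            # Password matched, but the second factor is still required.
            "blocked_by_2fa": sorted({u for u, ok, mfa in attempts if ok and mfa}),
        }
    return report

if __name__ == "__main__":
    print(find_stuffing(SAMPLE_EVENTS))
```

Accounts listed under `compromised` need a forced password reset and session revocation; those under `blocked_by_2fa` still have an exposed password and should be prompted to change it.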

Avoid reusing the same password

This leak is another reminder that you should enable 2FA and avoid reusing the same password. If you use a password across multiple accounts, a breach on any system potentially compromises all of your accounts. You can use a password manager to create strong and unique passwords for each account and store them safely. Cybernews plans to include data from RockYou2024 in its Leaked Password Checker. The tool lets you check if a data breach exposed your emails, phone numbers, or passwords.