10 billion passwords leaked in the largest compilation of all time

Spyxos

The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords.


Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.

While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a leak from an online casino AskGamblers, and student applications for Rowan College at Burlington County.

The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews' Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches.

"In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks," researchers said.

"Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset," the team explained.


Surely the only information anybody is interested in is where the passwords have come from - which isn't in the article, helpfully.
 
Surely the only information anybody is interested in is where the passwords have come from - which isn't in the article, helpfully.

Everywhere, going back decades. It's just a compilation of existing PW lists. Basically the point of rockyou is to use it in conjunction with a script to brute-force any account that has no kind of attempt limitation on it, which isn't much these days, but this'll be useful to someone somewhere.

As always, sign up to HIBP or a similar service to ensure you're notified of any breached PWs so you can change them as necessary. Or use a manager, not my preferred method, but it's there.
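The defensive counterpart to the advice above, as an added example that is not from this thread, Cybernews or HIBP: a registration-time check that rejects any password found in a breached-password compilation, modelled on the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses (SHA-1, only the first 5 hex characters leave the client). The compilation and its counts are constructed so the code runs offline; no real leaked data is used.

```python
"""Leaked-password blocklist check with a k-anonymity prefix lookup (added example).

The client hashes the candidate password with SHA-1, sends only the 5-character
hex prefix, receives every known suffix sharing that prefix with its breach count,
and finishes the match locally. The "service" below is an in-memory stand-in.
"""
import hashlib

# Constructed sample compilation (NOT the real rockyou2024.txt); counts are invented.
SAMPLE_LEAKED = {"password": 1_000_000, "123456": 2_500_000,
                 "qwerty": 300_000, "letmein": 50_000}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(leaked: dict) -> dict:
    """Index a compilation as {prefix: {suffix: count}}, the shape a range endpoint serves."""
    index: dict = {}
    for pw, count in leaked.items():
        h = _sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


def query_range(index: dict, prefix: str) -> list:
    """Stand-in for the range endpoint: 'SUFFIX:COUNT' lines for one 5-char prefix."""
    return [f"{suffix}:{count}" for suffix, count in index.get(prefix, {}).items()]


def times_seen(password: str, index: dict) -> int:
    """Client side: hash locally, transmit only the prefix, match the suffix locally."""
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query_range(index, prefix):
        cand, count = line.split(":")
        if cand == suffix:
            return int(count)
    return 0


def accept_password(password: str, index: dict, min_len: int = 8) -> tuple:
    """Registration policy: minimum length, then reject anything seen in a breach."""
    if len(password) < min_len:
        return False, "too short"
    n = times_seen(password, index)
    if n:
        return False, f"appears in breach compilation {n} times"
    return True, "ok"
```

The same prefix-only exchange is what lets a service check passwords against a compilation this size without ever receiving the password itself.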
 
They need to be executed IRL. Death penalty to hackers (if the governments don't need them after they're caught). Fuck hackers and criminals in general. World is far too weak on crime.
 
I have a few I know have been compromised but I just don't care as I never use those things anymore and can't be bothered to change my password on a local burrito shop app.
 
I feel somewhat safe despite this news because I've turned on passkeys for all my accounts that offer it and, seeing as I used to use LastPass, I had to reset everything because of their own breach not long ago.
 
Everywhere, going back decades. It's just a compilation of existing PW lists. Basically the point of rockyou is to use it in conjunction with a script to brute-force any account that has no kind of attempt limitation on it, which isn't much these days, but this'll be useful to someone somewhere.

As always, sign up to HIBP or a similar service to ensure you're notified of any breached PWs so you can change them as necessary. Or use a manager, not my preferred method, but it's there.
Could also be used in offline attacks, password cracking from stolen hashes of passwords (given that the passwords aren't further protected, which they should be).

rockyou has been a hacking staple for a long time. This update is interesting, but yes, 2FA (preferably with an authentication app) is quite a nice layer of extra security, as mentioned elsewhere in this thread. It's inconvenient like all security, but does make it harder to be fucked with online.
 
Could also be used in offline attacks, password cracking from stolen hashes of passwords (given that the passwords aren't further protected, which they should be).

rockyou has been a hacking staple for a long time. This update is interesting, but yes, 2FA (preferably with an authentication app) is quite a nice layer of extra security, as mentioned elsewhere in this thread. It's inconvenient like all security, but does make it harder to be fucked with online.

If the passwords aren't salted. The most effective deterrent is, as always, MFA using a modern authenticator along with a dose of awareness so as not to accept a login that you didn't initiate.
 
In addition to 2FA as others have mentioned, you should have a password manager with a built-in password generator - and be using it for every site you sign up for. We have the technology to not have to remember (let alone reuse) passwords in 2024. Don't be a sucker.
 
Probably not updated with this new event, but always worth checking regardless.


It's a site that you can use to search for your email to see if it's been compromised in any number of hacks/leaks/breaches/etc.
 
This podcast explains clearly what hackers can do with a list of passwords that big. Statistical priorities and probabilities will be honed with a 10 billion sample set.

 
If the passwords aren't salted. The most effective deterrent is, as always, MFA using a modern authenticator along with a dose of awareness so as not to accept a login that you didn't initiate.
Read something today in the SysAdmin Reddit about how phishing attempts are now focused on capturing O365 authentication tokens via proxy, which can be reused to authenticate even via authentication apps, bypassing 2FA.
 