New Security Alert—Hacker Uploads 10 Billion Stolen Passwords To Crime Forum
The world’s largest collection of stolen passwords has been uploaded to an infamous crime marketplace where cybercriminals trade such credentials. A hacker using the name ‘ObamaCare’ has posted a database containing almost 10 billion unique passwords thought to have been collected from numerous data breaches and hacks across many years. Here’s everything you need to know.
What You Need To Know About The RockYou2024 Password Database
Security researchers from Cybernews have uncovered what appears to be the biggest collection of stolen and leaked credentials ever seen on the BreachForums criminal underground forum. Containing an astonishing 9,948,575,739 unique passwords, all in plaintext format, the RockYou2024 compilation builds on an earlier credentials database known as RockYou 2021, which featured 8.4 billion passwords, and adds approximately 1.5 billion new passwords into the mix. These cover the period from 2021 through 2024, and it has been estimated that the latest credentials file contains entries from a total of 4,000 huge databases of stolen credentials covering at least two decades.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world,” the researchers said, adding “revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks.”
The Brute Force Implications Of RockYou2024
Credential stuffing attacks remain one of the most common and successful methods of gaining initial access to services and systems for criminal and state-sponsored hackers and ransomware affiliates.
Such threat actors could exploit the RockYou2024 password compilation so as to conduct brute-force attacks and “gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the research team said. This could include anything and everything from online services, to internet-facing cameras and even industrial hardware. Combined with other leaked databases on hacker forums and dark web marketplaces, containing email addresses and other credentials, the team concluded, “RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts.”
Security Experts Reveal How Worried You Should Be And What You Need To Do Now
“I know this might sound funny, but what’s an extra 1.5 billion passwords?” Daniel Card, a self-proclaimed Cyber Ninja Warrior and founder of the PwnDefend security consultancy, said. He has a point: once such databases reach a tipping point regarding unique password size, it makes precious little difference how many new ones get added. “When we look at how people create passwords,” Card said, “is that going to change the world? Probably not. I don’t think this changes the threat actors’ capability in any meaningful way.”
Other security experts agree with Card on this. “As much as this composite work is a shock and awe moment when it comes to how terrible the state of identity and access management controls are, and the lack of protection of that information has,” Ian Thornton-Trump, the chief security information officer at threat intelligence agency Cyjax, said, “I think there comes a point where the magnitude of this aggregated data becomes next to useless due to its vast size.” Thornton-Trump admits it’s a bad thing, of course, but what’s really bad is the lack of multi-factor authentication that still exists in organizations across the globe. “Maybe we need to look at regulation that forces MFA for any login on a software-as-a-service platform?” he concludes.
What should you do in response to this huge leak of plaintext password credentials? My advice is to take a good look at yourself and your attitude towards login security. Jake Moore, the global cybersecurity advisor for security vendor ESET, would seem to agree. “There really is no excuse not to use unique passwords for every single account as data breaches unfortunately continue to occur and grow,” Moore said. “Luckily, password managers are easier than ever to use and implement into daily life. Plus they offer the hard part of password generation and the secure storing of these complex codes,” Moore concludes.
In the meantime, don’t panic overly about RockYou2024. Go about your business while taking as much care as possible regarding password generation, storage and use. Do get a password manager up and running: 1Password and Proton Pass are solid choices, and Apple will introduce a generic password manager app with the forthcoming iOS 18 update. Oh, and start employing MFA wherever you can. Using the Cybernews exposed passwords checker, you can check if any of your passwords are included in this latest RockYou stolen credentials database.
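As an added illustration (not the Cybernews checker, and not the real RockYou2024 data), the Python below shows how a "is my password in a leak?" check can be built so that neither the plaintext password nor its full hash has to leave the client: the leak is indexed by the first five hex characters of each SHA-1 digest, the client asks only for that prefix's bucket, and the suffix comparison happens locally. The leaked list and the candidate passwords are constructed sample values.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-password compilation (NOT the real dataset).
LEAKED_PASSWORDS = [
    "123456", "password", "qwerty", "rockyou", "letmein", "iloveyou", "admin123",
]

PREFIX_LEN = 5  # hex chars of SHA-1 sent to the lookup service; the remaining 35 stay local


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form breach-lookup services index by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords):
    """Server side: bucket every leaked hash by its 5-char prefix, storing only the suffix."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:PREFIX_LEN]].add(digest[PREFIX_LEN:])
    return index


def range_query(prefix: str, index):
    """Server side: return every suffix in the requested bucket (the k-anonymity 'range')."""
    return sorted(index.get(prefix.upper(), ()))


def is_password_leaked(password: str, index) -> bool:
    """Client side: hash locally, send only the prefix, match the suffix against the returned bucket."""
    digest = sha1_hex(password)
    bucket = range_query(digest[:PREFIX_LEN], index)
    return digest[PREFIX_LEN:] in bucket


def check_many(passwords, index):
    """Report, per candidate password, whether it appears in the indexed leak."""
    return {pw: is_password_leaked(pw, index) for pw in passwords}


if __name__ == "__main__":
    idx = build_prefix_index(LEAKED_PASSWORDS)
    for pw, hit in check_many(["password", "correct horse battery staple"], idx).items():
        print(f"{pw!r}: {'LEAKED' if hit else 'not in leak'}")
```

The same prefix/suffix split is how a sign-up or password-change form can screen new passwords against a leak list without the service ever seeing the candidate password, which is the practical defence against the credential-stuffing risk described above.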