Nearly 10 billion unique plaintext passwords were leaked to a popular hacking forum on the Fourth of July. The list has earned the fitting moniker “RockYou2024” from its filename, “rockyou.txt.” The file is essentially a compilation of passwords that were gathered by a forum user known only as “ObamaCare,” and it contained passwords that came from old and new data breaches.

Because many of the entries come from older breaches, a large share of them may already have been changed, yet researchers warn that the list could still be a treasure trove for bad actors.

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers at Cybernews explained. “Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset.”
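Credential stuffing, as the Cybernews researchers describe it, replays leaked username and password pairs against many accounts, so its signature in authentication logs is one source touching many different accounts in a short window with a high failure rate. The detector below is an added example, not code from the article or from Cybernews; it assumes a simple one-event-per-line log format (timestamp, source IP, username, LOGIN_OK or LOGIN_FAIL) and the thresholds are assumptions to be tuned per service. The sample log lines are constructed.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the article or from Cybernews. The log format
below is an assumption: one event per line,
    <ISO-8601 timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
Credential stuffing replays leaked username/password pairs, so its signature
is one source trying MANY DIFFERENT accounts in a short window with a high
failure rate; a single account hammered repeatedly is a different pattern.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one IP walks ten accounts in nine
# seconds and gets one hit; a second IP retries one account; a third is normal.
SAMPLE_LOG = """\
2024-07-05T10:00:01 203.0.113.7 alice LOGIN_FAIL
2024-07-05T10:00:02 203.0.113.7 bob LOGIN_FAIL
2024-07-05T10:00:02 203.0.113.7 carol LOGIN_FAIL
2024-07-05T10:00:03 203.0.113.7 dave LOGIN_OK
2024-07-05T10:00:04 203.0.113.7 erin LOGIN_FAIL
2024-07-05T10:00:05 203.0.113.7 frank LOGIN_FAIL
2024-07-05T10:00:06 203.0.113.7 grace LOGIN_FAIL
2024-07-05T10:00:07 203.0.113.7 heidi LOGIN_FAIL
2024-07-05T10:00:08 203.0.113.7 ivan LOGIN_FAIL
2024-07-05T10:00:09 203.0.113.7 judy LOGIN_FAIL
2024-07-05T10:00:10 198.51.100.4 alice LOGIN_FAIL
2024-07-05T10:00:20 198.51.100.4 alice LOGIN_FAIL
2024-07-05T10:00:30 198.51.100.4 alice LOGIN_OK
2024-07-05T10:15:00 192.0.2.9 bob LOGIN_OK
"""


def parse_line(line):
    """Parse one log line into (timestamp, ip, username, success)."""
    ts, ip, user, status = line.split()
    return datetime.fromisoformat(ts), ip, user, status == "LOGIN_OK"


def detect_credential_stuffing(log_text, window_seconds=60,
                               min_distinct_users=8, min_failure_rate=0.75):
    """Return {ip: summary} for sources whose sliding window of attempts
    touches at least `min_distinct_users` accounts with a failure rate of at
    least `min_failure_rate`. Thresholds are assumptions; tune per service."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, evs in by_ip.items():
        recent = deque()        # events inside the window, oldest first
        users = Counter()       # username -> attempts inside the window
        failures = 0
        for ts, _, user, ok in evs:
            recent.append((ts, user, ok))
            users[user] += 1
            failures += 0 if ok else 1
            # Expire events that fell out of the window.
            while ts - recent[0][0] > window:
                _old_ts, old_user, old_ok = recent.popleft()
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                failures -= 0 if old_ok else 1
            rate = failures / len(recent)
            if len(users) >= min_distinct_users and rate >= min_failure_rate:
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(recent),
                        "failure_rate": round(rate, 2),
                        # Accounts that DID log in during the burst: these are
                        # the likely-valid leaked credentials to reset first.
                        "compromised": [u for _, u, k in recent if k],
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

The distinct-account criterion is what separates stuffing from a single account being retried (the second IP in the sample), which needs a different response; the `compromised` list is the actionable output, since a success inside such a burst marks a leaked credential that is still valid and should be reset first.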

This is also the second time such a compilation of passwords has made the rounds on the dark web. RockYou2021, which appeared three years ago – and was the largest illicit database of passwords at the time – consisted of around 8.4 billion passwords. This new leak is an updated and enlarged version of that list.

The number of passwords is significant, but researchers have also cautioned that size alone should not be used to gauge the seriousness of this leak.

“While the RockYou2024 leak is massive, it’s not unprecedented given the recent MOAB (Mother of All Breaches) leak,” said Ted Miracco, CEO of mobile security provider Approov.

“However, it reinforces a critical lesson: password protection alone is woefully inadequate in today’s threat landscape, especially for APIs and mobile apps,” Miracco told ClearanceJobs. “Leaks like these can expose financial and healthcare data that can be utilized for identity theft, financial fraud, blackmail, or other forms of exploitation.”

How Significant Is the Damage?

The greatest threat is to those who use the same or even similar passwords across multiple devices, websites and apps. The leak therefore serves as a reminder to use unique passwords and to change them frequently.

“The biggest significance of this leak is to serve as a reminder that the security of something you think is private – a password – is a shared responsibility between you and the technology vendor. To the best of your ability use longer passwords, don’t use the same password with different services, and periodically review and delete unused accounts,” suggested Evan Dornbush, former NSA cybersecurity expert.
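One way a service can act on the advice above, as an added example that is not code from the article or from any vendor quoted in it: screen candidate passwords at registration or change time against a leaked compilation, rejecting not only verbatim hits but also trivial variants (a changed year, a trailing symbol, leet-speak), since the reuse of "the same or even similar" passwords is the exposure the leak creates. The leaked list here is a constructed miniature stand-in for rockyou.txt, the 12-character minimum is an assumed policy, and only hashes of the list are held in memory.

```python
"""Breached-password screening at registration / password-change time.

Added example, not from the article. It assumes the service holds a leaked
compilation (a stand-in for rockyou.txt is constructed below) and rejects
candidate passwords that appear in it verbatim OR as a trivial variant.
Only hashes of the list are kept in memory.
"""
import hashlib
import re

# Constructed miniature stand-in for a leaked list; not real leaked data.
SAMPLE_LEAKED_LIST = """\
123456
password
qwerty
summer2023
letmein
iloveyou
"""

MIN_LENGTH = 12  # assumed policy, following the "use longer passwords" advice

# Common substitutions that password-cracking rule sets already undo; undoing
# them here makes "P@ssw0rd" collide with the leaked "password".
_LEET = str.maketrans("@$0134!", "asoleai")
_TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalize(password):
    """Reduce a password to its 'shape': lowercase, drop trailing digits and
    symbols (summer2024! -> summer), then undo simple leet-speak."""
    core = _TRAILING_JUNK.sub("", password.lower())
    if not core:              # e.g. "123456": nothing but digits
        core = password.lower()
    return core.translate(_LEET)


def _h(s):
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


class BreachBlocklist:
    """Two hash sets: exact leaked strings and their normalized shapes."""

    def __init__(self, leaked_text):
        self.exact = set()
        self.shapes = set()
        for entry in leaked_text.splitlines():
            entry = entry.strip()
            if not entry:
                continue
            self.exact.add(_h(entry))
            self.shapes.add(_h(normalize(entry)))

    def check(self, candidate):
        """Return (allowed, reason). Blocklist hits are reported before length
        so that a short leaked password is named as leaked, not just short."""
        if _h(candidate) in self.exact:
            return False, "appears verbatim in a breach compilation"
        if _h(normalize(candidate)) in self.shapes:
            return False, "trivial variant of a leaked password"
        if len(candidate) < MIN_LENGTH:
            return False, f"shorter than {MIN_LENGTH} characters"
        return True, "ok"


BLOCKLIST = BreachBlocklist(SAMPLE_LEAKED_LIST)


def check_password(candidate):
    return BLOCKLIST.check(candidate)


if __name__ == "__main__":
    for pw in ["password", "Summer2024!", "P@ssw0rd", "Tr0ub4dor",
               "correct horse battery staple"]:
        print(repr(pw), check_password(pw))
```

The shape check is deliberately coarse: it will reject a few passwords that are not in the list, which is the right trade-off for a blocklist built from a compilation this size, and the reason string lets the user interface explain why the choice was refused.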

The actual utility for hackers thus far is likely minimal, Dornbush told ClearanceJobs. But that doesn’t mean the threat should be ignored – which a lot of users likely did three years ago!

“The magic of the original ‘rockyou’ was in that it created a list of common passwords for attackers to try,” added Dornbush. “This list shows that those common passwords are still common. It also shows that hard-to-crack passwords are still, for many, hard to crack.”

More to Come?

The biggest takeaway from this leak is that it is yet another reminder that not enough is likely being done to protect our digital footprints. That protection needs to happen at every level, by the various platforms and by users alike.

“It’s crucial for companies to implement more robust API security measures to protect this sensitive data, and for users to be cautious about reusing passwords and failing to implement MFA and other advanced security measures,” said Miracco.

“It’s crucial to emphasize that many devices, especially in the Internet of Things (IoT) ecosystem, are woefully unprepared for the onslaught of credential stuffing attacks this leak enables. Smart cameras, thermostats, door locks, and other connected devices often lack robust security features,” Miracco continued. “The sheer volume of credentials exposed means that even if only a small percentage (of passwords) are current and valid, millions of devices could be compromised.”

Moreover, this leak isn’t just a threat to personal accounts, as all it takes is one weak link for a network to be compromised.

“We should expect both sophisticated nation-state actors and individual hackers to exploit these vulnerabilities aggressively,” warned Miracco. “Nation-states might use this data for large-scale surveillance or as part of broader cyber warfare strategies. Individual hackers could target everything from home security cameras to smart city infrastructure.”


Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.