
New security alert – Hacker uploads 10 billion stolen passwords to a crime forum

The world’s largest collection of stolen passwords has been uploaded to a notorious crime marketplace where cybercriminals trade such credentials. A hacker going by the name “ObamaCare” has released a database of nearly 10 billion unique passwords, believed to have been collected over many years through numerous data leaks and hacks. Here’s everything you need to know.

What you need to know about the RockYou2024 password database

Security researchers at Cybernews have discovered, on the underground criminal forum BreachForums, the largest collection of stolen and leaked credentials ever seen. The RockYou2024 compilation contains a staggering 9,948,575,739 unique passwords, all in plaintext. It is a list of passwords alone, not of username-and-password pairs. It builds on a previous compilation, RockYou2021, which contained 8.4 billion passwords, and adds roughly 1.5 billion new ones. The new entries cover the period from 2021 to 2024, and the file as a whole is estimated to draw on some 4,000 breach databases of stolen credentials spanning at least two decades.

“Essentially, the RockYou2024 leak is a compilation of real-world passwords used by individuals around the world,” the researchers said, adding, “showing that for threat actors, having many passwords significantly increases the risk of credential stuffing attacks.”


The Brute Force Impact of RockYou2024

Credential stuffing, replaying leaked username-and-password pairs against other services in the hope that they were reused, remains one of the most common and successful methods used by criminal and state-sponsored hackers and ransomware affiliates to gain initial access to services and systems. A password-only list like RockYou2024 feeds the related dictionary and password-spraying attacks directly, and becomes a stuffing list once it is joined with leaked email addresses.

Such threat actors could exploit the RockYou2024 password collection to conduct brute-force attacks and “gain unauthorized access to various online accounts used by individuals using passwords included in the dataset,” the research team said. This could include anything from online services to internet-connected cameras to industrial hardware. Combined with other leaked databases on hacker forums and darknet marketplaces containing email addresses and other credentials, the team concluded, “RockYou2024 can contribute to a cascade of data leaks, financial fraud, and identity theft.”
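The practical question for a defender is what the attacks described above look like in your own authentication logs. The following is an added example, not code from the original article or from Cybernews: a small detector run over a constructed set of login records. It flags a source that fails against many distinct accounts in a short window (password spraying, the natural use of a passwords-only list such as RockYou2024) and a source that hammers one account (brute force), and it separately marks a success that follows a flagged burst, since that is the event worth paging on. The log format, field names and thresholds are assumptions for the demo; adapt the regex and the numbers to your own source.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One attempt per line, a hypothetical
# format chosen for the demo: three sources, one spraying, one brute-forcing,
# one ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-07-05T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-07-05T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2024-07-05T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2024-07-05T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2024-07-05T10:00:06Z ip=203.0.113.7 user=frank result=SUCCESS
2024-07-05T10:00:07Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:00:08Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:00:09Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:00:10Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:00:11Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:00:12Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:05:00Z ip=192.0.2.44 user=grace result=FAIL
2024-07-05T10:05:30Z ip=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse(log_text):
    """Turn log lines into (timestamp, ip, user, result) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect(events, window=timedelta(minutes=5), spray_users=5, brute_attempts=5):
    """Return {ip: finding} for sources whose failures inside any sliding window
    reach spray_users distinct accounts (password spray) or brute_attempts on a
    single account (brute force). Thresholds are demo assumptions."""
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sort by timestamp first
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # advance the window start so fails[start:end+1] spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e[2]] += 1
            kinds = []
            if len(per_user) >= spray_users:
                kinds.append("password_spray")
            if max(per_user.values()) >= brute_attempts:
                kinds.append("brute_force")
            if kinds:
                f = findings.setdefault(
                    ip, {"kinds": set(), "failures": 0, "success_after_burst": False})
                f["kinds"].update(kinds)
                f["failures"] = max(f["failures"], end - start + 1)

    # A success from a flagged source after its last failure is the likely takeover.
    for ip, f in findings.items():
        last_fail = max(e[0] for e in by_ip[ip] if e[3] == "FAIL")
        f["success_after_burst"] = any(
            e[3] == "SUCCESS" and e[0] >= last_fail for e in by_ip[ip])
    return findings


if __name__ == "__main__":
    for ip, f in detect(parse(SAMPLE_LOG)).items():
        print(ip, sorted(f["kinds"]), "failures=%d" % f["failures"],
              "takeover_suspected=%s" % f["success_after_burst"])
```

The spray case is the one that matters for a list like this: an attacker tries a few of the most popular entries across thousands of accounts, so per-account lockout never triggers and only a per-source, cross-account view catches it. The brute-force case is what per-account lockout and rate limiting already handle; MFA is what makes the final success line harmless.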

Security experts reveal how worried you should be and what you need to do now

“I know this might sound weird, but what’s 1.5 billion extra passwords?” asked Daniel Card, a self-proclaimed Cyber Ninja Warrior and founder of security consultancy PwnDefend. And he’s right: Once such databases pass a tipping point in the number of unique passwords they hold, it makes little difference how many new ones are added, because the popular passwords that spraying attacks actually use are already in the list. “If we look at how people create passwords,” Card said, “is this going to change the world? Probably not. I don’t think it changes the capabilities of threat actors in any meaningful way.”


Other security experts agree with Card on this point. “As much as this compilation is a shock and a moment of awe, given how terrible the state of identity and access management controls is and how little protection this information offers,” said Ian Thornton-Trump, chief information security officer at threat intelligence firm Cyjax, “I think there comes a point where the amount of this aggregated data becomes almost useless due to its enormous size.” Thornton-Trump does, of course, concede that the leak is a bad thing; what is really bad, he says, is the lack of multi-factor authentication that still exists in organizations around the world. “Maybe we need to look at a regulation that enforces MFA for every login on a software-as-a-service platform?” he concludes.

What should you do in response to this huge leak of plaintext passwords? My advice is to take a hard look at yourself and your attitude towards login security. Jake Moore, global cybersecurity advisor at security vendor ESET, seems to agree. “There really is no excuse not to use unique passwords for each and every account, as data breaches unfortunately continue to occur and are on the rise,” Moore said. “Fortunately, password managers are easier than ever to use and implement in daily life. They also take care of the hard part of password generation and storing these complex codes securely,” Moore concluded.

In the meantime, don’t panic too much about RockYou2024. Go about your business while being as careful as possible about how passwords are generated, stored, and used. Install a password manager: 1Password and Proton Pass are good options, and Apple is adding a standalone Passwords app in the upcoming iOS 18 update. Oh, and turn on MFA wherever you can, preferring phishing-resistant methods such as passkeys or hardware security keys where a service offers them. You can use Cybernews’ Exposed Password Checker to find out whether any of your passwords appear in this latest RockYou database of stolen credentials.
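A breached-password check is also something a service can run on its own side, at signup and password change, rather than leaving it to each user. The following is an added example, not code from the article, from Cybernews or from any named checker (the page does not describe how the Exposed Password Checker works internally). It shows the k-anonymity range query popularised by Have I Been Pwned’s Pwned Passwords API: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the hash, receives every stored suffix under that prefix, and finishes the match locally, so neither the password nor its full hash ever leaves the client. The tiny corpus, the in-process server and the query logging are constructed for the demo; a real deployment would index the actual leaked-password file.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a leaked-password corpus (a handful of entries, not
# the real RockYou2024 file). Duplicates model a password seen in several breaches.
CONSTRUCTED_LEAKED = ["123456", "password", "rockyou", "qwerty",
                      "iloveyou", "123456", "password"]

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the hash the range scheme is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Server side: holds only hashes, bucketed by the first five hex characters,
    and answers a prefix query with 'SUFFIX:COUNT' lines. It learns the prefix
    and nothing else, which is the k-anonymity property."""

    def __init__(self, leaked):
        counts = Counter(sha1_hex(p) for p in leaked)
        self.index = {}
        for h, n in counts.items():
            self.index.setdefault(h[:5], []).append(f"{h[5:]}:{n}")
        self.seen_queries = []  # demo only: what the server could log

    def range(self, prefix: str) -> str:
        if len(prefix) != 5 or any(c not in HEX for c in prefix):
            raise ValueError("prefix must be exactly 5 uppercase hex characters")
        self.seen_queries.append(prefix)
        return "\n".join(self.index.get(prefix, []))


def check_password(server: RangeServer, password: str) -> int:
    """Client side: number of times the password appears in the corpus (0 = unseen).
    Only the 5-character prefix is sent; the suffix comparison happens here."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in server.range(prefix).splitlines():
        stored_suffix, count = line.split(":")
        if stored_suffix == suffix:
            return int(count)
    return 0


def password_policy_ok(server: RangeServer, password: str, min_len: int = 12) -> bool:
    """Accept a new password only if it is long enough and has never been seen leaked."""
    return len(password) >= min_len and check_password(server, password) == 0


if __name__ == "__main__":
    srv = RangeServer(CONSTRUCTED_LEAKED)
    for candidate in ["123456", "qwerty", "correct-horse-battery-staple-2024"]:
        print(candidate, "seen", check_password(srv, candidate), "times;",
              "accepted" if password_policy_ok(srv, candidate) else "rejected")
    print("server observed only prefixes:", srv.seen_queries)
```

Rejecting any password that appears in a breach corpus, regardless of how complex it looks, is the check NIST SP 800-63B asks verifiers to perform, and it is the one control that turns a list like RockYou2024 from an attacker’s dictionary into a defender’s blocklist. If you use a third-party checker instead, look for one that takes a hash prefix in this way rather than asking for the plaintext.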