10 Billion Passwords Leaked on Hacking Forum


Nearly 10 billion unique passwords have been leaked on a cybercrime forum, putting online users across the world at risk of account compromise, according to a Cybernews investigation.

The researchers discovered the leak of 9.94 billion plaintext passwords, described as the largest password compilation of all time, which was posted on a popular hacking forum by a user named ‘ObamaCare’ on July 4.

This user, who only registered on the forum in late May 2024, has previously shared sensitive information obtained from breaches.

The file containing the data is titled ‘rockyou2024’ and contains passwords from a mix of old and new data breaches.

The attackers have essentially expanded a previous password compilation from 2021, titled RockYou2021, built from online data leaks.

The RockYou2021 file, also discovered by Cybernews, contained 8.4 billion passwords. The new dataset expands this list with another 1.5 billion passwords added from 2021-2024, an increase of 15%.

The researchers believe the latest RockYou iteration contains information collected from over 4000 databases over more than two decades.

In January 2024, Cybernews discovered a 12TB database of 26 billion records exposed online from previous breaches.

Internet Users at Risk of Credential Stuffing Attacks

The researchers warned that the publicly available compilation puts affected users at risk of brute-force attacks, such as credential stuffing.

“Combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds and identity thefts,” the researchers said.

In October 2023, DNA testing firm 23andMe was hit by a credential stuffing campaign that impacted almost 7 million users. The company subsequently accused certain users of “negligently” recycling and failing to update their passwords.

Experts criticized 23andMe’s stance, pointing out it should have made multi-factor authentication (MFA) compulsory for all user accounts.
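The two defensive controls implied above, spotting a credential-stuffing run in authentication logs and refusing passwords that already appear in a leaked compilation, are shown below as an added example. This script is not part of the Cybernews research or of this article; the log lines, the source addresses (taken from the RFC 5737 documentation ranges), the detection thresholds and the tiny "leaked password" list are all constructed for the illustration, and the hash-prefix lookup mirrors the k-anonymity range-query idea rather than any specific vendor API.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 198.51.100.7 is an ordinary user who mistypes once; 203.0.113.9 cycles
# through many different accounts in a few seconds, which is the shape of
# a credential-stuffing run driven by a compilation such as rockyou2024.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z auth login_failed user=alice src=198.51.100.7
2024-07-05T10:00:09Z auth login_ok user=alice src=198.51.100.7
2024-07-05T10:01:00Z auth login_failed user=bob src=203.0.113.9
2024-07-05T10:01:01Z auth login_failed user=carol src=203.0.113.9
2024-07-05T10:01:02Z auth login_failed user=dave src=203.0.113.9
2024-07-05T10:01:03Z auth login_ok user=erin src=203.0.113.9
2024-07-05T10:01:04Z auth login_failed user=frank src=203.0.113.9
2024-07-05T10:01:05Z auth login_failed user=grace src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>login_ok|login_failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, event, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in other formats rather than crash on them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["user"], m["src"]))
    return events


def detect_credential_stuffing(events, window=timedelta(seconds=60), min_users=5):
    """Return {src: [users]} for sources that try >= min_users distinct accounts
    within one sliding window. One account failing repeatedly is a forgotten
    password; one source spraying many accounts is credential stuffing.
    Successful logins count too: a run that hits a reused password succeeds."""
    by_src = defaultdict(list)
    for ts, _event, user, src in sorted(events):
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users and len(users) > len(flagged.get(src, [])):
                flagged[src] = sorted(users)  # keep the widest spread seen
    return flagged


# Constructed stand-in for a leaked-password compilation. Only SHA-1 digests are
# kept, sharded by their first five hex characters, so a lookup service would
# learn the prefix only, never the candidate password (k-anonymity range query).
LEAKED_PASSWORDS = ["123456", "password", "qwerty", "iloveyou"]


def build_prefix_index(passwords):
    index = defaultdict(set)
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


def password_is_leaked(password, index):
    """True if the candidate password's hash suffix appears under its prefix shard."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in index.get(digest[:5], set())


if __name__ == "__main__":
    suspicious = detect_credential_stuffing(parse_auth_log(SAMPLE_LOG))
    for src, users in suspicious.items():
        print(f"possible credential stuffing from {src}: {len(users)} accounts {users}")
    idx = build_prefix_index(LEAKED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "-> leaked" if password_is_leaked(candidate, idx) else "-> not in list")
```

In a real deployment the prefix index would be built from the full compilation (or queried from a range-lookup service), and the stuffing detector would feed a rate limiter or step-up MFA challenge for the flagged source rather than only printing it.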
