Almost 10 billion passwords leaked in biggest password leak in history

Molly Magennis
7NEWS
Here's how you can protect yourself.

Almost 10 billion passwords have been leaked in what some are calling the biggest password leak in history.

The leak was first discovered by researchers at Cybernews, who said the file containing the data, called rockyou2024.txt, was posted online on a popular hacking forum on July 4.

The password compilation was posted by someone with the username ObamaCare, who Cybernews said had previously leaked confidential data online.

This includes an employee database from the international law firm Simmons & Simmons as well as student applications for a university in New Jersey.

Cybernews said the leak appeared to be the largest of its kind.

The leaked passwords came from a mix of old and new data breaches, building on a compilation of 8.4 billion passwords leaked in 2021.

It was aptly named RockYou2021.

“Attackers developed the dataset by scouring the internet for data leaks, adding another 1.5 billion passwords from 2021 through to 2024 and increasing the dataset by 15 per cent,” Cybernews said.

RockYou2021 itself was an expansion of a data breach from 2009, which included millions of passwords for social media accounts.

“Most likely, the latest RockYou iteration contains information collected from over 4,000 databases over more than two decades,” Cybernews said.

Its researchers believe the passwords may be used to target not only online platforms, but also internet-facing cameras and industrial hardware.

The sheer number of passwords that have been exposed could result in a “cascade of data breaches, financial frauds, and identity thefts”.

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world,” Cybernews researchers said.

“Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks.”

Those who want to check if they have been impacted by the leak can use Cybernews’ Leaked Password Checker.

Computer security software company McAfee said users worried about the leak can take a number of steps to protect themselves from potential fraud or identity theft.

These include:

  • Updating the password on each of your accounts to a strong and unique one. McAfee recommends using a password manager to store them securely.
  • Enabling two-factor authentication.
  • Monitoring bank and credit card statements for any suspicious or unauthorised transactions.
  • Staying vigilant about phishing emails, calls, or texts. Hackers use these methods to trick people into revealing sensitive information.
