Researchers claim they have discovered the largest password cache ever, containing 9,948,575,739 unique plaintext passwords.
The file, named ‘rockyou2024.txt’, contains passwords stolen in a combination of old and new attacks, making it a dream for brute force attackers.
“In essence, the RockYou2024 leak is a compilation of real passwords used by individuals around the world. Revealing that many passwords are shared by threat actors significantly increases the risk of credential stuffing attacks,” Cyber News researchers say.
A treasure trove for brute force and credential stuffing
The .txt file was posted on July 4 by a user with the username “ObamaCare,” who has been sharing leaked passwords from various sources since registering in May 2024.
Speaking about the potential dangers of the password leak, the research team said: “Threat actors could abuse the RockYou2024 password compilation to perform brute-force attacks and gain unauthorized access to various online accounts used by individuals using passwords included in the dataset.”
The passwords are compiled from a number of data breaches that occurred over a period of two decades. Between 2021 and 2024, 1.5 billion passwords were added to the file.
Brute force is an attack technique in which an attacker tries combinations of usernames and passwords against an account until one succeeds. By automating the process, an attacker can easily try millions of passwords. A system that is not protected against brute force attacks (for example with rate limiting, lockout or multi-factor authentication) can quickly fall to an attacker armed with this password database.
The file is also extremely useful to an attacker using a technique called credential stuffing, in which passwords already stolen from one service are replayed against accounts on others. Using a database of stolen passwords, particularly those stolen from the target organization, an attacker has a much greater chance of successfully breaking into a user account. Both online and offline services are at risk, as are internet cameras and industrial hardware, the report said.
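The two attack patterns described above leave different fingerprints in authentication logs: brute force hammers one account with many guesses, while credential stuffing sprays many accounts with one or two guesses each. The following detection logic is an added example and not part of the original article or of the researchers' report; the log line format ("<timestamp> OK|FAIL user=<name> ip=<addr>"), the thresholds and the sample lines are all assumptions constructed for illustration.

```python
"""Classify bursts of failed logins in constructed auth log lines as either
brute force (many failures against one account from one source) or
credential stuffing (one source failing against many distinct accounts).
Added example; the log format and thresholds are assumptions, not a real
product's format."""
import re
from collections import defaultdict

# Constructed sample log (assumed format). Addresses are from the RFC 5737
# documentation ranges and do not belong to any real host.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z FAIL user=alice ip=203.0.113.7
2024-07-05T10:00:02Z FAIL user=alice ip=203.0.113.7
2024-07-05T10:00:03Z FAIL user=alice ip=203.0.113.7
2024-07-05T10:00:04Z FAIL user=alice ip=203.0.113.7
2024-07-05T10:00:05Z FAIL user=alice ip=203.0.113.7
2024-07-05T10:00:06Z FAIL user=alice ip=203.0.113.7
2024-07-05T10:00:07Z FAIL user=bob ip=198.51.100.9
2024-07-05T10:00:08Z FAIL user=carol ip=198.51.100.9
2024-07-05T10:00:09Z FAIL user=dave ip=198.51.100.9
2024-07-05T10:00:10Z FAIL user=erin ip=198.51.100.9
2024-07-05T10:00:11Z FAIL user=frank ip=198.51.100.9
2024-07-05T10:00:12Z FAIL user=grace ip=198.51.100.9
2024-07-05T10:00:13Z FAIL user=heidi ip=192.0.2.10
2024-07-05T10:00:14Z FAIL user=heidi ip=192.0.2.10
2024-07-05T10:00:15Z OK user=heidi ip=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(log_text):
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events, fail_threshold=5, spread_ratio=0.8):
    """Return {ip: label} for source IPs with at least fail_threshold failures.

    brute_force         - all failures target a single account
    credential_stuffing - failures spread across many distinct accounts
                          (distinct accounts / failures >= spread_ratio)
    suspicious          - heavy failure volume that fits neither shape cleanly
    """
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e["user"])

    findings = {}
    for ip, users in fails_by_ip.items():
        n = len(users)
        if n < fail_threshold:
            continue  # a user mistyping a password twice is normal
        distinct = len(set(users))
        if distinct == 1:
            findings[ip] = "brute_force"
        elif distinct / n >= spread_ratio:
            findings[ip] = "credential_stuffing"
        else:
            findings[ip] = "suspicious"
    return findings


def targeted_accounts(events, min_sources=3):
    """Accounts failing from many distinct IPs: a distributed attack on one
    user that per-IP thresholds alone would miss."""
    ips_by_user = defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            ips_by_user[e["user"]].add(e["ip"])
    return {u: len(ips) for u, ips in ips_by_user.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, label in sorted(classify(evs).items()):
        print(f"{ip:15} {label}")
    print("accounts hit from many sources:", targeted_accounts(evs))
```

The per-IP view catches the single-source cases in the sample; the per-account view exists because attackers with a proxy pool spread one account's guesses over many addresses, and a defender needs both cuts of the same data. Real deployments would bucket by time window and feed the labels into lockout or step-up authentication rather than just printing them.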
“Furthermore, RockYou2024, in combination with other leaked databases on hacker forums and marketplaces, containing for example user email addresses and other login credentials, could contribute to a flood of data breaches, financial fraud and identity theft,” the research team said.
To protect yourself or your organization from a potential attack using this file of roughly 10 billion credentials, the researchers recommend implementing mitigation strategies (resetting passwords that appear in the compilation, using unique passwords per service with a password manager, and enabling multi-factor authentication) and checking your credentials with the Leaked Password Checker.
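One mitigation a service can apply on its own side is to refuse any new or reset password that appears in a leaked compilation. The block below is an added example, not the Leaked Password Checker mentioned above and not code from the researchers; it indexes a small constructed stand-in list (not the real file) by SHA-1 hash prefix so that a lookup client only ever reveals the first five hex characters of its hash, the same k-anonymity idea used by public compromised-password lookup services, and applies that check inside a password-acceptance policy.

```python
"""Reject passwords that appear in a leaked-password compilation.
Added example. CONSTRUCTED_LEAKED_PASSWORDS is a tiny constructed stand-in
for a real compilation; the prefix-bucket index is an assumed design, not
any specific vendor's API."""
import hashlib

# Constructed stand-in for a leaked-password list (a few well-known weak
# entries). A real deployment would index the whole compilation once.
CONSTRUCTED_LEAKED_PASSWORDS = [
    "123456", "password", "rockyou", "qwerty", "letmein", "iloveyou",
]


def sha1_hex(password):
    """Upper-case SHA-1 hex digest; SHA-1 is fine as a lookup key here
    (it is not being used to store the service's own credentials)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_hash_index(passwords):
    """Map 5-hex-char prefix -> set of 35-hex-char suffixes.
    Only hashes are kept, so the index never holds plaintext passwords."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def suffixes_for_prefix(prefix, index):
    """Server side of a k-anonymity lookup: given only a 5-char prefix,
    return every known suffix in that bucket. The server cannot tell
    which password the client is checking."""
    return set(index.get(prefix.upper(), set()))


def is_compromised(password, index):
    """Client side: hash locally, send the prefix, match the suffix at home."""
    h = sha1_hex(password)
    return h[5:] in suffixes_for_prefix(h[:5], index)


def check_new_password(password, index, min_length=12):
    """Password-acceptance policy: returns (accepted, reason).
    Length is checked first so the hash index is only consulted for
    candidates that could otherwise be accepted."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_compromised(password, index):
        return False, "appears in a leaked-password compilation"
    return True, "ok"


if __name__ == "__main__":
    idx = build_hash_index(CONSTRUCTED_LEAKED_PASSWORDS)
    for candidate in ["password", "correct horse battery staple"]:
        print(candidate, "->", check_new_password(candidate, idx))
```

Because the policy returns a reason rather than raising, the same function serves both the registration form and a bulk audit of existing accounts after a leak like this one; the audit variant would loop over stored password hashes only if the service kept them in a form that allows comparison, which a properly salted store does not, so in practice the check runs at login or reset time when the plaintext is briefly available.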