A record-breaking collection of stolen passwords has been uploaded to a well-known crime forum, posing significant security threats worldwide. The database, named RockYou2024, contains nearly 10 billion unique passwords, according to cybersecurity researchers. The hacker, operating under the pseudonym 'ObamaCare', allegedly gathered these passwords from numerous data breaches and hacks over several years.

RockYou2024: The largest compilation of stolen passwords

Security experts from Cybernews reported the discovery of the RockYou2024 password database on the BreachForums criminal underground forum. The database includes 9.95 billion unique passwords in plaintext format. This compilation builds upon the RockYou2021 database, which contained 8.4 billion passwords, and adds approximately 1.5 billion new entries from 2021 to 2024. The latest file is said to contain passwords from 4,000 significant databases of stolen credentials, covering over two decades.

The researchers from Cybernews explained that the RockYou2024 leak is a compilation of real-world passwords used by individuals worldwide, significantly increasing the risk of credential stuffing attacks.

Questions about the integrity of RockYou2024

Despite the vast volume of the RockYou2024 leak, some cybersecurity experts have raised concerns about the data's integrity. Some researchers suggest that much of the data may be of little use to cybercriminals. In response, Cybernews stated that their researchers had verified around 30 GB of the data and found a 100% match with part of the RockYou dataset. However, they did not thoroughly investigate all the datasets.

Cybernews clarified that their aim is to inform the public about potential risks, not to provide the dataset to threat actors.

Implications of the RockYou2024 leak

Credential stuffing attacks, where hackers use stolen credentials to gain unauthorised access to accounts, are a common and effective method for cybercriminals. The RockYou2024 database could enable such attacks on a massive scale, targeting various online services, internet-facing cameras, and even industrial hardware. Combined with other leaked databases containing email addresses and other credentials, RockYou2024 could lead to widespread data breaches, financial fraud, and identity theft.

Expert opinions and recommended actions

Despite the alarming size of the RockYou2024 leak, some security experts downplayed its impact. Daniel Card, founder of the PwnDefend security consultancy, told Forbes that the additional passwords would not significantly change threat actors' capabilities. Jake Moore, global cybersecurity advisor for ESET, advised using password managers to generate and securely store complex passwords. Others suggested that the vast size of the aggregated data might render it less useful.

Experts recommend using unique passwords for every account and employing multi-factor authentication (MFA) to enhance security.


