Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
So much larger than life—a big time forum leak on July 4 exposed some 10 billion passwords.
Called RockYou2024 after the rockyou2024.txt document a user posted to a popular hacking forum, the leak presents a threat to security around the world, according to Cybernews researchers.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world,” the researchers said. “Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks.”
So much larger than life. The scale of the leak is enormous. It’s believed to be the largest password compilation breach ever. Users on reddit forums like r/hacking posted that the full document, once unzipped, is a staggering 145GB. Three years ago, the RockYou2021 leak exposed 8.4 billion passwords.
“Combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” the Cybernews team said.
Make it show. But some analysts also cautioned that the data might not be as useful to threat actors as feared.
“The dataset is too large to be of any realistic use as part of any effort to crack a given hash—it’s simply too much low-quality data to successfully use in attacks—and the value of the data is negligible compared to good prepared wordlists and rulesets in the hands of a capable actor,” Darren James, Specops Software senior product manager, told Dark Reading.
On Mastodon, researcher Royce Williams claimed that only 190 million of the strings were useful—a large number but far fewer than 10 billion.
“If you’re a pentester or other ‘normal’ password cracker, you can probably just skip RockYou2024,” Williams wrote. “It’s only going to be useful if you’re a completionist who’s trying to crack other mashups.”
A big noise. Given the scope of the leak and the potential threats to user accounts, Cybernews researchers recommended resetting all passwords, enabling multi-factor authentication, and using password manager software.
“These days there is no excuse for not using a unique password for every account—especially as data breaches continue to increase,” ESET global cybersecurity advisor Jake Moore told TechRepublic. “Criminals can exploit known credentials across multiple accounts and many people using the same password across different sites are at risk of being compromised.”