A user on a notorious hacking forum known for trading data among cybercriminals has allegedly uploaded the largest compilation of stolen or leaked passwords in history, containing a staggering 9,948,575,739 unique credentials.
First reported by online cybersecurity publication Cybernews, the database originally surfaced on July 4 and was posted by a user under the handle "ObamaCare".
The password database was uploaded in a plain text file named rockyou2024.txt and is referred to as RockYou2024.
Following an investigation by Cybernews researchers, the database was found to consist of a mix of data from old breaches and more recent incidents.
They claim that RockYou2024 builds on a prior leak from 2021, known as RockYou2021, which was the largest leaked database of passwords at the time with 8.4 billion credentials. The latest database adds 1.5 billion additional passwords to the total.
Cybernews believes that RockYou2021 was an extension of an even older password database from 2009.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” Cybernews researchers say.
Credential stuffing is a brute force cyberattack method where cybercriminals use databases of passwords to guess login details, since passwords may remain unchanged and be shared across multiple accounts.
Best security practices include not using the same passwords on multiple platforms and enabling multi-factor authentication to protect online accounts. Additionally, keep your software up-to-date and be cautious of phishing attempts.