Largest data dump of passwords ever hit the internet on July 4th - The UpStream


posted Sunday Jul 7, 2024 by Scott Ertz

In a staggering revelation, researchers at Cybernews have uncovered what they're calling the largest password compilation ever. The file, titled rockyou2024.txt and released on the Fourth of July, emerged on a popular hacking forum, posted by a user known as ObamaCare. Within this file lies a mind-boggling 9,948,575,739 unique plaintext passwords. Plaintext means the passwords are stored with no hashing or encryption, so anyone who has the file can read them directly. This collection is the largest database of passwords ever released, making this an unprecedented attack on public safety and security.

What is RockYou2024?

The RockYou2024 file is a mix of old and new data breaches, spanning over two decades. While it's not necessarily a recent breach, its sheer size substantially heightens the risk of credential-stuffing attacks. Credential stuffing occurs when hackers use passwords obtained from one breach to infiltrate unrelated services. For instance, a password from an old AT&T breach might be tested against your bank account.

The base of the leak is actually RockYou2021, the compilation released several years ago. That database contained around 8.4 billion passwords, also in clear text, so RockYou2024 adds only about 1.6 billion new passwords. It also includes data from other password leaks over the past 3 years. So, very little of what we see is actually new, but it does provide a lot of data in one place. However, some of the data came from in-house cracking using an NVIDIA GeForce RTX 4090 graphics card rather than from a prior breach.

What does this data provide?

While a bare database of passwords might appear close to useless, there is actually a lot of value in the collection. This database can be used as the basis for a credential-stuffing attack (sometimes called password stuffing). This style of attack uses a collection of known passwords as the core of an attempt to access an account.

Since usernames are so often email addresses, and email addresses are usually public, the only half of the credential pair an attacker still needs is the password. Combining a known email address with a collection of passwords known to have been used by real people makes finding a matching combination far easier than guessing from scratch.

What should you do next?

Before you panic, check and see if your password has been compromised. The same security group that discovered the leak offers a Password Leak Checker. You can enter your password and it will check if it exists in any of the known data leak collections. If you discover that your password has been released in one of the many data leaks tracked by Cybernews, you should change it immediately. If you do not find it, for the time being, you are safe. However, you should still be using secure password strategies.
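The check described above can also be built into your own signup or password-change flow so that passwords from leaked lists are refused before they are ever set. The following is an added example, not Cybernews' checker or the site's own code; the leak list is a constructed five-entry stand-in for a RockYou-style plaintext file, and the prefix-range lookup is the widely used k-anonymity scheme (hash locally, send only the first five hex characters of the SHA-1, match the suffix on the client), which is an assumption about a sensible design rather than a description of how the Cybernews tool works internally.

```python
"""Check a candidate password against a leaked-password list without handing
the full password (or its full hash) to the service doing the checking."""
import hashlib
from collections import defaultdict

# Constructed sample of a plaintext leak file, one password per line
# (a real RockYou-style list would be billions of lines).
LEAK_SAMPLE = """123456
password
iloveyou
rockyou
princess
""".splitlines()


def build_index(passwords):
    """Map each 5-hex-char SHA-1 prefix to the set of 35-char suffixes behind it."""
    index = defaultdict(set)
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index[digest[:5]].add(digest[5:])
    return index


def range_lookup(index, prefix):
    """Service side: return every suffix sharing the prefix. The service never
    learns which (if any) of them the client actually holds (k-anonymity)."""
    return sorted(index.get(prefix.upper(), set()))


def is_compromised(password, index):
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(index, prefix)


if __name__ == "__main__":
    idx = build_index(LEAK_SAMPLE)
    for candidate in ("password", "correct horse battery staple"):
        verdict = "COMPROMISED, reject it" if is_compromised(candidate, idx) else "not in list"
        print(f"{candidate!r}: {verdict}")
```

A password that is absent from the list is not proof of strength; treat the check as a floor (reject known-leaked values) and still enforce length and MFA.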

Some security experts recommend that you avoid reusing passwords between services. Others suggest a hierarchy of passwords - one for unimportant services, one for mid-tier services, and one for the services you need to keep most secure. In addition, for any service that offers multi-factor authentication, you should be using it. Ideally, you should use a physical MFA device like a YubiKey. If you can't use that, you should use an authenticator app that generates one-time codes, such as Microsoft Authenticator or Google Authenticator.
