“A treasure trove for adversaries”: 10 billion stolen passwords have been shared online in the biggest data leak of all time


A compilation of almost 10 billion passwords was posted to an underground hacking forum last week, which some researchers have described as the largest password leak ever.

On July 4, a forum user by the name of ‘ObamaCare’ posted a .txt file, titled ‘rockyou2024.txt’ containing 9,948,575,739 unique plaintext passwords, with security experts warning the file would be a gold mine for hackers.

Researchers from Cybernews cross-checked the passwords included in the file with their password checker and found it was a compilation of passwords exposed in a number of recent and older data breaches.

The file incorporates an earlier compilation known as rockyou2021, the previous record holder for the largest leaked password compilation, which contained 8.4 billion passwords.

This latest iteration is thought to contain information extracted from over 4,000 databases over more than two decades.

Simon Lawrence, co-founder and director at security consultancy i-confidential, said that although the cache may contain old passwords, they could still be used to great effect by potential attackers.

“While the passwords might have been compromised from breaches long past, the real threat is around password reuse, which means this vault of passwords could still provide significant value to adversaries,” he explained.

“Password reuse plagues organizations and almost all internet users will be guilty of it. But when passwords are reused, this provides more opportunity for criminals to launch multiple attacks through the theft of a single password.”

Lawrence detailed how threat actors can feed the information contained in databases like rockyou2024 into credential-stuffing attacks to compromise other corporate or personal accounts.

“When criminals steal one valid login, they will test it on other networks, whether corporate or personal, and in many cases this provides them with entry into further accounts, enabling them to steal money or sensitive information, or even execute huge ransomware attacks. Just look at the recent attack on Change Healthcare for proof. Very few organizations realize the true power of the password until it’s too late.”
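The credential-stuffing pattern Lawrence describes has a recognisable shape in authentication logs: one source walks through many distinct usernames, typically one guess per username taken from a leaked list, with a low success rate. The following detector is an added example, not code from the article or from i-confidential; the log format, the thresholds and the log lines themselves are constructed for illustration.

```python
"""Flag credential-stuffing patterns in an authentication log.

Added example, not code from the article or from i-confidential.
The log format and the thresholds below are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not real data). 203.0.113.7 cycles through many
# distinct usernames with mostly failures, the signature of replaying a
# leaked username/password list; the other sources are ordinary users.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-07-05T10:00:01Z src=203.0.113.7 user=bob result=FAIL
2024-07-05T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2024-07-05T10:00:02Z src=203.0.113.7 user=dave result=SUCCESS
2024-07-05T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2024-07-05T10:00:03Z src=203.0.113.7 user=frank result=FAIL
2024-07-05T10:00:04Z src=203.0.113.7 user=grace result=FAIL
2024-07-05T10:00:05Z src=198.51.100.20 user=alice result=FAIL
2024-07-05T10:00:09Z src=198.51.100.20 user=alice result=SUCCESS
2024-07-05T10:00:12Z src=192.0.2.44 user=heidi result=SUCCESS
"""

# Assumed key=value line format; malformed lines are skipped, not fatal.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)


@dataclass
class SourceStats:
    users: set = field(default_factory=set)       # distinct usernames tried
    attempts: int = 0
    failures: int = 0
    successes: set = field(default_factory=set)   # usernames that logged in


def parse_log(text):
    """Yield (src, user, succeeded) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["user"], m["result"] == "SUCCESS"


def detect_stuffing(text, min_distinct_users=5, max_success_rate=0.5):
    """Return {src: stats} for sources that look like credential stuffing.

    Stuffing differs from brute force: many *usernames* per source, few
    attempts per username, and a low overall success rate. Any username
    that did succeed from a flagged source is reported as likely reused
    (and therefore compromised) so it can be reset and MFA-challenged.
    """
    stats = defaultdict(SourceStats)
    for src, user, ok in parse_log(text):
        s = stats[src]
        s.users.add(user)
        s.attempts += 1
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1

    alerts = {}
    for src, s in stats.items():
        success_rate = 1 - s.failures / s.attempts
        attempts_per_user = s.attempts / len(s.users)
        if (len(s.users) >= min_distinct_users
                and success_rate <= max_success_rate
                and attempts_per_user < 3):        # one-shot guesses, not brute force
            alerts[src] = {
                "distinct_users": len(s.users),
                "attempts": s.attempts,
                "failures": s.failures,
                "compromised": sorted(s.successes),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

In production the same logic runs over a sliding time window and keys on more than the source address (stuffing tools rotate through proxies), but the core signal is the same: breadth across usernames, not depth against one account. The "compromised" list is the actionable output, since a success inside a stuffing burst almost certainly means that user reused a password present in a leak like rockyou2024.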

Second gargantuan password leak of 2024

Rockyou2024 is the second major trove of credentials to be leaked online this year, after a staggering 26-billion-record data leak was released by an unknown source in January.

The incident, referred to as the ‘mother of all breaches’, contained records from historic breaches of major platforms such as LinkedIn, Dropbox, Deezer, Tencent, Twitter, and more.

The scale of the leak saw experts urge individuals and businesses alike to reassess their policies around password reuse and multifactor authentication (MFA).

Similarly, Lawrence said organizations will need to take the same precautions in response to rockyou2024.


Prevent identity-based attacks

“Despite this huge trove of passwords being available online, there are still ways organizations can protect themselves,” he noted.

“Firstly, educate employees on the dangers of password reuse. Teach them that using the same password across multiple accounts makes it easier for criminals to harm them both personally and professionally.”

Single sign-on (SSO) tools are another way businesses can help staff who would otherwise have to manage multiple hard-to-remember passwords.

“Organizations can also use single sign-on tools, which remove the need for employees to manage multiple passwords, as this can also clamp down on password reuse,” he advised.

“Additionally, it is also vital to use MFA on all enterprise accounts. When organizations do this, it bolsters their security and means this trove of passwords will only provide half the keys required to access their networks, which significantly devalues the data for adversaries.”
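The practical counterpart to the advice above, and to the kind of check Cybernews ran against the file, is screening new or reset passwords against a leaked compilation so that a password already in rockyou2024 is never accepted. The code below is an added example, not the Cybernews checker or any code from the article: it builds a hash-prefix index from a tiny constructed stand-in for the leaked list and answers queries in the k-anonymity style used by Have I Been Pwned's Pwned Passwords range API (the client sends only the first 5 hex characters of the SHA-1 and compares suffixes locally), reimplemented here offline rather than calling any service.

```python
"""Screen candidate passwords against a leaked-password compilation.

Added example, not the Cybernews checker or code from the article.
LEAKED_SAMPLE is a constructed stand-in for a file such as rockyou2024.txt.
"""
import hashlib

# Constructed stand-in for a leaked plaintext list (one entry per line in
# the real file). A real rockyou-style file is streamed, not held in memory.
LEAKED_SAMPLE = [
    "123456", "password", "qwerty", "iloveyou",
    "rockyou", "Summer2024!", "letmein",
]

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest the range scheme is defined over."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Server side: {5-hex prefix: {35-hex suffix: times seen}}.

    Counting occurrences matters for merged compilations like rockyou2024,
    where the same password shows up across many source breaches.
    """
    index = {}
    for pw in leaked:
        h = sha1_hex(pw.rstrip("\r\n"))
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


def range_query(index, prefix):
    """What the server returns for a prefix: every suffix in that bucket.

    The client never sends the password or its full hash, so the server
    learns only that the password is one of the ~2^20 sharing the prefix.
    """
    if len(prefix) != 5 or not set(prefix) <= HEX:
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return dict(index.get(prefix, {}))


def times_seen(index, password):
    """Client side: hash locally, query the prefix, match the suffix locally."""
    h = sha1_hex(password)
    return range_query(index, h[:5]).get(h[5:], 0)


def acceptable(index, password, min_len=12):
    """Policy hook for a password-set or reset flow: reject anything leaked."""
    return len(password) >= min_len and times_seen(index, password) == 0


if __name__ == "__main__":
    idx = build_range_index(LEAKED_SAMPLE)
    for candidate in ["Summer2024!", "correct horse battery staple"]:
        print(candidate, "seen", times_seen(idx, candidate), "times;",
              "accepted" if acceptable(idx, candidate) else "rejected")
```

For a file the size of rockyou2024 the index would be a sorted hash file or a Bloom filter on disk rather than a Python dict, but the query shape is identical. Screening at password-set time closes the reuse gap Lawrence describes before a stuffing attack can exploit it; MFA then covers the accounts whose passwords slipped through.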

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.