10 billion passwords compromised in largest leak of all time — what you need to know
The real mother of all breaches?
In what is being referred to as one of the largest and most significant data leaks to date, July 4 bore witness to the release of a massive data dump containing nearly 10 billion unique passwords.
The data was posted on a leading hacking forum by a threat actor using the pseudonym "ObamaCare," with the list itself being dubbed "RockYou2024," an updated compilation of passwords that builds upon the "RockYou2021" document, which contained information relating to over eight billion accounts.
The original "RockYou.txt" data breach occurred in 2009 when the now defunct social application site RockYou was hacked, resulting in the release of 32 million user accounts onto the net. Since then, the original list has been expanded with data from further breaches, reportedly making it one of the largest known repositories of stolen passwords of all time.
With exactly 9,948,575,739 unique passwords freely available to all in plain text format, the publication of this list is a threat to netizens and a call to action on checking the security of accounts old and new.
RockYou2024: How serious is it?
Speaking in a blog post published yesterday, Pieter Arntz of Malwarebytes highlights the threat posed by the updated RockYou document, stating: "The list has some value because it contains real-world passwords."
Arntz continues, "This means if an attacker tried this list of passwords to try to break into an account (known as a brute force attack) they’s be more likely to get in than just trying a list of any old letters and words [sic]."
While a list of ten billion real-world passwords poses a serious threat to some users, it by no means suggests that ten billion users are now at direct risk. The list, while enormous in size, is only half of the information required to access an account.
The contents of RockYou2024 will serve threat actors hoping to purposefully target individual accounts by allowing them to check each password from the breach by trial and error, though most websites would never tolerate brute force attempts at the scale the RockYou2024 list would require.
That's not to say that there's no threat at all, however. The data contained within the ten billion-strong list still has plenty of application in pass-the-hash attacks and the offline cracking of stolen password databases.
RockYou2024: Some have their doubts
While the breach is considerable in size, and a genuine threat to many, Malwarebytes' Arntz points out that those who "Don’t reuse passwords and never use 'simple' passwords, like single words" probably have little to worry about.
However, Arntz also wisely insists that people take the necessary safety precaution of enabling multi-factor authentication (MFA) on every account that supports it, to protect against unwanted intrusions.
Elsewhere on the internet, security researchers are questioning the content of RockYou2024, claiming that much of what was added to the list is junk: uncracked password hashes, random company names and other non-password data, including over one billion lines longer than 32 characters, which suggests they may not be passwords at all.
I'm calling it: The rockyou2024 release is garbage. File starts with lots of 0x00, and a quick run of strings shows that there are lots of hashed passwords in there (like from /etc/passwd). Also random company names and other stuff. I highly doubt it brings any real value/threat. pic.twitter.com/3maM7BoLOS (July 5, 2024)
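The kind of quick triage the tweet describes, written here as an added example rather than anything from the article or the researcher quoted: each line of a wordlist is labelled by the sort of junk it resembles (NUL padding, hex digests, crypt-style hashes, over-long lines, multi-word names) so an analyst can see how much of a "password list" is actually passwords. The sample lines are constructed, not taken from the real file.

```python
import re
from collections import Counter

# Constructed sample in the shape the tweet describes: real-looking passwords
# mixed with NUL padding, hex digests, a shadow-style record, a company name
# and an over-long line. None of this comes from the actual RockYou2024 file.
SAMPLE_LINES = [
    "password",
    "iloveyou",
    "\x00\x00\x00\x00",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",   # 40 hex chars, SHA-1-sized
    "5f4dcc3b5aa765d61d8327deb882cf99",           # 32 hex chars, MD5-sized
    "root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG:19000:0:99999:7:::",
    "Acme Widgets Ltd",
    "x" * 40,
]

HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
CRYPT_HASH = re.compile(r"\$(?:1|2[aby]?|5|6|y)\$")   # $1$, $2b$, $5$, $6$, $y$ prefixes
MAX_PLAUSIBLE_LEN = 32   # the article's own cutoff for "probably not a password"


def classify(line: str) -> str:
    """Label one wordlist line with the kind of content it looks like."""
    if "\x00" in line:
        return "nul_bytes"
    if HEX_DIGEST.match(line):
        return "hex_digest"
    if CRYPT_HASH.search(line):
        return "crypt_hash"
    if len(line) > MAX_PLAUSIBLE_LEN:
        return "too_long"
    if len(line.split()) >= 3:
        return "multi_word"   # e.g. a company name pasted into the list
    return "plausible_password"


def triage(lines) -> dict:
    """Count each category over an iterable of lines. For a real file, open it
    with errors='replace' so undecodable bytes do not abort the scan."""
    return dict(Counter(classify(l.rstrip("\r\n")) for l in lines))


if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```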
How to check if your information was leaked
Despite reassurances from various in-the-know voices, data breaches like RockYou2024 are a notable threat to be aware of. While it may not be the most dangerous breach in recent history, it's a considerable example of how much stolen data is out there on the internet waiting to be misused.
It's estimated that there are over 24 billion stolen credentials to be found online and circulating the dark web, with lists being traded daily containing millions or more combinations of in-use and active user accounts.
With that in mind, and with the release of compilations like the updated RockYou list, it is better to be safe than sorry: check whether your information is secure using one of several free and trusted online services that can tell you whether your password is safe or whether any of your accounts have appeared in earlier breaches.
One trusted site we can recommend is HaveIBeenPwned.com, one of the largest and most reliable repositories of stolen accounts and data breaches online. Here you can search by email to see if any of your accounts have appeared in breaches, and the site's Pwned Passwords search lets you know if the password you're using at present has turned up in lists like RockYou2024 circulating online.
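How a Pwned Passwords check can be done without ever sending the password itself, as an added example that is not the article's or Have I Been Pwned's own code: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint, and matches the remaining 35 characters locally against the returned "SUFFIX:COUNT" lines. The sample range reply below is constructed, and its counts are made up.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    goes to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range reply ("SUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, or 0 if the suffix is absent or padded with 0."""
    for line in range_body.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix and found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (network call; the demo below stays offline).
    Add-Padding makes every reply a similar size so the count cannot be
    inferred from response length; padded entries carry a count of 0."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the reply to prefix 5BAA6 (the SHA-1 of "password"
# begins 5BAA6). Real replies hold hundreds of suffixes; these counts are invented.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
0FD03B4F8BF4EE2E99DCE6FA93B0B3E5F9E:0
"""

if __name__ == "__main__":
    n = times_pwned("password", fetch=lambda p: SAMPLE_RANGE_5BAA6)
    print("'password' seen", n, "times in the constructed sample")
```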
Check out the following article about staying safe against data breaches and checking to see if your email or password has been stolen for more information about HaveIBeenPwned and similar services.
Rael Hornby, potentially influenced by far too many LucasArts titles at an early age, once thought he’d grow up to be a mighty pirate. However, after several interventions with close friends and family members, you’re now much more likely to see his name attached to the bylines of tech articles. While not maintaining a double life as an aspiring writer by day and indie game dev by night, you’ll find him sat in a corner somewhere muttering to himself about microtransactions or hunting down promising indie games on Twitter.