Researchers at Cybernews have uncovered a massive trove of nearly 10 billion passwords on a popular hacking forum in what they’re calling the “largest password compilation” ever.
The file, titled rockyou2024.txt, was posted on July 4 by someone using the alias ObamaCare and contains an astonishing 9,948,575,739 unique plaintext passwords. Despite the user joining the forum only in late May, they have already posted data from other breaches. According to Cybernews, this RockYou2024 file is “a mix of old and new data breaches.” This means that the compilation isn’t from a single new breach but includes passwords gathered from multiple breaches over time, which substantially heightens the risk of credential stuffing attacks.
Credential stuffing is a technique where cybercriminals take passwords obtained from one data breach and use them to try to log into unrelated services. For instance, someone might use a password obtained from an AT&T breach to see if it also works for your bank account.
This isn’t the first RockYou password drop, but it is the largest. In 2021, RockYou2021 included 8.4 billion plaintext passwords. Cybernews suspects the current version of the file contains a compilation of passwords obtained over the past 20 years, including those original 8.4 billion, so there’s a good chance at least one of your passwords is in it.
To see if your passwords are at risk, Cybernews offers a Leaked Password Checker where you can enter passwords to check if they’ve been exposed. If you find one of yours or suspect it may be weak, change it immediately to a strong password. Additionally, double-check your other accounts to ensure you’re not reusing passwords across services. Enabling multi-factor authentication where available and using a password manager can also help you keep things secure and organized.
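
The two checks described above (exposure and reuse), as an added example that is not from Cybernews or the original article: it streams a locally held breached-password list and reports which accounts use a listed password and which accounts share one. The account names, passwords and word list are constructed sample data, and the one-password-per-line layout is an assumption.

```python
import io
from collections import defaultdict

# Constructed sample data: hypothetical accounts and a tiny stand-in word list.
SAMPLE_VAULT = {
    "telecom.example": "password1",
    "bank.example": "password1",
    "mail.example": "T7#vq-long-unique-passphrase",
    "forum.example": "123456",
}
# Includes a CRLF line ending and a non-UTF-8 byte, as real word lists often do.
SAMPLE_WORDLIST = b"123456\npassword1\r\ncaf\xe9-2019\nqwerty\n"


def audit_passwords(vault, wordlist):
    """Return (exposed_accounts, reused_groups).

    vault: dict of account name -> password (str).
    wordlist: binary file object, one password per line (assumed layout).
    """
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password.encode("utf-8")].append(account)

    # Reuse: one password protecting more than one account.
    reused = sorted(
        sorted(accounts)
        for accounts in accounts_by_password.values()
        if len(accounts) > 1
    )

    # Exposure: stream the list so its size never has to fit in memory, and
    # compare raw bytes so undecodable lines cannot raise an exception.
    exposed = set()
    for raw_line in wordlist:
        hit = accounts_by_password.get(raw_line.rstrip(b"\r\n"))
        if hit:
            exposed.update(hit)
    return sorted(exposed), reused


def audit_sample():
    """Run the audit on the constructed sample data above."""
    return audit_passwords(SAMPLE_VAULT, io.BytesIO(SAMPLE_WORDLIST))


if __name__ == "__main__":
    exposed, reused = audit_sample()
    print("Change these passwords:", exposed)
    print("Stop sharing one password across:", reused)
```

For a real list, pass a file opened in binary mode (`open(path, "rb")`) as `wordlist`.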