9.9 Billion-Password Leak Was Partly a Fluke, Cybersecurity Researcher Says – ExtremeTech


Many internet users rushed to change their most important passwords earlier this month when a hacker leaked nearly 10 billion credentials in a .txt file titled “RockYou2024.” But according to one cybersecurity researcher, the leak might not be as big of a deal as previously thought. Though the password database appears legitimate at first glance, a large chunk of the alleged credentials is reportedly AI-generated fluff that no real website would accept. 

Ata Hakcil, cybersecurity research team lead at WizCase, discovered the partial fluke after an extensive RockYou2024 investigation. Upon opening the 155GB file, Hakcil filtered out random, unreadable lines and passwords shorter than six characters, which aren’t permitted on most websites. This removed roughly 1.9 million lines—passed off as passwords by leaker “ObamaCare”—from the list. Hakcil then got to work inspecting the remaining credentials…only to find that the file was full of “absolute Markovian generated bullshit.”

To start, many of the passwords contained 100 to 200 characters, making them unusable in any practical setting. Hakcil filtered his list down to passwords containing six to 12 characters—the count where he says most real passwords reside. This shrank the list to 5.9 billion passwords, meaning at least 40% of the RockYou2024 leak was likely fake.

Many of the 5.9 billion remaining passwords are thought to be AI-generated, too, though it’s difficult to tell precisely how many. “We can tell that these are not passwords suggested/auto-filled by password manager tools because the data contains password strings that could be considered sequential with each other (for example, ‘!Zorack’ and ‘!ZoraCk’), passwords that are way outside of the length range of password manager tools, and lack the inherent randomness that password managers rely on,” Hakcil told ExtremeTech in an email. “A significant majority of [the 5.9 billion remaining passwords] are definitely generated and useless, but we can’t say it for all of them.”

[Screenshot: eight passwords included in the RockYou2024 leak.]

A handful of RockYou2024 “passwords” that Hakcil is confident are fake.
Credit: Ata Hakcil

A cybersecurity enthusiast named Dreadnaught on X (formerly Twitter) similarly found that some, but not all, of the filtered passwords were made up. “I’m matching data to two alleged dumps at the moment,” they wrote Saturday. “Still a ton of useless data in it.” Dreadnaught reportedly found 200 million passwords that matched with more credible leaks. 

Hakcil, for one, is fairly confident that many of the passwords are AI-generated due to a mistake he made early on in his career. “In the early days of developing my [own] password generation tool, admittedly, I took a few shortcuts,” he said in a writeup published Tuesday on the WizCase website. “One of the mistakes my early tool made was counting the ‘null terminator’ (a technical character used to mark the end of a string) as part of the password length. This little oversight meant the maximum generated password would always fall one character short—precisely at 41 characters if the number picked was 42.”

Due to its significance in The Hitchhiker’s Guide to the Galaxy, 42 is a commonly chosen character limit among “hackers and geeks,” Hakcil said. It’s strange, then, that many so-called passwords included in the RockYou2024 leak would be exactly 41 characters, if they weren’t made using Hakcil’s tool. Hakcil told ExtremeTech that the tool is fairly popular these days and is now used by “legitimate white-hat security professionals around the world,” meaning it could have easily been used by ObamaCare for the fudged leak. 
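As an added illustration (not code from the article, from WizCase or from Hakcil's tool), the Python routine below applies the triage steps described above to a handful of constructed sample lines: it drops unreadable or sub-six-character lines, counts how many survivors fall in the six-to-12-character band, and flags the exactly-41-character generator artifact and case-only variants such as ‘!Zorack’/‘!ZoraCk’. The thresholds, the sample lines and the function names are assumptions made for this example.

```python
import string
from collections import Counter

# Constructed sample lines standing in for a slice of a credential dump;
# none of these are real leaked values.
SAMPLE_LINES = [
    "password123",          # plausible human password, 11 chars
    "!Zorack",              # pair differing only in letter case: looks generated
    "!ZoraCk",
    "\x00\xff\x01garbage",  # unreadable bytes: dropped by the first filter
    "abc",                  # shorter than six chars: dropped
    "x" * 41,               # exactly 41 chars: the off-by-one generator artifact
    "y" * 41,
    "z" * 150,              # 150 chars: no real login form accepts this
    "Summer2019!",
]

# Printable ASCII, with control whitespace (tab, newline, etc.) excluded.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def is_readable(line: str) -> bool:
    """True if every character is printable ASCII (article's 'readable' filter)."""
    return all(ch in PRINTABLE for ch in line)


def triage(lines, min_len=6, real_min=6, real_max=12, artifact_len=41) -> dict:
    """Apply the length/readability filters from the article and count the
    generator artifacts it describes. Returns a summary dict of counts."""
    kept = [l for l in lines if is_readable(l) and len(l) >= min_len]
    dropped = len(lines) - len(kept)
    plausible = [l for l in kept if real_min <= len(l) <= real_max]
    artifacts = sum(1 for l in kept if len(l) == artifact_len)
    # Case-insensitive collisions: lines that are identical once case-folded
    # are a hallmark of sequential generation, not of real user choices.
    folded = Counter(l.casefold() for l in kept)
    case_variants = sum(n for n in folded.values() if n > 1)
    return {
        "dropped_unreadable_or_short": dropped,
        "kept": len(kept),
        "plausible_6_to_12": len(plausible),
        "share_plausible": round(len(plausible) / len(kept), 2) if kept else 0.0,
        "exactly_41_chars": artifacts,
        "case_variant_lines": case_variants,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

On a real dump the share of lines in the plausible band, compared against the 41-character and case-variant counts, is what separates a credible leak from generated filler.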

But why would a cybercriminal fake a password leak? “Something not well-known outside of security circles is that hacking forums, such as breachforums or the now-defunct raidforums, have a huge economy built on credits,” Hakcil told us. “To download files shared by other users, you need credits, which you can pay for or earn by sharing leaks yourself. I personally think this user has created this huge leak to earn reputation or credits on the hacking forums, which they used to gain access to other leaks or posts by other users.” 

In his own writeup, Hakcil was careful to point out that while a large portion of RockYou2024’s passwords appear fake, it’s still possible that some internet users’ real passwords were leaked. “While the RockYou2024 leak might be a strange case of digital déjà vu, it serves as a valuable reminder for everyone to prioritize good cybersecurity habits,” he said. “Stay vigilant and use strong passwords.”
