On July 4, a hacker, ObamaCare, posted a compilation of nearly ten billion unique passwords on a leading hacking forum. The leak is believed to be built on the prior RockYou2021 compilation of 8.4 billion passwords. Learn more about the leak and how people and organizations can protect themselves against such leaks.

July 8, 2024


  • On July 4, a hacker, ObamaCare, posted a compilation of nearly ten billion unique passwords on a leading hacking forum.
  • The leak is believed to be built on the prior RockYou2021 compilation of 8.4 billion passwords.

One of the most significant data leaks in recent history is reported to have occurred on July 4. The leak, dubbed RockYou2024 by the original poster, “ObamaCare”, on a leading hacking forum, compiles 9,948,575,739 unique passwords in plain text. In other words, close to ten billion passwords were leaked.

That said, RockYou2024 is primarily a compilation of all previous password leaks and is built on the prior RockYou2021 compilation of 8.4 billion passwords. That means about 1.5 billion passwords were added to the list between RockYou2021 and RockYou2024. Further, according to the hacker, at least some of these passwords were cracked using an RTX 4090 GPU, a tactic that was warned about earlier.

According to Cybernews researchers, “In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks.”

So, what can we expect with this massive data leak going forward? Cybernews researchers said, “The attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware. Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts.”

Simon Lawrence, co-founder and director, i-confidential, told Spiceworks News & Insights:

“This leak could be a treasure trove for adversaries. While the passwords might have been compromised from breaches long past, the real threat is around password reuse, which means this vault of passwords could still provide significant value to adversaries.

Password reuse plagues organizations and almost all internet users are guilty of it. But when passwords are reused, criminals have more opportunities to launch multiple attacks by stealing a single password.”

“When criminals steal one valid login, they will test it on other networks, whether corporate or personal. In many cases, this gives them entry into further accounts, enabling them to steal money or sensitive information or even execute huge ransomware attacks. Just look at the recent attack on Change Healthcare for proof. Very few organizations realize the true power of the password until it’s too late,” said Lawrence.


Use Secure Password Options

So, what can people and businesses do to protect themselves? One way individuals can protect themselves is to change their passwords periodically. They can also use a secure password manager to generate and store complex, unique passwords instead of cycling through a few different ones. Further, they can enable two-factor authentication (2FA) or multi-factor authentication (MFA). For people whose passwords have already been exposed, Cybernews researchers suggest immediately resetting the passwords of all accounts associated with the leaked passwords. Researchers also recommend selecting strong, unique passwords that are not reused across multiple platforms.
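One concrete way an organization can act on the advice above is to screen new or reset passwords against a compiled leak list and to hand out a randomly generated replacement when a candidate is rejected. The following Python is an added example written for this article, not code from Cybernews, i-confidential or the leak itself; the five-line leak sample embedded in it is constructed for illustration and is not taken from RockYou2024. It indexes the dump by SHA-1 digest purely as a lookup key (the dump is already plain text, so no secrecy is lost), uses the `secrets` module for generation, and applies an assumed minimum length of 8 characters.

```python
import hashlib
import secrets
import string

# Constructed sample of a leaked-password compilation (NOT real RockYou2024
# data): one plain-text password per line, the format such dumps are shared in.
LEAK_SAMPLE = """\
123456
password
qwerty123
Summer2023!
letmein
"""


def load_leak_hashes(text):
    """Build a set of SHA-1 hex digests, one per password in the dump.

    SHA-1 is used here only as a fixed-size lookup key for a screening
    list that is already public plain text; it is not a credential store.
    """
    return {
        hashlib.sha1(line.encode("utf-8")).hexdigest()
        for line in text.splitlines()
        if line
    }


def is_compromised(candidate, leak_hashes):
    """True if the candidate password appears in the leak compilation."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return digest in leak_hashes


def screen_password(candidate, leak_hashes, min_length=8):
    """Policy check run when a user sets or resets a password.

    Returns (accepted, reason). The minimum length is an assumed value.
    """
    if len(candidate) < min_length:
        return False, "too short"
    if is_compromised(candidate, leak_hashes):
        return False, "appears in leaked-password compilation"
    return True, "ok"


def generate_password(length=20):
    """Generate a random password from a CSPRNG (the secrets module)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def replacement_password(leak_hashes, length=20):
    """Generate a replacement and confirm it passes the same screening."""
    while True:
        candidate = generate_password(length)
        if screen_password(candidate, leak_hashes)[0]:
            return candidate


if __name__ == "__main__":
    hashes = load_leak_hashes(LEAK_SAMPLE)
    for pw in ["Summer2023!", "correct horse battery staple"]:
        print(f"{pw!r}: {screen_password(pw, hashes)}")
    print("suggested replacement:", replacement_password(hashes))
```

In production the hash set would be loaded from the full compilation (or queried through a breached-password service) rather than embedded, and the check belongs at the point where a password is chosen, so that a reused or already-leaked value is refused before it is ever stored.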

For organizations, Lawrence says, “Firstly, educate employees on the dangers of password reuse. Teach them that using the same password across multiple accounts makes it easier for criminals to harm them both personally and professionally. Organizations can also use single sign-on tools, which remove the need for employees to manage multiple passwords, as this can also clamp down on password reuse.

Additionally, it is vital to use MFA on all enterprise accounts. When organizations do this, it bolsters their security and means this trove of passwords will only provide half the keys required to access their networks, significantly devaluing the data for adversaries.”


Karthik Kashyap

Karthik comes from a diverse educational and work background. With an engineering degree and a Masters in Supply Chain and Operations Management from Nottingham University, United Kingdom, he has close to 15 years of experience across different industries, a significant part of it as a content marketing professional. Currently, as an assistant editor at Spiceworks Ziff Davis, he covers a broad range of topics across HR Tech and Martech, from talent acquisition to workforce management and from marketing strategy to innovation. Besides being a content professional, Karthik is an avid blogger, traveler, history buff, and fitness enthusiast. To share quotes or inputs for news pieces, please get in touch on [email protected]