10B Passwords Pop Up on Dark Web 'RockYou2024' Release

A user has leaked nearly 10 billion unique plaintext passwords on a popular hacking forum, seemingly obtained through several past breaches.

The list is coined RockYou2024, due to its file name, rockyou.txt.

Researchers say that while the list does have some value for attackers to make a brute-force attack, it's unlikely that any website would allow a threat actor to try such a significant number of passwords. If cybercriminals wish to combine the list with data from other breaches, however, they could possibly get results if passwords have been reused, which could lead to a successful credential-stuffing attack.

“The dataset is too large to be of any realistic use as part of any effort to crack a given hash — it's simply too much low-quality data to successfully use in attacks — and the value of the data is negligible compared to good prepared wordlists and rulesets in the hands of a capable actor," says Darren James, a senior product manager at Specops Software. 

Users are likely safe if they're careful and are not reusing passwords. They should also make sure their passwords are unique and complex, and implement multifactor authentication (MFA) wherever possible.

"[Instead of worrying about the dump], organizations would be better off focusing on best practices like encouraging passphrases, protecting against actual compromised passwords, and defending against targeted wordlist attacks with custom block lists," James says. "RockYou2024 is just as another clickbait compilation."