10B Passwords Pop Up on Dark Web 'RockYou2024' Release
The passwords, dumped on a cyber-underground forum on July 4 by a hacker called "ObamaCare," were collected from a variety of older and more recent breaches.
A user has leaked nearly 10 billion unique plaintext passwords on a popular hacking forum, seemingly obtained through several past breaches.
The list has been dubbed RockYou2024, after its file name, rockyou.txt.
Researchers say that while the list has some value to attackers for brute-force attacks, it's unlikely that any website would allow a threat actor to try such a large number of passwords. If cybercriminals combine the list with data from other breaches, however, they could get results where passwords have been reused, which could lead to a successful credential-stuffing attack.
"The dataset is too large to be of any realistic use as part of any effort to crack a given hash — it's simply too much low-quality data to successfully use in attacks — and the value of the data is negligible compared to good prepared wordlists and rulesets in the hands of a capable actor," says Darren James, a senior product manager at Specops Software.
Users are likely safe if they are careful and do not reuse passwords. They should also make sure their passwords are unique and complex, and enable multifactor authentication (MFA) wherever possible.
"[Instead of worrying about the dump], organizations would be better off focusing on best practices like encouraging passphrases, protecting against actual compromised passwords, and defending against targeted wordlist attacks with custom block lists," James says. "RockYou2024 is just another clickbait compilation."
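As an added illustration of the compromised-password block list James recommends (example code written for this page, not from the article or from Specops), the check below loads a plaintext wordlist in the rockyou.txt one-password-per-line style, adds organization-specific terms, and rejects new passwords whose trivial variants (case changes, trailing digits or symbols) match an entry. The wordlist sample, the company name "examplecorp", and the normalization rule are constructed assumptions.

```python
import hashlib
import re

# Constructed sample in rockyou.txt style (one plaintext password per line); not the real dump.
SAMPLE_WORDLIST = """\
password
123456
rockyou
iloveyou
Summer2023
"""

# Hypothetical custom block terms an organization would add (company name, abbreviations).
CUSTOM_TERMS = ["examplecorp", "exmpl"]

# Trailing digits and common symbols that users append to reuse a blocked base word.
_SUFFIX_RE = re.compile(r"[\d!@#$%^&*.?]+$")


def normalize(password: str) -> str:
    """Collapse trivial variants: lowercase and strip a trailing digit/symbol run."""
    lowered = password.lower()
    base = _SUFFIX_RE.sub("", lowered)
    # An all-digit entry such as "123456" would strip to nothing; keep it as-is.
    return base or lowered


def digest(value: str) -> str:
    """Store SHA-256 hashes so the block list at rest is not itself a usable wordlist."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_blocklist(wordlist_text: str, custom_terms=()) -> set:
    """Hash every normalized wordlist entry plus the custom terms into a lookup set."""
    entries = (line.strip() for line in wordlist_text.splitlines())
    hashes = {digest(normalize(e)) for e in entries if e}
    hashes.update(digest(normalize(t)) for t in custom_terms)
    return hashes


DEFAULT_BLOCKLIST = build_blocklist(SAMPLE_WORDLIST, CUSTOM_TERMS)


def is_blocked(password: str, blocklist: set = DEFAULT_BLOCKLIST) -> bool:
    """True when the password's normalized form appears in the block list."""
    return digest(normalize(password)) in blocklist
```

In production the set would be built from a vetted compromised-password feed rather than the attacker-side compilation itself, and a length or passphrase check would run alongside this lookup.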