10 billion passwords exposed in largest leak ever: Report
The compilation of leaked passwords, RockYou2024, was shared by a user named ‘ObamaCare’ on a popular hacking forum
A hacker has leaked nearly 10 billion passwords in the biggest haul of all time, researchers at Cybernews reported.
The compilation of leaked passwords, RockYou2024, was shared by a user named 'ObamaCare' on a popular hacking forum on Thursday.
This is not the first time that 'ObamaCare' has posted stolen data on the internet. Previously, the report said, the user had shared an employee database from the law firm Simmons & Simmons, a lead from online casino AskGamblers, and applications for Rowan College at New Jersey.
The researchers at Cybernews, who studied the dataset, said it was compiled over more than 10 years and that the release is the third such dataset.
The 'RockYou2024' dataset is a compilation of several newly stolen passwords and many previously stolen ones, researchers said in the report.
In 2021, a dataset named 'RockYou2021' was released that had around 8.4 billion stolen passwords. The latest dataset added around 1.5 billion more passwords to this database.
In turn, the dataset uploaded in 2021 was built upon another dataset released in 2009 that had "tens of millions user passwords for social media accounts", according to the report.
How can such leaks harm you?
Passwords leaked in such datasets can be used to mount credential stuffing attacks and brute force attacks.
Credential stuffing refers to criminals' practice of using passwords stolen from one device or account to gain access to another device or account. The premise is that users often reuse a common password across different accounts and devices, so criminals rely on such passwords to access other, or all, of the users' accounts.
A brute force attack refers to criminals employing a trial-and-error approach to systematically guess sign-in information, passwords, and encryption keys.
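For defenders, the two patterns look different in login logs. The sketch below is an added example, not part of the Cybernews report: it labels each source address by its failed-login pattern and lists accounts that logged in successfully from a flagged source. The event format, thresholds, and function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample login events: (source_ip, username, success).
# IPs come from documentation ranges; usernames are made up.
SAMPLE_EVENTS = (
    [("203.0.113.10", u, False)
     for u in ("alice", "bob", "carol", "dave", "erin", "frank")]
    + [("203.0.113.10", "grace", True)]        # a reused password worked
    + [("198.51.100.7", "admin", False)] * 8   # repeated guesses at one account
    + [("192.0.2.44", "heidi", False)] * 2     # a user mistyping a password
    + [("192.0.2.44", "heidi", True)]
)

def classify_sources(events, min_failures=5, spread_ratio=0.8):
    """Label each source IP that has failed logins.

    Thresholds are illustrative assumptions, not tuned values.
    """
    failed = defaultdict(Counter)
    for ip, user, ok in events:
        if not ok:
            failed[ip][user] += 1
    labels = {}
    for ip, per_user in failed.items():
        total = sum(per_user.values())
        if total < min_failures:
            labels[ip] = "normal"
        elif len(per_user) / total >= spread_ratio:
            # Nearly every failure hits a different account: stolen
            # username/password pairs being replayed.
            labels[ip] = "credential_stuffing"
        elif max(per_user.values()) >= min_failures:
            # Many guesses against the same account: trial and error.
            labels[ip] = "brute_force"
        else:
            labels[ip] = "suspicious"
    return labels

def accounts_to_reset(events, labels):
    """Accounts with a successful login from a flagged source."""
    flagged = {ip for ip, label in labels.items() if label != "normal"}
    return sorted({u for ip, u, ok in events if ok and ip in flagged})

if __name__ == "__main__":
    found = classify_sources(SAMPLE_EVENTS)
    print(found)
    print(accounts_to_reset(SAMPLE_EVENTS, found))
```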
Cybernews researchers said the 10-billion-strong database can be used to target everything from online and offline services to internet-facing cameras and industrial hardware.
"Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts," said the researchers.