• Hey, guest user. Hope you're enjoying NeoGAF! Have you considered registering for an account? Come join us and add your take to the daily discourse.

10 billion passwords leaked in the largest compilation of all time

Spyxos

Spyxos

Gold Member
The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords.


Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.

While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from an online casino AskGamblers, and student applications for Rowan College at Burlington County.

The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews’ Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches.

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers said.

“Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the team explained.

rockyou2024-post.png


 
Last edited:
MudoSkills

MudoSkills

Volcano High Alumnus (Cum Laude)
Surely the only information anybody is interested in is where the passwords have come from - which isn't in the article, helpfully.
 
AV

AV

We ain't outta here in ten minutes, we won't need no rocket to fly through space
MudoSkills said:
Surely the only information anybody is interested in is where the passwords have come from - which isn't in the article, helpfully.
Click to expand...

Everywhere, going back decades. It's just a compilation of existing PW lists. Basically the point of rockyou is to use it in conjunction with a script to brute force any account that has no kind of attempt limitation on it, which isn't much these days, but this'll be useful to someone somewhere.

As always, sign up to HIBP or a similar service to ensure you're notified of any breached PWs so you can change them as necessary. Or use a manager, not my preferred method, but it's there.
 
Solarstrike

Solarstrike

Member
They need to be executed IRL. Death penalty to hackers (if the governments don't need them after they're caught). Fuck hackers and criminals in general. World is far too weak on crime.
 
Last edited:
Trogdor1123

Trogdor1123

Member
I have a few I know have been compromised but I just don’t care as I never use those things anymore and can’t bothered to change my password on a local burrito shop app.
 
RiccochetJ

RiccochetJ

Gold Member
I feel somewhat safe despite this news because I've turned on passkey for all my accounts that offer it and seeing as I used to use lastpass, I had to reset everything because of their own breach not long ago.
 
Golgo 13

Golgo 13

The Man With The Golden Dong
AV said:
Everywhere, going back decades. It's just a compilation of existing PW lists. Basically the point of rockyou is to use it in conjunction with a script to brute force any account that has no kind of attempt limitation on it, which isn't much these days, but this'll be useful to someone somewhere.

As always, sign up to HIBP or a similar service to ensure you're notified of any breached PWs so you can change them as necessary. Or use a manager, not my preferred method, but it's there.
Click to expand...
Could also be used in offline attacks, password cracking from stolen hashes of passwords (given that the passwords aren't further protected, which they should be).

rockyou has been a hacking staple for a longtime. This update is interesting, but yes, 2FA (preferably with an Authentication app) is quite a nice layer of extra security, as mentioned elsewhere in this thread. It's inconvenient like all security, but does make it harder to be fucked with online.
 
  • Like
Reactions: AV
LavitzSlambert

LavitzSlambert

Member
Golgo 13 said:
Could also be used in offline attacks, password cracking from stolen hashes of passwords (given that the passwords aren't further protected, which they should be).

rockyou has been a hacking staple for a longtime. This update is interesting, but yes, 2FA (preferably with an Authentication app) is quite a nice layer of extra security, as mentioned elsewhere in this thread. It's inconvenient like all security, but does make it harder to be fucked with online.
Click to expand...

If the passwords aren't salted. The most effective deterrent is, as always, MFA using a modern authenticator along with a dose of awareness as not to accept a login that you didn't initiate.
 
jshackles

jshackles

Gentlemen, we can rebuild it. We have the capability to make the world's first enhanced store. Steam will be that store. Better than it was before.
In addition to 2FA as others have mentioned, you should have a password manager with a built-in password generator - and be using it for every site you sign up for. We have the technology to not have to remember (let alone reuse) passwords in 2024. Don't be a sucker.
 
Pejo

Pejo

Member
Probably not updated with this new event, but always worth checking regardless.

haveibeenpwned.com

Have I Been Pwned: Check if your email has been compromised in a data breach

Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.
haveibeenpwned.com haveibeenpwned.com

It's a site that you can use to search for your email to see if it's been compromised in any number of hacks/leaks/breaches/etc.
 
Last edited:
ItsGreat

ItsGreat

Member
This podcast explains clearly what hackers can do with a list of passwords that big. Statistical priorities and probabilities will be honed with a 10 billion sample set.

darknetdiaries.com

RockYou – Darknet Diaries

In 2009 a hacker broke into a website with millions of users and downloaded the entire user database. What that hacker did with the data has changed the way we view account security even today.
darknetdiaries.com darknetdiaries.com
 
Golgo 13

Golgo 13

The Man With The Golden Dong
LavitzSlambert said:
If the passwords aren't salted. The most effective deterrent is, as always, MFA using a modern authenticator along with a dose of awareness as not to accept a login that you didn't initiate.
Click to expand...
Read something today in the SysAdmin Reddit about how phishing attempts are now focused on capturing O365 Authentication tokens via proxy, which can be re-used to authenticate via even Authentication apps, bypassing 2FA.
 
You must log in or register to reply here.

Similar threads

Ken Kutaragi is the Greatest 'emperor' Of All Time and remains SIE's only true visionary
Opinion 2 3 4
155
13K
Moses85 replied
Stolen CD Projekt data including Cyberpunk 2077 source code has reportedly leaked
Drama Game Dev 2
88
11K
Halo is Back replied
Hundreds of Millions of Phone Numbers From Facebook Accounts Leaked Online
7
900
bucyou replied
Scientists Develop ‘Absolutely Unbreakable’ Encryption Chip Using Chaos Theory
News Clickbait
16
2K
Avasarala replied
Yahoo now believes all 3 billion of its accounts affected by 2013 breach
2
50
7K
GuessMyUserName replied
Top Bottom