
10 billion passwords leaked in the largest compilation of all time

Spyxos

Member
The largest password compilation with nearly ten billion unique passwords was leaked on a popular hacking forum. The Cybernews research team believes the leak poses severe dangers to users prone to reusing passwords.


Cybernews researchers discovered what appears to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords. The file with the data, titled rockyou2024.txt, was posted on July 4th by forum user ObamaCare.

While the user registered in late May 2024, they have previously shared an employee database from the law firm Simmons & Simmons, a leak from an online casino AskGamblers, and student applications for Rowan College at Burlington County.

The team cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews’ Leaked Password Checker, which revealed that these passwords came from a mix of old and new data breaches.

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers said.

“Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the team explained.



 

MudoSkills

Volcano High Alumnus (Cum Laude)
Surely the only information anybody is interested in is where the passwords have come from - which isn't in the article, helpfully.
 

AV

We ain't outta here in ten minutes, we won't need no rocket to fly through space
Surely the only information anybody is interested in is where the passwords have come from - which isn't in the article, helpfully.

Everywhere, going back decades. It's just a compilation of existing PW lists. Basically the point of rockyou is to use it in conjunction with a script to brute force any account that has no kind of attempt limitation on it, which isn't much these days, but this'll be useful to someone somewhere.

As always, sign up to HIBP or a similar service to ensure you're notified of any breached PWs so you can change them as necessary. Or use a manager, not my preferred method, but it's there.
 

Solarstrike

Member
They need to be executed IRL. Death penalty to hackers (if the governments don't need them after they're caught). Fuck hackers and criminals in general. World is far too weak on crime.
 

Trogdor1123

Gold Member
I have a few I know have been compromised but I just don’t care as I never use those things anymore and can’t be bothered to change my password on a local burrito shop app.
 

RiccochetJ

Gold Member
I feel somewhat safe despite this news because I've turned on passkey for all my accounts that offer it and seeing as I used to use lastpass, I had to reset everything because of their own breach not long ago.
 

Golgo 13

The Man With The Golden Dong
Everywhere, going back decades. It's just a compilation of existing PW lists. Basically the point of rockyou is to use it in conjunction with a script to brute force any account that has no kind of attempt limitation on it, which isn't much these days, but this'll be useful to someone somewhere.

As always, sign up to HIBP or a similar service to ensure you're notified of any breached PWs so you can change them as necessary. Or use a manager, not my preferred method, but it's there.
Could also be used in offline attacks, password cracking from stolen hashes of passwords (given that the passwords aren't further protected, which they should be).

rockyou has been a hacking staple for a long time. This update is interesting, but yes, 2FA (preferably with an Authentication app) is quite a nice layer of extra security, as mentioned elsewhere in this thread. It's inconvenient like all security, but does make it harder to be fucked with online.
 
Could also be used in offline attacks, password cracking from stolen hashes of passwords (given that the passwords aren't further protected, which they should be).

rockyou has been a hacking staple for a long time. This update is interesting, but yes, 2FA (preferably with an Authentication app) is quite a nice layer of extra security, as mentioned elsewhere in this thread. It's inconvenient like all security, but does make it harder to be fucked with online.

If the passwords aren't salted. The most effective deterrent is, as always, MFA using a modern authenticator along with a dose of awareness so as not to accept a login that you didn't initiate.
 
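An added illustration of the salting point made in the two posts above (example code, not written by anyone in this thread): it stores a constructed set of three accounts two ways, as bare SHA-1 and as per-user salted PBKDF2, and shows that the unsalted store reveals which users share a password (so one precomputed wordlist hash matches all of them) while the salted store does not. The usernames and passwords are made-up sample values.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; alice and carol reuse the same weak password.
USERS = {"alice": "sunshine", "bob": "letmein", "carol": "sunshine"}

def store_unsalted(users):
    """Unsalted SHA-1: the same password always yields the same digest."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}

def store_salted(users, iterations=600_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256, a deliberately slow KDF."""
    records = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        records[u] = {"salt": salt, "iterations": iterations, "hash": digest}
    return records

def verify_salted(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def shared_password_groups(unsalted_records):
    """Defender's audit: identical digests in an unsalted store expose password
    reuse across accounts without consulting any wordlist at all."""
    groups = defaultdict(list)
    for user, digest in unsalted_records.items():
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

def audit_store(records):
    """Flag accounts whose record has no salt or too few KDF iterations."""
    return sorted(u for u, r in records.items()
                  if not isinstance(r, dict) or not r.get("salt")
                  or r.get("iterations", 0) < 10_000)
```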

jshackles

Gentlemen, we can rebuild it. We have the capability to make the world's first enhanced store. Steam will be that store. Better than it was before.
In addition to 2FA as others have mentioned, you should have a password manager with a built-in password generator - and be using it for every site you sign up for. We have the technology to not have to remember (let alone reuse) passwords in 2024. Don't be a sucker.
 

Pejo

Member
Probably not updated with this new event, but always worth checking regardless.


It's a site that you can use to search for your email to see if it's been compromised in any number of hacks/leaks/breaches/etc.
 
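An added example of how the kind of breached-password check recommended above can be done without the password ever leaving the client, using the k-anonymity scheme Have I Been Pwned's Pwned Passwords range API popularised (this is a self-contained offline model, not HIBP's code or anyone's from this thread). The server groups leaked SHA-1 digests by their first five hex characters; the client sends only that prefix and matches the remaining 35 characters locally. The leaked entries and their occurrence counts are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a compilation like rockyou2024: password -> times seen.
LEAKED_COUNTS = {"123456": 5, "password": 4, "sunshine": 2, "rockyou": 1, "iloveyou": 3}

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(leaked_counts):
    """Server side: bucket digests by 5-hex-char prefix, storing only (suffix, count)."""
    index = defaultdict(list)
    for pw, count in leaked_counts.items():
        digest = sha1_upper(pw)
        index[digest[:5]].append((digest[5:], count))
    return index

def serve_range(index, prefix: str):
    """Server side: return every suffix in the requested prefix range.
    The server never learns which suffix, if any, the client cared about."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return list(index.get(prefix, []))

def exposure_count(index, password: str) -> int:
    """Client side: disclose only the prefix, compare the suffix locally.
    Returns how often the password appears in the compilation (0 = not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in serve_range(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0

def accept_new_password(index, password: str, min_len: int = 12) -> bool:
    """Signup policy: reject anything present in the compilation or too short."""
    return len(password) >= min_len and exposure_count(index, password) == 0
```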

ItsGreat

Member
This podcast explains clearly what hackers can do with a list of passwords that big. Statistical priorities and probabilities will be honed with a 10 billion sample set.

 

Golgo 13

The Man With The Golden Dong
If the passwords aren't salted. The most effective deterrent is, as always, MFA using a modern authenticator along with a dose of awareness as not to accept a login that you didn't initiate.
Read something today in the SysAdmin Reddit about how phishing attempts are now focused on capturing O365 Authentication tokens via proxy, which can be re-used to authenticate via even Authentication apps, bypassing 2FA.
 