World's largest stolen password database uploaded to criminal forum
Security researchers have discovered what appears to be the largest password leak of all time, containing around 10 billion unique, plain text passwords. The file, titled "rockyou2024.txt," was posted on a leading hacking forum by a hacker using the name "ObamaCare."
The passwords didn’t leak in a single data breach; they are part of both old and new data breaches. This is bad news for everyone because hackers can use these passwords to access not only your personal data but also your financial information, especially if you use the same password for multiple services.
GET SECURITY ALERTS, EXPERT TIPS - SIGN UP FOR KURT’S NEWSLETTER - THE CYBERGUY REPORT HERE
The massive trove of passwords was discovered by researchers at Cybernews, who believe the leak poses severe dangers to users prone to reusing passwords. The report revealed that the password file, which was posted on BreachForums criminal underground forum, contained an astonishing 9,948,575,739 unique passwords, all in plain text format.
According to Cybernews, RockYou2024 isn’t an entirely new leak. It apparently comprises an earlier credentials database known as RockYou2021, which featured 8.4 billion passwords. The hackers scoured the internet for data leaks, adding another 1.5 billion passwords from 2021 through 2024, increasing the dataset by 15%.
"In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks," researchers said, noting that they cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews’ Leaked Password Checker.
ObamaCare, the forum member who posted the password file, registered on the forum in May this year but has already leaked multiple other databases. For instance, they have previously shared an employee database from the law firm Simmons & Simmons, a lead from the online casino AskGamblers, and student applications for Rowan College at Burlington County.
ANDROID BANKING TROJAN MASQUERADES AS GOOGLE PLAY TO STEAL YOUR DATA
The password leak puts you at risk of credential stuffing attacks, which can be very damaging. Credential stuffing is when someone takes passwords from one data breach and tries to use them to log into other services.
For example, a hacker might use passwords from an AT&T breach or a previous breach with 26 billion records to see if you use the same password for your bank account.
"Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset," the researchers explained.
MASSIVE DATA BREACH EXPOSES OVER 3 MILLION AMERICANS' PERSONAL INFORMATION TO CYBERCRIMINALS
To check if your information was sold on the dark web, you can go to haveibeenpwned.com and enter your email address into the search bar. The website will search to see what data of yours is out there and display if there were data breaches associated with your email address on various sites. You may have even received an email from the website already saying that some of your data was stolen, and you should look into this immediately if that is the case.
If you think you may have been affected by the massive password leak, follow these tips to safeguard yourself.
1) Change your passwords: Never use the same password for multiple services you use. If you recall adding the same password on different apps or websites, consider changing it to something different. Consider using a password manager- to generate and store complex passwords.
2) Set up two-factor authentication (2FA): 2FA is an extra shield that prevents hackers from accessing your accounts. It requires that after entering your password, you add another piece of information. This could be a code sent to your phone via SMS, a code generated by an authenticator app, a fingerprint scan or a hardware token.
3) Remove your personal information from the internet: Although no service can promise total removal of your data from the internet, using a removal service is a smart step. These services can help you monitor and systematically erase your personal information from hundreds of websites, offering you greater privacy and peace of mind. Preventing a scammer from being able to cross-reference your data from a breach from data they may find of yours on the dark web is a smart step to prevent scammers from targeting you. Remove your personal data from the internet with my top picks here.
4) Use a VPN: Consider using a VPN to protect your online activity and data. VPNs will protect you from those who want to track and identify your potential location and the websites that you visit. See my expert review of the best VPNs for browsing the web privately on your Windows, Mac, Android and iOS devices.
5) Monitor your accounts: Regularly review your bank statements, credit card statements and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company. See my tips and best picks on how to protect yourself from identity theft.
The RockYou2024 leak is a wake-up call for everyone who uses the internet. It shows that even the data you entrust to companies might not be completely safe. While we can take steps to protect ourselves, the real responsibility lies with the apps and services we rely on. They need to step up their security game to prevent these huge data breaches from happening in the first place.
What measures do you believe companies should take to protect user data and prevent breaches like the RockYou2024 leak? Let us know by writing us at Cyberguy.com/Contact.
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter.
Ask Kurt a question or let us know what stories you'd like us to cover.
Follow Kurt on his social channels:
Answers to the most asked CyberGuy questions:
Copyright 2024 CyberGuy.com. All rights reserved.