Security researchers have discovered what appears to be the largest password leak of all time, containing around 10 billion unique plaintext passwords. The file, titled “rockyou2024.txt,” was posted on a leading hacking forum by a hacker using the name “ObamaCare.”
The passwords didn’t leak in a single data breach; they are part of both old and new data breaches. This is bad news for everyone because hackers can use these passwords to access not only your personal data but also your financial information, especially if you use the same password for multiple services.
What you need to know about RockYou2024 leak
The massive trove of passwords was discovered by researchers at Cybernews, who believe the leak poses severe dangers to users prone to reusing passwords. The report revealed that the password file, which was posted on the BreachForums criminal underground forum, contained an astonishing 9,948,575,739 unique passwords, all in plaintext format.
According to Cybernews, RockYou2024 isn’t an entirely new leak. It apparently comprises an earlier credentials database known as RockYou2021, which featured 8.4 billion passwords. The hackers scoured the internet for data leaks, adding another 1.5 billion passwords from 2021 through 2024, increasing the dataset by 15 percent.
“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers said, noting that they cross-referenced the passwords included in the RockYou2024 leak with data from Cybernews’ Leaked Password Checker.
ObamaCare, the forum member who posted the password file, registered on the forum in May this year but has already leaked multiple other databases. For instance, they have previously shared an employee database from the law firm Simmons & Simmons, a leak from the online casino AskGamblers, and student applications for Rowan College at Burlington County.
How does this leak affect you?
The password leak puts you at risk of credential stuffing attacks, which can be very damaging. Credential stuffing is when someone takes passwords from one data breach and tries to use them to log into other services.
For example, a hacker might use passwords from an AT&T breach or a previous breach with 26 billion records to see if you use the same password for your bank account.
“Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the researchers explained.
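What distinguishes credential stuffing from a user fumbling their own password is the shape of the login traffic: a few failures spread across many different accounts from one source, rather than many failures against one account. The following added example (not from the article or Cybernews) runs that check over constructed sample authentication log lines and lists, per flagged source, the accounts that logged in successfully and therefore need a reset.

```python
from collections import defaultdict

# Constructed sample auth-log lines (not real logs): timestamp, source IP, user, result.
SAMPLE_AUTH_LOG = """\
2024-07-05T10:00:01 203.0.113.7 alice FAIL
2024-07-05T10:00:02 203.0.113.7 bob FAIL
2024-07-05T10:00:02 203.0.113.7 carol FAIL
2024-07-05T10:00:03 203.0.113.7 dave OK
2024-07-05T10:00:03 203.0.113.7 erin FAIL
2024-07-05T10:00:04 203.0.113.7 frank FAIL
2024-07-05T10:00:09 198.51.100.4 alice FAIL
2024-07-05T10:00:15 198.51.100.4 alice FAIL
2024-07-05T10:00:21 198.51.100.4 alice OK
"""


def parse_auth_log(text):
    """Turn the whitespace-separated sample format into (ts, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append(tuple(parts))
    return events


def find_stuffing_sources(events, min_failures=5, min_distinct_users=5):
    """Flag source IPs whose failures are spread over many distinct accounts.

    Returns {ip: [accounts that succeeded from that ip]} so the defender knows
    which accounts were hit by a reused password and should be reset.
    A single user retrying their own account (few failures, one username)
    does not meet the distinct-user threshold and is left alone.
    """
    per_ip = defaultdict(lambda: {"fail": 0, "users": set(), "ok_users": set()})
    for _ts, ip, user, result in events:
        rec = per_ip[ip]
        rec["users"].add(user)
        if result == "FAIL":
            rec["fail"] += 1
        else:
            rec["ok_users"].add(user)
    flagged = {}
    for ip, rec in per_ip.items():
        if rec["fail"] >= min_failures and len(rec["users"]) >= min_distinct_users:
            flagged[ip] = sorted(rec["ok_users"])
    return flagged
```

The thresholds are assumptions for the sample; in production they would be tuned per service and combined with rate limiting and 2FA rather than used alone.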
How can I check if my information was sold on the dark web?
To check if your information was sold on the dark web, you can go to haveibeenpwned.com and enter your email address into the search bar. The website will search to see what data of yours is out there and display if there were data breaches associated with your email address on various sites. You may have even received an email from the website already saying that some of your data was stolen, and you should look into this immediately if that is the case.
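The site above checks your e-mail address. The companion check a practitioner wants is whether a given password itself appears in a compilation like RockYou2024, done without storing or sending the plaintext anywhere. The following added example (not from the article, Cybernews or Have I Been Pwned) indexes a constructed sample compilation by the first five hex characters of each password's SHA-1, the same k-anonymity bucket layout that Have I Been Pwned's Pwned Passwords range API uses, and screens a set of credentials for leaked and reused passwords.

```python
import hashlib

# Constructed sample of a breach compilation, one plaintext password per line,
# standing in for a file such as rockyou2024.txt (this is NOT real leaked data).
SAMPLE_COMPILATION = """\
password
123456
qwerty
letmein
iloveyou
"""


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of a password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_prefix_index(compilation_text):
    """Index a compilation as {prefix: set(suffixes)}.

    Only hashes are kept, so the index can be shared or queried without
    revealing the plaintexts; a client asking about one bucket learns the
    suffixes in it but not which one it was looking for.
    """
    index = {}
    for line in compilation_text.splitlines():
        pw = line.rstrip("\r\n")
        if pw:
            prefix, suffix = sha1_prefix_suffix(pw)
            index.setdefault(prefix, set()).add(suffix)
    return index


def password_is_leaked(password, index):
    """True if the password's SHA-1 suffix is present in its prefix bucket."""
    prefix, suffix = sha1_prefix_suffix(password)
    return suffix in index.get(prefix, ())


def screen_credentials(credentials, index):
    """Screen {service: password}: report leaked passwords and reuse across services."""
    findings, first_seen = {}, {}
    for service, pw in credentials.items():
        problems = []
        if password_is_leaked(pw, index):
            problems.append("in breach compilation")
        if pw in first_seen:
            problems.append("reused from " + first_seen[pw])
        first_seen.setdefault(pw, service)
        if problems:
            findings[service] = problems
    return findings
```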
What do I do if my data has been stolen?
If you think you may have been affected by the massive password leak, follow these tips to safeguard yourself.
1) Change your passwords: Never use the same password for multiple services you use. If you recall adding the same password on different apps or websites, consider changing it to something different. Consider using a password manager to generate and store complex passwords.
2) Set up two-factor authentication (2FA): 2FA is an extra shield that prevents hackers from accessing your accounts. It requires that after entering your password, you add another piece of information. This could be a code sent to your phone via SMS, a code generated by an authenticator app, a fingerprint scan, or a hardware token.
3) Remove your personal information from the internet: Although no service can promise total removal of your data from the internet, using a removal service is a smart step. These services can help you monitor and systematically erase your personal information from hundreds of websites, offering you greater privacy and peace of mind. Preventing a scammer from cross-referencing your data from a breach with data they may find about you on the dark web is a smart step toward keeping scammers from targeting you.
A service like Incogni can help you remove all this personal information from the internet. It has a very clean interface and will scan 195 websites for your information and remove it and keep it removed.
Special for CyberGuy Readers (60% off): Incogni offers a 30-day money-back guarantee and, only through the links in this article, a special CyberGuy discounted rate of $6.49/month for one person (billed annually) or $13.19/month for your family (up to 4 people) on their annual plan, which gets you a fully automated data removal service, including recurring removal from 175+ data brokers. I recommend the family plan because it works out to only $4.12 per person per month for year-round coverage. It’s an excellent service, and I highly recommend at least trying it out to see what it’s all about.
4) Use a VPN: Consider using a VPN to protect your online activity and data. VPNs will protect you from those who want to track and identify your potential location and the websites that you visit.
My top recommendation is ExpressVPN. It has a quick and easy setup, is available in 105 countries, and will not log your IP address, browsing history, traffic destination or metadata, or DNS queries.
Right now you can get 3 extra months FREE with a 12-month ExpressVPN plan. That’s just $6.67 per month, a saving of 49%! Try 30 days risk-free.
5) Monitor your accounts: Regularly review your bank statements, credit card statements, and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company. See my tips and best picks on how to protect yourself from identity theft.
Kurt’s key takeaway
The RockYou2024 leak is a wake-up call for everyone who uses the internet. It shows that even the data you entrust to companies might not be completely safe. While we can take steps to protect ourselves, the real responsibility lies with the apps and services we rely on. They need to step up their security game to prevent these huge data breaches from happening in the first place.
What measures do you believe companies should take to protect user data and prevent breaches like the RockYou2024 leak? Let us know in the comments below.
Copyright 2024 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.