According to cybersecurity researchers from Cybernews, this leak, dubbed RockYou2024 by the original poster, who uses the handle “ObamaCare”, consists of a file containing nearly 10 billion unique plaintext passwords.
The passwords were reportedly collected from a series of data breaches and hacks that occurred over several years. The file was posted on July 4 and is being touted as the largest collection of stolen and leaked credentials ever to appear on the forum.
“In essence, the RockYou2024 leak is a compilation of real passwords used by people around the world,” the researchers told Cybernews. “Revealing that many passwords are shared by threat actors significantly increases the risk of credential stuffing attacks.”
Credential stuffing attacks are among the most common methods used by criminals, ransomware organizations, and state-sponsored hackers to gain access to services and systems.
According to the research team, cybercriminals could abuse RockYou2024’s password collection to perform brute-force attacks on any unprotected system and “gain unauthorized access to various online accounts used by individuals whose passwords are included in the dataset.”
This may affect online services, cameras and hardware
This can impact a variety of targets, from online services to Internet cameras and industrial hardware.
“Furthermore, RockYou2024, in combination with other leaked databases on hacker forums and marketplaces, containing, for example, user email addresses and other login credentials, could contribute to a flood of data breaches, financial fraud, and identity theft,” the team concluded.
Despite the severity of the data breach, it is important to note that RockYou2024 is largely a compilation of previous password leaks. It is estimated that the data comes from a total of 4,000 massive databases of stolen credentials, spanning a period of at least two decades.
Notably, this new file includes an earlier credentials database known as RockYou2021, which contained 8.4 billion passwords. RockYou2024 added approximately 1.5 billion passwords to the collection, spanning 2021 through 2024, which, while a huge number, is just a fraction of the reported 9,948,575,739 passwords in the leak.
So users who have changed their passwords since 2021 may not have to worry about being exposed by this leak.
That said, Cybernews’ research team stressed the importance of maintaining data security. In response to the breach, they recommend immediately changing passwords for all accounts linked to the leaked credentials, and ensuring that each password is strong, unique, and not reused across platforms.
They also recommended enabling multi-factor authentication (MFA) where possible, which requires an additional form of verification beyond the password.
Finally, technology users should use password management software. This software generates and securely stores complex passwords, reducing the risk of reusing passwords across multiple accounts.