Disclosure of nearly 10 billion unique passwords
Recently, the largest password collection, titled #RockYou2024, was published on one of the hacker forums; it contains nearly ten billion unique passwords.
In this post, we examine these passwords, the possible risks, and how to determine whether our passwords are in this leak.
To download the 45 GB sample, you can use this link or this link.
#Threat_Actors #Information_Disclosure
Recently, the biggest password collection, called RockYou2024, was published on one of the hacker forums; it contains nearly ten billion unique passwords.
This password set, discovered by Cybernews researchers, contains 9,948,575,739 unique passwords that were published in a 45 GB file named rockyou2024.txt by a user named ObamaCare on July 4.

In fact, this file is a continuation of the RockYou2021 file released in 2021, which contained 8.4 billion passwords collected from 2009 onwards. The publisher added the leaks from the three years 2021 to 2024 to that file, about 1.5 billion new records and a 15% increase, and published the result under the name RockYou2024.
This file contains only passwords. More precisely, the passwords disclosed in various leaks have been collected and presented as a single file. Even so, threat actors can use this data in credential stuffing attacks.
In credential stuffing attacks, threat actors gain access to accounts by testing published usernames and passwords.
For this method, a script is often developed, which automatically takes a list of usernames and passwords and tests them one by one.
This technique often targets users who either do not change their passwords after disclosure or use the same password for multiple accounts, which is called Password Recycling.
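The pattern described above (one source, many usernames, about one try each, mostly failures) can be detected in authentication logs. The following is an added example, not code from the original post; the log format, the thresholds and the function name find_stuffing_sources are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log: "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-07-05T10:00:01Z 203.0.113.7 alice FAIL
2024-07-05T10:00:02Z 203.0.113.7 bob FAIL
2024-07-05T10:00:03Z 203.0.113.7 carol FAIL
2024-07-05T10:00:04Z 203.0.113.7 dave OK
2024-07-05T10:00:05Z 203.0.113.7 erin FAIL
2024-07-05T10:00:06Z 203.0.113.7 frank FAIL
2024-07-05T10:01:10Z 198.51.100.20 alice FAIL
2024-07-05T10:01:25Z 198.51.100.20 alice OK
2024-07-05T10:02:00Z 192.0.2.50 admin FAIL
2024-07-05T10:02:01Z 192.0.2.50 admin FAIL
2024-07-05T10:02:02Z 192.0.2.50 admin FAIL
"""

def find_stuffing_sources(log_text, min_users=5, max_avg_tries=2.0, min_fail_rate=0.8):
    """Flag source IPs whose logins look like credential stuffing:
    many distinct usernames, few tries per username, mostly failures.
    Thresholds are assumed starting points, not tuned values."""
    tries = defaultdict(lambda: defaultdict(int))  # ip -> username -> attempts
    fails = defaultdict(int)                       # ip -> failed attempts
    hits = defaultdict(set)                        # ip -> usernames that logged in
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines instead of crashing the detector
        _, ip, user, result = parts
        tries[ip][user] += 1
        if result == "OK":
            hits[ip].add(user)
        else:
            fails[ip] += 1
    flagged = {}
    for ip, per_user in tries.items():
        total = sum(per_user.values())
        if (len(per_user) >= min_users
                and total / len(per_user) <= max_avg_tries
                and fails[ip] / total >= min_fail_rate):
            # A success from a flagged source means a recycled, leaked password
            # worked: those accounts need a forced reset and session revocation.
            flagged[ip] = {"users_tried": len(per_user),
                           "accounts_to_reset": sorted(hits[ip])}
    return flagged

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

A user who mistypes a password once (198.51.100.20) and repeated guessing against a single account (192.0.2.50) are not flagged, because neither touches many distinct usernames.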
Daniel Card, the founder of the cyber security company PwnDefend, said about this leak: “I know it may sound funny, but what does 1.5 billion new passwords matter? When databases reach such a turning point in terms of the number and uniqueness of passwords, it doesn’t matter how many new passwords are added. When we look at how people choose passwords, does it change the world? Probably not. I don’t think this will in any way change the threat posed by actors in this area.”
Other cybersecurity experts agree with Daniel Card. Ian Thornton-Trump, senior director of threat intelligence at Cyjax, said in this regard: “This huge amount of data, despite the fact that it shows the terrible state of identity management and access control, as well as the lack of protection of this information, can be a shock and concern. But I think it will reach a point where the immense size of this collected data will make it almost useless.” Of course, he confirms that this will happen, but the real issue is the lack of multi-factor authentication (MFA), which still does not exist in many organizations around the world. He concludes that there may be a need for laws to make the use of MFA mandatory for logging into SaaS platforms.
