‘RockYou2024’: Nearly 10 billion passwords leaked online

On a popular hacking forum, a user has leaked a file that contains 9,948,575,739 unique plaintext passwords. The list appears to be a compilation of passwords that were obtained during several old and more recent data breaches.

The list is referred to as RockYou2024 because of its filename, rockyou.txt.

To cybercriminals the list has some value because it contains real-world passwords. This means that if an attacker tried this list of passwords to break into an account (known as a brute force attack) they’d be more likely to get in than by trying a list of any old letters and words. However, it’s highly unlikely that there are any services or websites that would allow anyone to try such an enormous number of passwords, so it’s really only useful to attackers who have stolen a password database and are trying to crack its passwords offline, on their own computer.

Another possible use for cybercriminals is to combine the list with data from other breaches, such as combinations of usernames and passwords, which could get results if the password has been reused. If the cybercriminals also have a list that contains hashed passwords, they could even try to match the hash values of the passwords.
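As an added illustration that is not part of the original article, the Python below shows the hash matching described above from the defender’s side: the leaked plaintexts are hashed once, and the resulting set is used both to block listed passwords at registration and to audit which stored (unsalted) hashes already match one. The wordlist entries and account hashes are constructed samples, not data from the leaked file.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed sample entries of the kind a leaked wordlist contains
# (not taken from the RockYou2024 file).
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2024"]

# Constructed unsalted SHA-1 hashes for hypothetical accounts, standing in
# for a stolen password database that stores hashes rather than plaintext.
SAMPLE_ACCOUNT_HASHES: Dict[str, str] = {
    "alice": hashlib.sha1(b"letmein").hexdigest(),
    "bob": hashlib.sha1(b"Tr0ub4dor&3-long-unique").hexdigest(),
    "carol": hashlib.sha1(b"qwerty").hexdigest(),
}


def wordlist_hashes(words: Iterable[str], algo: str = "sha1") -> Set[str]:
    """Hash every plaintext entry once with the algorithm the database uses.
    For unsalted hashes this single table answers every lookup; a per-user
    salt defeats it, because the list would have to be rehashed per account."""
    return {hashlib.new(algo, w.encode("utf-8")).hexdigest() for w in words}


def is_in_wordlist(password: str, hashes: Set[str], algo: str = "sha1") -> bool:
    """Registration-time check: reject a candidate that appears in the leaked
    list. Only the candidate's hash is computed and looked up in the set."""
    return hashlib.new(algo, password.encode("utf-8")).hexdigest() in hashes


def accounts_with_listed_passwords(account_hashes: Dict[str, str],
                                   hashes: Set[str]) -> List[str]:
    """Internal audit: which accounts' stored unsalted hashes equal the hash
    of a listed password. Run by the defender to force resets before anyone
    with a copy of the database does the same comparison offline."""
    return sorted(user for user, h in account_hashes.items() if h in hashes)


if __name__ == "__main__":
    table = wordlist_hashes(SAMPLE_WORDLIST)
    for candidate in ("qwerty", "Tr0ub4dor&3-long-unique"):
        print(candidate, "listed:", is_in_wordlist(candidate, table))
    print("accounts to reset:", accounts_with_listed_passwords(SAMPLE_ACCOUNT_HASHES, table))
```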

Having the actual password makes an attack a lot easier than a pass-the-hash attack, where an attacker tries to authenticate to a remote server or service by presenting the hash of a user’s password. Pass-the-hash only works against services that accept the hash itself for authentication; most services require the associated plaintext password.

To cut a long story short, if you don’t reuse passwords and never use “simple” passwords, like single words, then this release should not concern you. If you use multi-factor authentication (MFA), and you should everywhere you can, there’s also no reason to worry about this.

Check your digital footprint

Malwarebytes has a free tool for you to find out how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.


ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.