The most significant password leak in history occurred on the Fourth of July. This leak, dubbed RockYou2024 by its original poster, “ObamaCare,” on a leading hacking forum, compiles 9,948,575,739 unique passwords in plain text. That is 9.9 billion, almost 10 billion, leaked passwords, so we’re looking at an attack on a truly unprecedented scale here [h/t Cybernews].
...Right? Well, there are some caveats to this. Make no mistake: you should still take this seriously and change your passwords semi-frequently or use a secure password manager instead of cycling through a few different passwords depending on the service. Enabling 2FA (Two-Factor Authentication) or MFA (Multi-Factor Authentication) is also a wise move in the right direction.
However, despite its historical scope, RockYou2024 is primarily a compilation of previous password leaks. It’s also built on a prior “RockYou2021” compilation with 8.4 billion passwords.
So, between RockYou2021 and RockYou2024, only about 1.5 billion more passwords were added to the list. According to hacker ObamaCare, at least some of these 1.5 billion passwords were newly cracked with the help of their RTX 4090, a tactic we’ve been warned about before.
Cybernews’ original coverage of these posts includes statements from its team on what to expect and do moving forward. The Cybernews team said, “Attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware. Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts.”
While Cybernews is probably correct about this, the fact that this is primarily a compilation of already-existing leaks dating as early as 2021 does somewhat take away from the impact of the “9.9 billion leaked passwords” headline.
Users should still take the appropriate precautions since the list has been updated and maintained since 2021. Of course, cybersecurity is an ongoing battle, but at the risk of being contrarian, this is still mostly just a compilation of hackers’ existing work from database breaches that have already happened.
You will most likely be fine if you’ve been correctly practicing password management and/or rotation for over a year, or since before the original 2021 attack. It never hurts to be safe and secure your digital accounts a little more, though, especially in today’s digital age.