Security researchers have issued a warning about one of the largest databases of leaked passwords that has emerged online, Forbes reported.
The database, a text file named “RockYou2024,” contains an astonishing 9,948,575,739 unique passwords stored in plain text and was posted on a forum popular with hackers at the end of last week.
According to CyberNews experts, this massive collection of stolen passwords could lead to a wave of data breaches, financial fraud, and identity theft, GB News reported.
The database appears to be a mix of old and new data breaches.
“In essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing this many passwords to threat actors substantially heightens the risk of credential stuffing attacks,” researchers said.
Credential stuffing is a common method hackers use to gain unauthorized access to multiple sites by using stolen login credentials from one site.
Re-using the same login information across multiple platforms makes individuals vulnerable to this type of cyber-attack.
The team at CyberNews cautioned: “Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset.”
RockYou2024.txt builds on an earlier leak, RockYou2021.txt, a text file shared by hackers online three years ago.
How to protect against credential stuffing:
Immediately reset passwords for all accounts that use a password included in the database.
Create a unique alphanumeric password for each online account.
Enable multi-factor authentication, such as a one-time code sent to your phone, to protect accounts.
Use a password manager to store and manage complex passwords.
Use tools to check whether your details have been breached.
If your password has eight or fewer characters, it could be cracked in just 17 seconds, researchers found.
The breach highlights the importance of special characters: most of the leaked passwords were either all-lowercase or all-uppercase English letters followed by a few numerical digits.
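The two checks the article recommends, looking up a password in a leaked compilation and spotting the weak pattern the researchers describe, as an added example that is not part of the article or of any CyberNews tool. The lookup uses the SHA-1 prefix (k-anonymity) scheme of Have I Been Pwned's Pwned Passwords range API, so a client never discloses the full password; `SAMPLE_LEAK` is a constructed stand-in for a file like RockYou2024.txt.

```python
import hashlib
import re

# Constructed sample standing in for a plaintext dump such as RockYou2024.txt.
# A real compilation runs to billions of lines; the index below only needs
# SHA-1 digests grouped by their first five hex characters.
SAMPLE_LEAK = ["password", "123456", "qwerty", "letmein", "Summer2024", "iloveyou"]


def build_range_index(passwords):
    """Index leaked passwords by SHA-1 prefix: {prefix5: {suffix35, ...}}.
    This is the shape a k-anonymity range lookup returns for one prefix."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_leaked(password, index):
    """Return True if the password appears in the indexed compilation.
    Only the 5-char prefix would leave the client if the index were remote;
    the suffix comparison happens locally, so the password itself stays put."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in index.get(prefix, set())


def weakness_flags(password):
    """Return the reasons a password matches the profile seen in the leak:
    eight or fewer characters, no special characters, or a single letter case
    followed by a few digits (the dominant pattern in the dump)."""
    flags = []
    if len(password) <= 8:
        flags.append("length<=8")
    if not re.search(r"[^A-Za-z0-9]", password):
        flags.append("no-special-chars")
    if re.fullmatch(r"[a-z]+[0-9]*|[A-Z]+[0-9]*", password):
        flags.append("single-case-letters+digits")
    return flags


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_LEAK)
    for candidate in ["letmein", "Summer2024", "correct horse battery staple"]:
        print(candidate, "leaked" if is_leaked(candidate, idx) else "not in sample",
              weakness_flags(candidate))
```

Against a real corpus, replace `SAMPLE_LEAK` with the digests for one prefix fetched from a range endpoint or pre-hashed from a local file; the calling code does not change.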