RockYou2024 Leak Unleashes 10 Billion Passwords

The largest password compilation ever recorded, named RockYou2024, was recently leaked on a widely-known hacking forum. This compilation includes 9,948,575,739 unique plaintext passwords and was posted on July 4th by a user with the handle “ObamaCare.”

Experts suggest that the RockYou2024 collection comprises passwords from both historical and recent data breaches. Essentially, this leak exposes a vast number of real-world passwords used globally, significantly increasing the risk of credential stuffing attacks.

Credential stuffing attacks are a common tactic used by threat actors, relying on large compilations like RockYou2024 to compromise users’ accounts. These attacks involve using lists of compromised credentials to gain unauthorized access to user accounts across multiple services.

The RockYou2024 compilation builds upon the previous RockYou2021 collection, which surfaced in 2021 with 8.4 billion password entries. This earlier collection was likely compiled from various previous data leaks and breaches. The name “RockYou2021” refers to the infamous 2009 RockYou data breach, where attackers accessed over 32 million plaintext passwords from the social app website’s servers.

Between 2021 and 2024, the dataset has expanded by 15%, with an additional 1.5 billion passwords from various internet data leaks. The latest compilation is believed to contain data from more than 4,000 databases, gathered over more than two decades, tracing its origins back to the significant 2009 RockYou breach.