A record 10 billion passwords were just posted to a popular hacking forum

Skye Jacobs

Why it matters: Experts say passwords cannot guarantee online security, yet they remain the primary pillar of most people's digital protection. That is why the recent posting of a database containing nearly 10 billion unique plaintext passwords has raised alarms in security circles. Here are some tips to determine if your password is among them and how to shore up your defenses.

Last week, a user going by the handle "ObamaCare" posted what cybersecurity experts believe to be the largest compilation of passwords ever posted to a hacking forum. The file, titled rockyou2024.txt, contains 9,948,575,739 unique plaintext passwords. ObamaCare has a history of leaking data, including an employee database from the law firm Simmons & Simmons, a leak from the online casino AskGamblers, and student applications for Rowan College at Burlington County.

"Xmas came early this year," ObamaCare wrote on the forum. "I present to you a new rockyou2024 password list with over 9.9 billion passwords!"

Cybernews determined that these passwords came from old and new data breaches, built on top of the earlier "RockYou2021" compilation of 8.4 billion passwords. That only about 1.5 billion sets of credentials are new certainly lessens the dump's impact. However, 1.5 billion is still a massive number of passwords at risk, so experts are right to warn that this database can be a potent tool for hackers.

According to Verizon's 2021 Data Breach Investigations Report, 61 percent of breaches stem from leveraged credentials. Google Cloud's 2023 Threat Horizons Report puts that share even higher, finding that 86 percent of breaches involve stolen passwords. Both online and offline services, as well as internet-facing cameras and industrial hardware, are at risk. Worse yet, RockYou2024 could facilitate a wave of data breaches, financial fraud, and identity theft when combined with other leaked databases containing email addresses and credentials.

Cybernews has an online tool to help users check for compromised passwords. The Leaked Password Checker allows anybody to enter their password to see if it appears in any known breaches, including RockYou2024. Alternatively, Have I Been Pwned has a similar lookup tool to check if your email address or password has been part of a data breach.

If your password is compromised, change it immediately and create a separate one for each account. Other security tips that bear repeating include enabling multi-factor authentication, which requires additional verification beyond just a password, and using a password manager. These tools can generate and store complex passwords for you, reducing the risk of password reuse.
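The Have I Been Pwned lookup mentioned above works by k-anonymity: the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned "suffix:count" lines locally, so the password itself never leaves the machine. The following is an added example (not code from the article or from Have I Been Pwned) that implements that client-side check; the range response it runs against is a constructed stand-in, with only the hash suffix of "password" being real, and the counts being made up.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_parts(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF) into a {suffix: count} map.
    Zero-count entries are padding (returned when the Add-Padding header is
    set) and are dropped so they can never produce a false match."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines and junk
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.strip().upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network): only the 5-char prefix is transmitted."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> int:
    """Return how often the password appears in the corpus (0 = not found)."""
    prefix, suffix = hash_parts(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed stand-in for the range/5BAA6 response so this runs offline.
# Line 1 carries the real SHA-1 suffix of "password" with a made-up count;
# line 2 is a made-up neighbour; line 3 mimics a zero-count padding entry.
SAMPLE_RANGE_5BAA6 = ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\r\n"
                      "1E2B3C4D5E6F70819A2B3C4D5E6F70819A2:3\r\n"
                      + "F" * 35 + ":0\r\n")
OFFLINE_FETCH = lambda prefix: SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {check_password(pw, OFFLINE_FETCH)} times")
```

Replace `OFFLINE_FETCH` with the default `fetch_range` to query the real service; the same prefix-only design is what makes the check safe to run on a password you still use.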

Well there was a time when I remembered my passes, now all of them are 32 chars or more long and stored in a manager.
Does your manager check for compromised passes?
 
Your password will ALWAYS get compromised eventually. The reason for this is that the company/website you are a part of will eventually get hacked and its DB will be leaked…

Password complexity only protects (slightly) against a brute force hacker - which is rarer and rarer these days. If they’re using one of these leaked pw dumps, the complexity of your password is irrelevant.

Using a password manager only exacerbates the problem - as THEY can be hacked and their database leak will now contain ALL of your accounts/passwords conveniently in one place for the hacker!

Enable 2fa in everything you can - that is the best protection, which, while not perfect, will at least protect you from most hacking attempts.
 
Yes, 2FA will at least keep you safe, if you don't mind the notifications in case someone brute-forces your account. I had my BattleNet, Rockstar and other accounts secured with 2FA and received a load of notifications that someone from another country was trying to log in. Changed the password for each right away.
 
Well there was a time when I remembered my passes, now all of them are 32 chars or more long and stored in a manager.
Does your manager check for compromised passes?
There are tools that read from password lists like these, continually retrying the next password in the list until all have been attempted. Usernames are generally not required (they are obtained elsewhere, but most are public anyway).
This could be a good resource for system administrators to make a tool that checks user passwords against this list, to be sure that no account passwords have been compromised.
 