Hacker leaks nearly 10 billion passwords in biggest haul ever, says report

A hacker has leaked nearly 10 billion passwords in the biggest haul of all times, according to a report.

The leak is the latest of the large volume of hacked passwords and personal information leaked on the internet. Earlier this year, up to 12 terabytes of data was leaked online which contained nearly 26 billion digital records stolen from platforms like LinkedIn, Twitter, Weibo, and Tencent.

Now, Cyber News has reported that a user calling themselves ‘ObamaCare’ has leaked a total of 9,948,575,739 unique passwords in a dataset named ‘rockyou2024’ on a popular hacking forum on the internet. The dataset was posted on the forum on Thursday.

This is not the first time that ‘ObamaCare’ has posted stolen data on the internet. Previously, the report said the user has shared employee database from the law firm Simmons & Simmons, a lead from online casino AskGamblers, and applications for Rowan College at New Jersey.

‘RockYou2024’ dataset compiled over many years, says report

The researchers at Cyber News, who studied the dataset, said that it was compiled for more than 10 years and the dataset released this week is the third such dataset.

The ‘RockYou2024’ dataset is the compilation of several newly-stolen passwords and many previously stolen, said researchers quoted in the report.

In 2021, a dataset named ‘RockYou2021’ was released that had around 8.4 billion stolen passwords. The dataset released this week has added around 1.5 billion more passwords to this database.

In turn, the dataset uploaded in 2021 was built upon another dataset released in 2009 that had “tens of millions user passwords for social media accounts”, according to the report.

How can such leaks harm you?

Passwords leaked in such datasets can be used to mount credential stuffing attacks and brute force attacks.

Credential stuffing attacks refer to the criminals’ practice of using password stolen from one device or account to gain access to another device or account. The premise is that users often use a common password across different accounts and devices, so criminals rely on such passwords to access other or all of the users’ accounts.

A brute force attack refers to criminals employing a trial-and-error approach to systematically guess sign-in information, passwords, and encryption keys.

Cyber News researchers said that the 10-billion-strong database can be used to target everything from online to offline services to internet-facing cameras and industrial hardware.

“Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” said the Cyber News researchers.