{"id":131684,"date":"2024-07-08T16:14:07","date_gmt":"2024-07-08T20:14:07","guid":{"rendered":"https:\/\/rbach.net\/?p=131684"},"modified":"2024-07-08T16:14:07","modified_gmt":"2024-07-08T20:14:07","slug":"massive-data-leak-exposes-10-billion-unencrypted-passwords","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/massive-data-leak-exposes-10-billion-unencrypted-passwords\/","title":{"rendered":"Massive Data Leak Exposes 10 Billion Unencrypted Passwords"},"content":{"rendered":"\r\n<p><a href=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/A-massive-explosion-with-passwords-on-a-white-background-with-a-digital-glitch-effect-look-1.jpg?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-131734\" title=\"Massive Data Leak Exposes 10 Billion Unencrypted Passwords\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/A-massive-explosion-with-passwords-on-a-white-background-with-a-digital-glitch-effect-look-1.jpg?resize=125%2C125&#038;ssl=1\" alt=\"Massive Data Leak Exposes 10 Billion Unencrypted Passwords\" width=\"125\" height=\"125\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/A-massive-explosion-with-passwords-on-a-white-background-with-a-digital-glitch-effect-look-1.jpg?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/A-massive-explosion-with-passwords-on-a-white-background-with-a-digital-glitch-effect-look-1.jpg?resize=75%2C75&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/A-massive-explosion-with-passwords-on-a-white-background-with-a-digital-glitch-effect-look-1.jpg?resize=768%2C768&amp;ssl=1 768w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/A-massive-explosion-with-passwords-on-a-white-background-with-a-digital-glitch-effect-look-1.jpg?w=1024&amp;ssl=1 1024w, 
https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/A-massive-explosion-with-passwords-on-a-white-background-with-a-digital-glitch-effect-look-1.jpg?w=960&amp;ssl=1 960w\" sizes=\"auto, (max-width: 125px) 100vw, 125px\" \/><\/a>On July 4, 2024, a <strong>record-setting data leak<\/strong> occurred. &#8220;<a title=\"Cybernews\" href=\"https:\/\/cybernews.com\" target=\"_blank\" rel=\"nofollow noopener\">Cybernews<\/a>&#8221; <a title=\"RockYou2024: 10 billion passwords leaked in the largest compilation of all time\" href=\"https:\/\/cybernews.com\/security\/rockyou2024-largest-password-compilation-leak\/\" target=\"_blank\" rel=\"nofollow noopener\">reports<\/a> that nearly <strong>10 billion unique passwords<\/strong> were posted to the dark web. The staggering <a title=\"Check Your Accounts: 10 Billion Passwords Exposed in Largest Leak Ever\" href=\"https:\/\/www.pcmag.com\/news\/rockyou2024-10-billion-passwords-exposed-largest-leak-ever\" target=\"_blank\" rel=\"nofollow noopener\">9,948,575,739<\/a> unique passwords come from a mix of old and new data breaches. Listed in a hacker forum as <strong>rockyou2024.txt<\/strong>, these passwords were in plaintext. 
&#8216;Plaintext&#8217; means that these passwords are not encrypted &#8211; they are actual passwords, released in a text file.<\/p>\r\n<p><a href=\"https:\/\/webmaster-success.com\/4-things-i-would-never-do-to-get-traffic-to-my-blog\/\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-131739\" title=\"updated the older file with 1.5 billion passwords\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Work-in-progress-e1720468712692-150x94.png?resize=89%2C56&#038;ssl=1\" alt=\"updated the older file with 1.5 billion passwords\" width=\"89\" height=\"56\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Work-in-progress-e1720468712692.png?resize=150%2C94&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Work-in-progress-e1720468712692.png?resize=75%2C47&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Work-in-progress-e1720468712692.png?w=300&amp;ssl=1 300w\" sizes=\"auto, (max-width: 89px) 100vw, 89px\" \/><\/a>According to the hacker, the new release is based on RockYou2021&#8217;s 8.4 billion records from 2021.\u00a0Specifically, the hacker updated the older file with 1.5 billion passwords obtained between 2021 and 2024. 
&#8220;Cybernews&#8221; explains that the RockYou2021 compilation was an expansion of a 2009 data leak, which included tens of millions of user passwords for social media accounts.<\/p>\r\n<p>The hacker posted: <em>&#8220;I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years.<\/em>&#8221; Estimates suggest that the RockYou2024 file contains entries from 4,000 large databases of stolen credentials, spanning at least 20 years.<\/p>\r\n<h3>Data leak can target any system<\/h3>\r\n<p><a href=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Hacker3-e1720465037882.jpg?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-131735\" title=\"data leak can target any system\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/Hacker3-e1720465037882-150x101.jpg?resize=90%2C61&#038;ssl=1\" alt=\"data leak can target any system\" width=\"90\" height=\"61\" \/><\/a>Importantly, this data leak can be used to target any system. The author believes that attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn\u2019t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware.<\/p>\r\n<p>&#8220;Cybernews&#8221; describes the RockYou2024 data leak file as &#8220;<em>a mix of old and new data breaches<\/em>,&#8221; indicating it may not be a new breach of 10 billion passwords. 
Nonetheless, compiling all these passwords into one massive, searchable database, they warn, &#8220;<em>substantially heightens the risk of <strong>credential stuffing attacks.<\/strong><\/em>&#8221;<\/p>\r\n<h3>Data breach enables attacks<\/h3>\r\n<p><a href=\"https:\/\/www.ckd3.com\/blog\/credentialstuffing\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-131737\" title=\"How Attackers Access Your Accounts Using Credential Stuffing\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/My-first-design-2.png?resize=90%2C67&#038;ssl=1\" alt=\"How Attackers Access Your Accounts Using Credential Stuffing\" width=\"90\" height=\"67\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/My-first-design-2.png?resize=150%2C111&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/My-first-design-2.png?resize=75%2C56&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/My-first-design-2.png?resize=768%2C569&amp;ssl=1 768w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/My-first-design-2.png?w=954&amp;ssl=1 954w\" sizes=\"auto, (max-width: 90px) 100vw, 90px\" \/><\/a>Credential stuffing occurs when hackers use automated scripts to try various combinations of stolen usernames and passwords from different data breaches to hijack people\u2019s accounts. 
For instance, someone might use a password obtained from <a title=\"Data Dump Allegedly Tied to 70 Million AT&amp;T Customers Leaks Online\" href=\"https:\/\/www.pcmag.com\/news\/data-dump-allegedly-tied-to-70-million-att-customers-leaks-online\" target=\"_blank\" rel=\"nofollow noopener\">the AT&amp;T breach<\/a> to see if you use the same password for your bank account.<\/p>\r\n<p>To check if your passwords are compromised, visit these websites:<\/p>\r\n<ul>\r\n<li><a title=\"Has your password leaked?\" href=\"https:\/\/cybernews.com\/password-leak-check\/\" target=\"_blank\" rel=\"nofollow noopener\">Cybernews<\/a><\/li>\r\n<li><a title=\"Have I Been Pwned\" href=\"https:\/\/haveibeenpwned.com\/\" target=\"_blank\" rel=\"nofollow noopener\">Have I Been Pwned<\/a><\/li>\r\n<\/ul>\r\n<h3><em>RB-<\/em><\/h3>\r\n<p><em>The RockYou2024 data leak list is new, so at the time of this writing, it&#8217;s unclear if any private data has been compromised as a direct result of this compilation. Anyone using online services should assume their passwords could be on this list.<br \/><\/em><\/p>\r\n<p><em>In the meantime, don\u2019t freak out about RockYou2024. 
Experts recommend:<\/em><\/p>\r\n<ol>\r\n<li>Continue your activities while adhering to <em><a title=\"How to Create a Strong Password: Tips\" href=\"https:\/\/vpnoverview.com\/wp-content\/uploads\/infographic-tips-to-create-strong-and-safe-passwords.png\" target=\"_blank\" rel=\"nofollow noopener\">password best practices<\/a><\/em>, such as regularly changing passwords.<\/li>\r\n<li><em>Set up a password manager.<\/em><\/li>\r\n<li><em>Enable MFA wherever possible.<\/em><\/li>\r\n<\/ol>\r\n<p><strong>Related article<\/strong><\/p>\r\n<ul>\r\n<li><a title=\"Data Breaches That Have Happened in 2022, 2023 and 2024 So Far\" href=\"https:\/\/tech.co\/news\/data-breaches-updated-list\" target=\"_blank\" rel=\"nofollow noopener\">Data Breaches That Have Happened in 2022, 2023 and 2024 So Far<\/a>\u00a0 (<a title=\"Tech.co\" href=\"https:\/\/tech.co\" target=\"_blank\" rel=\"nofollow noopener\">Tech.co<\/a>)<\/li>\r\n<\/ul>\r\n<p><em><a title=\"Ralph Bach\" href=\"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener\">Ralph Bach<\/a> has been in IT for a while and has blogged from the <a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener\">Bach Seat<\/a> about IT, careers, and anything else that has caught my attention since 2005. You can follow me on <a title=\"Facebook\" href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener\">Facebook<\/a>. 
Email the Bach Seat <a title=\"Email Bach Seat\" href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/em><\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>A data leak of nearly 10 billion unique passwords was posted to the dark web which substantially heightens the risk of credential stuffing attacks.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[3719,125,3387,2541,4],"class_list":["post-131684","post","type-post","status-publish","format-standard","hentry","tag-3719","tag-data-breach","tag-data-leak","tag-passwords","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/131684","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=131684"}],"version-history":[{"count":12,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/131684\/revisions"}],"predecessor-version":[{"id":131742,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/131684\/revisions\/131742"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=131684"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=131684"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=131684"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}