
Hackers leaked nearly 10 billion stolen passwords on a forum
Recent reports indicate that approximately 10 billion stolen passwords were leaked onto a hacker forum. A total of 9,948,575,739 unique, plaintext passwords were uploaded to the forum on July 4, 2024, under the file name rockyou2024.txt. The compilation is suspected to be an extension of a previous credential database, adding roughly 1.5 billion new passwords to the mix.
Given the large number of exposed passwords, individuals or organizations that frequently reuse passwords could be vulnerable. Chris Bates, CISO at SandboxAQ, advises, “Companies should operate under the assumption that all passwords have been compromised and implement appropriate mitigating controls. This includes phishing-resistant MFA, passwordless authentication, and behavior-based detection and response programs to identify malicious activities.”
Some researchers have questioned the significance of the data added via rockyou2024.txt, suggesting that a portion of the information may be of little use to malicious actors. Nonetheless, it is recommended that individuals and organizations enhance their security practices now and in the future.
“It is crucial for organizations to establish and enforce strict password policies, educate users about the dangers of password reuse, and implement widespread adoption of multifactor authentication,” advises Dr. Marc Manzano, General Manager of Cybersecurity at SandboxAQ. “Furthermore, bolstering overall IT systems security through the deployment of modern cryptography management platforms will be key in safeguarding against large-scale threats involving stolen passwords.”
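One concrete form of the "assume every password is compromised" control the advice above calls for is screening new passwords against a leaked wordlist at enrollment. The example below is added here and is not the article's or SandboxAQ's code; it assumes the organization holds a local copy of such a wordlist (a constructed six-line sample stands in for rockyou2024.txt) and uses the five-character SHA-1 prefix lookup that k-anonymity breach-check services use, so the password itself never leaves the client.

```python
import hashlib
from collections import defaultdict

# Constructed sample standing in for a leaked plaintext wordlist such as
# rockyou2024.txt (one candidate per line). Values are made up for this example.
LEAKED_WORDLIST = """password
123456
qwerty
letmein
Summer2024!
iloveyou""".splitlines()

PREFIX_LEN = 5  # the only part of the hash a client has to reveal (k-anonymity)


def split_digest(password: str, prefix_len: int = PREFIX_LEN):
    """Hash the password with SHA-1 (the prefix-lookup convention used by
    k-anonymity breach services) and split the hex digest into prefix and suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:prefix_len], digest[prefix_len:]


def build_prefix_index(wordlist, prefix_len: int = PREFIX_LEN):
    """Server side: index every leaked password's hash suffix under its prefix,
    so a lookup by prefix returns a bucket rather than a yes/no on one password."""
    index = defaultdict(set)
    for pw in wordlist:
        prefix, suffix = split_digest(pw.rstrip("\r\n"), prefix_len)
        index[prefix].add(suffix)
    return index


BREACH_INDEX = build_prefix_index(LEAKED_WORDLIST)


def is_breached(password: str, index=None) -> bool:
    """Client side: send only the prefix, receive the bucket of suffixes, and
    compare locally. The full password or hash never leaves the client."""
    if index is None:
        index = BREACH_INDEX
    prefix, suffix = split_digest(password)
    bucket = index.get(prefix, set())  # what the lookup service would return
    return suffix in bucket


def screen_new_password(password: str, index=None) -> str:
    """Enrollment policy hook: refuse any password present in the breach corpus,
    however strong it looks; everything else passes to the next policy check."""
    if is_breached(password, index):
        return "reject: appears in leaked wordlist"
    return "accept"
```

With the real file the index would be built once offline and served by prefix; the client logic is unchanged.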