The database, which is a text file called “RockYou2024”, contains a staggering 9,948,575,739 unique passwords stored in plain text and was posted on a forum popular with hackers late last week.
The database appears to be a mix of old and new data leaks.
“At its core, the RockYou2024 leak is a compilation of real passwords used by individuals around the world. Revealing that many passwords to threat actors substantially increases the risk of credential stuffing attacks,” the researchers said.
Credential stuffing is a prevalent method by which hackers use stolen credentials from one site to gain unauthorized access to another.
Reusing the same credentials across multiple platforms can leave individuals vulnerable to this type of cyber attack.
The team at CyberNews warned: “Threat actors could exploit the RockYou2024 password compilation to perform brute-force attacks and gain unauthorized access to various online accounts used by individuals using the passwords contained in the dataset.”
How to protect against credential stuffing?
For those looking to protect against credential stuffing or other types of post-breach attacks, the CyberNews team advises:
Immediately reset the passwords for all accounts that rely on a password contained in the database.
Create a unique alphanumeric password for each online account.
To protect your accounts, enable multi-factor authentication, such as a one-time code sent to your phone number.
Use available tools to check whether your data has been breached.
If your password is eight characters or fewer, it could be cracked in just 17 seconds, researchers have found.
The breach highlights the importance of special characters, as most of the leaked passwords consisted of either lowercase or uppercase English letters with a few digits.
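
The advice above to reset any password found in the database, and to stop reusing one password across accounts, can be checked locally. The following is an added example, not code from the article or from CyberNews. It assumes a wordlist in the same one-password-per-line plain-text layout; the function names, account labels and sample data are constructed for illustration.

```python
import io
from collections import defaultdict

# Constructed sample data: a tiny wordlist in one-password-per-line layout,
# with mixed line endings, a trailing-space entry and a non-UTF-8 line, as
# compiled lists often contain.
SAMPLE_WORDLIST = b"123456\npassword\r\nqwerty \nletmein1\n\xff\xfebroken\n"
# Constructed account -> password map, e.g. from a password manager export.
SAMPLE_ACCOUNTS = {
    "mail": "password",
    "shop": "password",
    "bank": "T7#vq!Lr2@xE9",
    "forum": "qwerty",
    "games": "letmein1",
}

def audit_passwords(accounts, wordlist):
    """Return (exposed, reused) for an account -> password mapping.

    wordlist is any iterable of byte lines (a file opened in 'rb' mode works),
    so a multi-gigabyte list is streamed once and never loaded into memory.
    """
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password.encode("utf-8")].append(account)

    exposed = set()
    remaining = set(by_password)          # passwords not yet seen in the list
    for raw in wordlist:
        # Strip only line terminators: spaces can be part of a password.
        candidate = raw.rstrip(b"\r\n")
        if candidate in remaining:
            exposed.update(by_password[candidate])
            remaining.discard(candidate)
            if not remaining:             # everything matched, stop early
                break

    # Accounts sharing one password are exposed together if any one site leaks.
    reused = sorted(sorted(g) for g in by_password.values() if len(g) > 1)
    return sorted(exposed), reused

def run_sample():
    return audit_passwords(SAMPLE_ACCOUNTS, io.BytesIO(SAMPLE_WORDLIST))

if __name__ == "__main__":
    exposed, reused = run_sample()
    print("Reset now (password is in the list):", ", ".join(exposed))
    for group in reused:
        print("Same password reused on:", ", ".join(group))
```

Every account reported as exposed needs a new, unique password, and each reuse group should be split so that one leaked password no longer opens several accounts.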