“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” researchers said.
Credential stuffing attacks can be severely damaging for users and businesses alike. A recent wave of attacks against Santander, Ticketmaster, Advance Auto Parts, QuoteWizard and others, for example, stemmed from credential stuffing against the victims’ accounts at their cloud service provider, Snowflake.
“Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset,” the team explained.
RockYou2024 is a massive compilation that attackers assembled by aggregating passwords from many earlier internet leaks. Between 2021 and 2024 it grew by roughly 1.5 billion passwords, about a 15% increase. The name goes back to the 2009 breach of RockYou, a social-media application developer, which exposed tens of millions of plaintext passwords. The RockYou2021 compilation extended that original list into the billions, and the dataset has kept growing since, likely incorporating material from over 4,000 databases collected over more than twenty years.
A ten-billion-entry wordlist like RockYou2024 is a significant threat to any system that can be brute-forced, whether online (login forms, internet-facing cameras, industrial hardware exposed to the network) or offline (password hashes an attacker has already stolen from a breached database). On its own the compilation contains passwords, not usernames, so it fuels dictionary and password-spraying attacks; it is the pairing with other leaked data that turns it into credential stuffing material. “Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” the team said.
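The practical defence against a compilation like this, on the service side, is to refuse any password that appears in it (the NIST SP 800-63B "blocklist" control) so that a dictionary or stuffing attempt built from the list fails before it starts. The example below is added here and is not code from the article or from the researchers it quotes. It shows one way to do that screening at scale: a Bloom filter built by streaming the wordlist once, so the check stays in memory even for a file far too large to load as a set, at the cost of a tunable false-positive rate (a leaked password is never missed, but an unleaked one may occasionally be rejected). The wordlist entries are constructed for illustration and are not lines from the real RockYou2024 file; the function names and the 8-character minimum are the author's choices, not anything the article specifies.

```python
import hashlib
import io
import math

# Constructed sample of a RockYou-style wordlist (one password per line).
# Illustrative entries only, not lines from the real compilation.
SAMPLE_WORDLIST = """\
123456
password
iloveyou
princess
rockyou
Summer2024!
letmein
"""


class BloomFilter:
    """Bit array with k hash positions per item.

    Membership tests can return false positives but never false negatives,
    which is the right trade-off for a password blocklist.
    """

    def __init__(self, expected_items: int, false_positive_rate: float = 1e-6):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, int(-expected_items * math.log(false_positive_rate) / (math.log(2) ** 2)))
        self.k = max(1, round((self.m / expected_items) * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Derive k positions from one SHA-256 digest via double hashing
        # (h1 + i*h2 mod m), so we pay for a single hash per lookup.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step avoids short cycles
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def build_filter(lines, expected_items: int, false_positive_rate: float = 1e-6):
    """Stream a wordlist line by line into a Bloom filter; returns (filter, lines_added)."""
    bf = BloomFilter(expected_items, false_positive_rate)
    added = 0
    for line in lines:
        pw = line.rstrip("\r\n")
        if pw:
            bf.add(pw)
            added += 1
    return bf, added


# Size the filter for the number of lines you expect in the file (here deliberately
# oversized for the tiny sample; oversizing only costs memory, never correctness).
LEAKED, LEAKED_COUNT = build_filter(io.StringIO(SAMPLE_WORDLIST), expected_items=1000)


def is_known_leaked(password: str) -> bool:
    """True if the password is (probably) in the compilation; never False for a listed one."""
    return password in LEAKED


def screen_password(password: str, min_length: int = 8) -> tuple:
    """Return (accepted, reason) for a user-chosen password."""
    if len(password) < min_length:
        return False, "too short"
    if is_known_leaked(password):
        return False, "appears in leaked-password compilation"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("123456", "Summer2024!", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate))
```

At 1e-6 false positives the filter costs about 29 bits per entry, so the full ten-billion-line compilation would need roughly 36 GB of RAM; a looser rate such as 1e-3 (about 15 bits per entry, 18 GB) is usually acceptable, since a false positive only asks the user to pick another password. Pair the blocklist with per-account and per-source rate limiting on the login endpoint, because the compilation also works against accounts whose passwords were set before the check existed.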