We Will Rock You: RockYou2024
Welcome to what some are calling the biggest data leak of all time. All time? All time.
10 billion credentials, or 9,948,575,739 unique plaintext passwords to be exact, were leaked in what is being called RockYou2024. The list was first posted on a prominent hacking forum.
If you’re wondering where the name comes from, previous similar leaks produced password lists carrying this name, for example rockyou2024.txt. The naming convention started in 2009 with a company named RockYou and has carried forward to today. See this blog post for more context.
Credential stuffing attacks ensue as a result of leaks such as this. Known targets have already included Ticketmaster and Santander. But let’s take a look at the full picture when it comes to Rockyou2024.
To put these numbers in context, here are some of the most notable leaks and breaches in recent years.
Adobe: 153 million records
Equifax: 147.9 million records
Facebook: 540 million records
LinkedIn: 164 million records
Marriott International: 500 million records
Target: 110 million records
Sony: 77 million records
Yahoo: 3 billion records
The Good News
Due to the sheer size of this dataset, it sounds very alarming. However, it is a combination of previously leaked passwords (a large number from 2021) and new ones.
This means that users who have since changed their passwords are not affected. According to researchers at Specops, “it’s simply too much low-quality data to successfully use in attacks”. But it sure did catch people’s attention.
Let’s take a look at the use cases in which this list could be used by attackers.
Brute Force Attack
This is what it sounds like: an attacker simply tries every password in the list against an account.
In practice, this is limited because modern websites and applications lock the account out after repeated failures. It only works well if an attacker already has a leaked database in their possession and uses the leaked password list to crack the hashes offline.
To defend against this class of attack, use passphrases instead of simple passwords and use two-factor authentication.
Here’s MITRE’s Documentation on Brute Force Attacks.
https://attack.mitre.org/techniques/T1110/
Credential Stuffing
As mentioned earlier, Credential Stuffing is the other mechanism in which this list could be of use to attackers.
In practice, attackers try these username and password pairs on targeted sites, hoping that users re-use the same password in different places. This is also limited by lockout policies.
To defend against this class of attack, don’t re-use passwords (by whatever means it takes) and, once again, enable two-factor authentication.
If your credentials were part of a data leak, change those ASAP. You can use HaveIBeenPwned for this.
Here’s MITRE’s Documentation on Credential Stuffing
https://attack.mitre.org/techniques/T1110/004/
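Both techniques above are login-guessing attacks that lockout policies limit, and they leave different footprints in authentication logs. As an added example (not code from the original post), here is a small Python detector over constructed auth log lines that separates the two patterns per source IP: repeated failures against one account versus failures spread across distinct accounts. The log format, thresholds and IP addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not from the original post): one source spraying
# several accounts, one hammering a single account, and one benign user.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-07-05T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-07-05T10:00:03Z ip=203.0.113.7 user=carol result=FAIL
2024-07-05T10:00:04Z ip=203.0.113.7 user=dave result=SUCCESS
2024-07-05T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2024-07-05T10:00:10Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:00:11Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:00:12Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:00:13Z ip=198.51.100.9 user=alice result=FAIL
2024-07-05T10:05:00Z ip=192.0.2.44 user=grace result=FAIL
2024-07-05T10:05:30Z ip=192.0.2.44 user=grace result=SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")
def parse_log(text):
    """Return (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def classify_sources(events, window=timedelta(minutes=5), fail_threshold=4):
    """Flag a source with >= fail_threshold failed logins in a sliding window as
    credential stuffing (T1110.004) if spread over distinct accounts, else brute force (T1110)."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward past stale failures
            count = end - start + 1
            if count >= fail_threshold:
                distinct = len({u for _, u in fails[start:end + 1]})
                verdicts[ip] = "credential_stuffing" if distinct * 2 > count else "brute_force"
                break
    return verdicts
```

A SUCCESS from a source already flagged as credential stuffing (dave above) is the event worth alerting on, since that account is likely one whose leaked password was re-used.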
Conclusion
In the end, if you have MFA enabled (which you definitely should), rely on passphrases instead of passwords, and go passwordless when available, you don’t have much to worry about from this latest data leak.
On to the next one.