Is this the biggest password leak ever uncovered? Researchers claim nearly 10 billion credentials under threat — here's what we know so far

Shadowed hands on a digital background reaching for a login prompt.
Image Credit: Shutterstock (Image credit: Shutterstock)

Researchers claim to have uncovered what appears to be the biggest password cache ever uncovered, with 9,948,575,739 unique plaintext passwords inside.

The file, titled ‘rockyou2024.txt’ contains passwords stolen in a mix of old and new attacks, making the file a brute force attackers’ dream.

“In its essence, the RockYou2024 leak is a compilation of real-world passwords used by individuals all over the world. Revealing that many passwords for threat actors substantially heightens the risk of credential stuffing attacks,” Cybernews researchers say.

Reader Offer: Save up to 70% on Aura identity theft protection

Reader Offer: Save up to 70% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal.

 Preferred partner (What does this mean?) 

Brute forcing and credential stuffing treasure trove

The .txt file was posted on July 4 by a user with the handle 'ObamaCare', who has shared leaked passwords from a number of sources since registering in May 2024.

Speaking on the potential dangers of the password leak, the research team said, “Threat actors could exploit the RockYou2024 password compilation to conduct brute-force attacks and gain unauthorized access to various online accounts used by individuals who employ passwords included in the dataset.”

The passwords are compiled from a number of data breaches spanning two decades, with 1.5 billion passwords added to the file from 2021 to 2024.

Cybernews

Image credit: Cybernews (Image credit: Cybernews)

Brute forcing is an attacking technique used by hackers to breach accounts by using combinations of usernames and passwords until successful entry is gained. By automating the process, an attacker can try potentially millions of passwords with ease. A system unprotected against brute-force attacks could quickly succumb to an attacker using this password database.

Similarly to this, the file could also be especially useful for an attacker using a technique called credential stuffing. Using a database of stolen passwords, particularly those stolen from the target organization, an attacker would have a much higher chance of success in breaching a user account. Both online and offline services are at risk, as well as internet facing cameras and industrial hardware, the report says.

Cybernews

Image credit: Cybernews (Image credit: Cybernews)

“Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts,” the research team added.

In order to protect yourself or your organization from a potential attack using this 10 billion strong credential file, the researchers recommend implementing mitigation strategies and checking credentials against the Leaked Password Checker. It may also be worth checking out the best identity theft protection.

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.

Read more
Cartoon Phishing
Over a billion credentials stolen were stolen in malware attacks in 2024
ransomware avast
Billions of credentials were stolen from businesses around the world in 2024
Cartoon Phishing
One of the largest data leaks ever sees info on 1.5 billion people leaked online
No broadband network
Massive online data breach sees 2.7 billion records leaked - here's what we know
Shadowed hands on a digital background reaching for a login prompt.
Private API keys and passwords found in AI training dataset - nearly 12,000 details leaked
Security padlock and circuit board to protect data
Foh&Boh data leak leaves millions of CVs exposed - KFS, Taco Bell, Nordstrom applicants at risk
Latest in Pro
An image of network security icons for a network encircling a digital blue earth.
Why multi-CDNs are going to shake up 2025
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
URL phishing
HaveIBeenPwned owner suffers phishing attack that stole his Mailchimp mailing list
Ransomware
Cl0p resurgence drives ransomware attacks to new highs in 2025
Millwall FC The Den
The UK's first football club mobile network is here - but you probably won't guess which team has launched it
A person using a smartphone with a cybersecurity lock symbol appearing over it.
The growing threat of device code phishing and how to defend against It
Latest in News
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
Oura Ring 4
Activity tracking on Oura Ring is about to get a whole lot better, but I've got bad news about your step count
Google Pixel Buds Pro 2
Cleaned your Pixel Buds Pro 2 recently? If not, you might be getting worse sound
Google Maps on a phone being held in someone's hand
Google Maps is getting two key upgrades, for easier route planning and quicker access to Gemini AI