In 2023, the RockYou2023 contained over 8 billion passwords. This week, an additional 2 billion unique entries have been added to this list and dubbed RockYou2024.

Discovery and Initial Findings

The breach was identified by CyberNews, who identified a user under the pseudonym “ObamaCare” who uploaded the file. The leaked data appeared in a dump on underground forums, prompting immediate action by the researchers.

It has been identified that there is a match between sample data leaks and the passwords contained in this new list, confirming that this list is in fact made up of legitimate data

“Xmas came early this year,” posted user “ObamaCare” on the forum.

Impact on Users and Organizations

This list represents a large volume of passwords that are in active use. Additionally, organizations should be aware of brute-force and most likely updated attempts at password spraying with this new password list. Users with weak passwords and without further protections will continue to fall victim to drive-by attacks.

One of the largest benefits of lists like this are the frequency of commonly used passwords, allowing a threat actor to have a greater success rate with fewer passwords. Recent high use passwords typically use formats such as “seasonYear” eg. Summer2024.

Recommendations for Staying Protected and Moving Forward

Organizations who have not yet implemented multi-factored authentication (MFA) or other identity protection measures are at an increased risk of compromise as a result of this updated list.

Ensuring strong passwords are in use and haven’t been reused throughout the organization is critical, and equally important is implementing MFA to prevent success.