People are generating an increasing amount of data, and the most common way for many of them to protect that data is with a password.
This is why username and password combinations can be extremely valuable: hackers and scammers can use them to initiate attacks on unsuspecting people.
This time, a massive collection of passwords has been leaked online after someone posted 8.4 billion password entries on a popular hacker forum.
The 100GB text file, dubbed 'RockYou2021', contains passwords that range from 6 to 20 characters, with non-ASCII characters and white spaces removed, and the entries can easily be searched within the file.
Its name is a reference to the RockYou data breach in 2009 that exposed 32 million user passwords in a similar manner.
The leak was first spotted by cybersecurity news website CyberNews.
The report does not state how the poster obtained these passwords, or whether all of the password entries are real.
What is certain is that the database also contains leaked passwords from previous data leaks and breaches.
The report claims that it contains so many passwords because it draws on a host of leaked databases from the past, including the Compilation of Many Breaches (COMB).
Given the number of passwords, RockYou2021 is easily considered the largest collection of leaked passwords to date.
Based on this fact, it appears that the forum user has been quietly collecting leaked passwords over the years and storing them.
To give an idea of how big this database is, Troy Hunt tweeted:
Among other things, it contains “every word in the Wikipedia databases” and words from the Project Gutenberg free ebook collection: https://t.co/JE6elSwmUu
— Troy Hunt (@troyhunt) June 8, 2021
The potential damage that can be caused by this leak is huge.
By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the collection to mount password dictionary and password spraying attacks.
Due to the sheer number of passwords, it's very likely that the data can expose credentials that could include private login information for crucial services, such as accounts on Google, Facebook, Apple, PayPal and more.
Since most people on the internet reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks caused by this leak can potentially reach millions, if not billions.