In a shocking revelation, 10 billion passwords have been exposed in what is being described as the largest leak ever. The compilation, dubbed ‘RockYou2024,’ was shared by a user named ‘ObamaCare’ on a popular hacking forum last Thursday.

This is not the first instance of ‘ObamaCare’ disseminating stolen data online. Previous leaks attributed to this user include an employee database from the law firm Simmons & Simmons, a lead from online casino AskGamblers, and applications for Rowan College at New Jersey.

According to researchers at Cybernews, who have analyzed the dataset, ‘RockYou2024’ was compiled over more than a decade and represents the third major dataset of its kind. The dataset includes a mix of newly-stolen and previously stolen passwords.

In 2021, a similar dataset named ‘RockYou2021’ was released, containing approximately 8.4 billion passwords. The latest dataset adds around 1.5 billion more passwords to this already massive collection. The 2021 dataset itself built upon another from 2009, which included “tens of millions of user passwords for social media accounts.”

The implications of such a massive leak are profound. Leaked passwords can be exploited in credential stuffing attacks and brute force attacks. Credential stuffing involves using passwords stolen from one account to gain access to others, relying on the common practice of users reusing passwords across different services. Brute force attacks involve systematically guessing passwords and other sign-in information through trial and error.

Cybernews researchers warn that the 10-billion-strong database could be used to target a wide range of services, from online platforms to internet-facing cameras and industrial hardware. When combined with other leaked databases containing user email addresses and other credentials, ‘RockYou2024’ could lead to a cascade of data breaches, financial frauds, and identity thefts.