Blog

10 Billion Passwords Leaked. Why It Doesn’t Matter If You’re Doing Security Right

Another week, another password dump. This time it’s RockYou2024, a plain-text file containing nearly 10 billion passwords, stitched together from thousands of breaches going back over two decades. It’s being called the largest leak of its kind.

That sounds dramatic but let’s not overstate it. If you’re securing access properly, it doesn’t really matter.

This isn’t a new breach of live systems. It’s a rehash. Big, yes, but full of credentials that attackers have already had access to for years. That doesn’t mean it’s harmless; credential stuffing and brute-force attacks remain common. But it does mean it’s predictable. And predictable threats can be defended against.

If you’ve enforced multi-factor authentication, particularly for internet-facing systems, a list like RockYou2024 loses its bite. Passwords alone stopped being enough a long time ago. The right second factor, ideally phishing-resistant, makes even the most expansive password dump irrelevant.

At Ontinue, we work with organisations to strengthen this exact point of failure. Through our SPI program, we focus on Security Posture Improvement: a structured approach to hardening environments against known threats. That includes identifying where MFA isn’t enforced, where legacy applications are creating risk, and where attackers might be quietly testing exposed credentials.

The value of SPI is in making sure threats like RockYou2024 don’t cause alarm because the right defences are already in place. And if they’re not, SPI helps close the gaps quickly, before they’re exploited.
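The two posture questions above, whether someone is quietly testing leaked credentials against your accounts and whether MFA actually held when a password from a dump turned out to be valid, can both be answered from ordinary authentication logs. The script below is an added illustration written for this post, not Ontinue’s SPI tooling or any product’s code. It assumes a hypothetical key=value log format (timestamp, source IP, username, result, and whether a second factor was enforced), with a few constructed sample lines embedded inline. It separates a credential-stuffing pattern (one source, many distinct accounts, one or two tries each) from a plain brute-force pattern (one source, one account, many tries), and then reports which accounts from a flagged source had their password accepted and whether MFA stopped the login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical key=value format, not real
# data). result is one of fail / success / mfa_pending; mfa records whether a
# second factor was enforced on that login attempt.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z src=203.0.113.7 user=alice result=fail mfa=no
2024-07-05T10:00:02Z src=203.0.113.7 user=bob result=fail mfa=no
2024-07-05T10:00:03Z src=203.0.113.7 user=carol result=fail mfa=no
2024-07-05T10:00:04Z src=203.0.113.7 user=dave result=fail mfa=no
2024-07-05T10:00:05Z src=203.0.113.7 user=erin result=fail mfa=no
2024-07-05T10:00:06Z src=203.0.113.7 user=frank result=mfa_pending mfa=yes
2024-07-05T10:00:07Z src=203.0.113.7 user=grace result=success mfa=no
2024-07-05T10:00:08Z src=203.0.113.7 user=heidi result=fail mfa=no
2024-07-05T10:01:00Z src=198.51.100.23 user=admin result=fail mfa=no
2024-07-05T10:01:05Z src=198.51.100.23 user=admin result=fail mfa=no
2024-07-05T10:01:10Z src=198.51.100.23 user=admin result=fail mfa=no
2024-07-05T10:01:15Z src=198.51.100.23 user=admin result=fail mfa=no
2024-07-05T10:01:20Z src=198.51.100.23 user=admin result=fail mfa=no
2024-07-05T10:02:00Z src=192.0.2.44 user=alice result=fail mfa=yes
2024-07-05T10:02:10Z src=192.0.2.44 user=alice result=success mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyse(log_text, window=timedelta(minutes=5), min_failures=5, min_users=5):
    """Return findings: sources showing a stuffing or brute-force pattern, plus
    any account from those sources whose password was accepted."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    findings = []
    for src, events in by_src.items():
        fails = [e for e in events if e["result"] == "fail"]
        if len(fails) < min_failures:
            continue  # too few failures to call it an attack
        span = max(e["ts"] for e in fails) - min(e["ts"] for e in fails)
        if span > window:
            continue  # failures spread out too far; not a burst
        users = {e["user"] for e in fails}
        if len(users) >= min_users:
            kind = "credential_stuffing"   # many accounts, few tries each
        elif len(users) == 1:
            kind = "brute_force"           # one account, many tries
        else:
            continue
        findings.append({"kind": kind, "src": src,
                         "failures": len(fails), "users": len(users)})
        # A flagged source that got a password accepted is the part that matters:
        # without MFA that is a compromised account; with MFA pending, the
        # password is known to the attacker and should be reset, but the login
        # was held.
        for e in events:
            if e["result"] == "success" and e["mfa"] == "no":
                findings.append({"kind": "compromised_no_mfa",
                                 "src": src, "user": e["user"]})
            elif e["result"] == "mfa_pending":
                findings.append({"kind": "password_known_mfa_blocked",
                                 "src": src, "user": e["user"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the sample data this flags 203.0.113.7 as credential stuffing (six accounts, one try each in seven seconds), 198.51.100.23 as brute force against one account, and leaves alice’s own retry from 192.0.2.44 alone. The two follow-on findings are the actionable ones: grace’s account accepted a leaked password with no second factor, while frank’s did the same but MFA held, which is exactly the difference the post is describing. The thresholds and window are assumptions to tune against your own baseline, and in a real deployment the same logic would run over the identity provider’s sign-in logs rather than an inline string.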

Password leaks aren’t going away. But they don’t have to matter – if you’ve already made them obsolete.

Article By

Craig Jones
Vice President, Security Operations

Craig Jones oversees Ontinue’s global network of Security Operations Centers (SOCs) as Vice President of Security Operations. His role includes managing and optimizing the teams responsible for security monitoring, incident response, and threat detection across the company’s four SOCs. Before joining Ontinue, Craig spent eight years at Sophos, where he rose to Senior Director of Global Security Operations. At Sophos, Craig was responsible for the operational aspects of the company’s worldwide security program, ensuring that the organization’s global security infrastructure was robust and scalable.

Craig is a well-regarded expert in the field of cybersecurity, holding certifications such as GCIH and CISSP. He is actively involved in the cybersecurity community, volunteering as director of BSides Cymru/Wales since 2019 and frequently speaking at industry events. His thought leadership covers topics like incident response, SOC automation, threat intelligence, and SIEM. Craig earned a bachelor’s degree in Information Technology from the University of South Wales.