RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries
What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches.
According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed. The same user also claims that the compilation contains 82 billion passwords. However, after running our own tests, the actual number turned out to be nearly ten times lower, at 8,459,060,239 unique entries.
The forum user has dubbed the compilation 'RockYou2021' (the file containing all the passwords is named rockyou2021.txt), presumably in reference to the infamous RockYou data breach of 2009, when threat actors hacked their way into the social app website's servers and got their hands on more than 32 million user passwords stored in plain text.
An example of leaked passwords included in the RockYou2021 compilation:
At more than 262 times the size of its 12-year-old namesake, this leak is comparable to the Compilation of Many Breaches (COMB), previously the largest data breach compilation ever. COMB's 3.2 billion leaked passwords, along with passwords from multiple other leaked databases, are included in RockYou2021, which the person behind the collection amassed over several years.
Given that only about 4.7 billion people are online, the RockYou2021 compilation holds almost two entries for every internet user on the planet. For that reason, users are recommended to check immediately whether their passwords were included in the leak.
How to check if your password was leaked?
Updated on 10/06: We have now uploaded nearly 7.9 billion out of 8.4 billion entries in the RockYou2021 password list to our leak databases. To safely check whether your password is part of this gigantic leak, make sure to head over to the CyberNews personal data leak checker.
Note: We take our readers' privacy extremely seriously. To protect your privacy and security, the data that you enter in the search field is hashed, and we use only this hash to perform a search in our database. We do not collect entered emails or passwords, and nothing is logged when you perform a leak check.
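The note above describes a hash-only lookup. The following is an added example, not CyberNews' own checker code (the internals of their tool are not published on this page), showing how such a check can be built so that not even the full hash leaves the client: the client hashes the password locally, sends only the first few hex characters of the SHA-1 hash, and compares the returned suffixes itself. This prefix-range ("k-anonymity") refinement is the scheme popularized by Have I Been Pwned's Pwned Passwords API and goes beyond what the note states. SAMPLE_WORDLIST is a constructed stand-in for a few lines of a compilation, not data from rockyou2021.txt.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Set

# Constructed stand-in for a handful of compilation lines; not real leaked data.
SAMPLE_WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]

# Leading hex characters of the SHA-1 hash the client reveals. 5 hex chars = 20 bits,
# so for an 8.4 billion entry list each prefix covers roughly 8,000 hashes on average.
PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Hash a candidate exactly the way both sides of the check must do it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(entries: Iterable[str]) -> Dict[str, Set[str]]:
    """Server side: prefix -> set of hash suffixes. Plaintext entries are discarded.
    The input is consumed line by line, so a file the size of rockyou2021.txt can be
    indexed with build_index(open(path, encoding="latin-1")) without loading it whole."""
    index: Dict[str, Set[str]] = {}
    for line in entries:
        pw = line.rstrip("\r\n")
        if not pw:
            continue
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], set()).add(h[PREFIX_LEN:])
    return index


def server_range_query(index: Dict[str, Set[str]], prefix: str) -> List[str]:
    """Server side: answer a prefix with every suffix stored under it.
    The server learns the prefix only, never the password or the full hash."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("client must send exactly PREFIX_LEN hex characters")
    return sorted(index.get(prefix.upper(), ()))


def client_check(password: str, query: Callable[[str], List[str]]) -> bool:
    """Client side: hash locally, send only the prefix, and do the final
    comparison against the returned suffixes on the client."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in set(query(prefix))


def demo():
    """Run a client check against the sample index and record what the
    server-facing transport actually saw, as a network capture would."""
    index = build_index(SAMPLE_WORDLIST)
    seen_by_server: List[str] = []

    def transport(prefix: str) -> List[str]:
        seen_by_server.append(prefix)
        return server_range_query(index, prefix)

    results = {pw: client_check(pw, transport)
               for pw in ["password", "correct horse battery staple"]}
    return results, seen_by_server


if __name__ == "__main__":
    found, seen = demo()
    print(found)          # {'password': True, 'correct horse battery staple': False}
    print(seen)           # two 5-character prefixes, nothing else left the client
```

Whether the remote side is honest about what it does with a 5-character prefix is still a matter of trust, but the prefix is all it ever receives; the comparison that reveals a hit happens in the client.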
By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the RockYou2021 collection to mount password dictionary and password spraying attacks against untold numbers of online accounts.
Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions, if not billions.
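The two attack patterns named above leave different traces in authentication logs, and that difference is what a defender can key on. The following is an added example (not code from CyberNews) of detection logic run over a constructed authentication log: password spraying shows up as one source touching many distinct accounts with a guess or two each, while credential stuffing of leaked user:password pairs shows up as many low-volume sources collectively touching many accounts, sometimes with a success among the failures. The log format, user names, documentation-range IPs and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed authentication log (fictional users, documentation IP ranges); not from any real system.
SAMPLE_LOG = """\
2021-06-07T10:00:01Z auth failure user=alice src=203.0.113.7
2021-06-07T10:00:02Z auth failure user=bob src=203.0.113.7
2021-06-07T10:00:03Z auth failure user=carol src=203.0.113.7
2021-06-07T10:00:04Z auth failure user=dave src=203.0.113.7
2021-06-07T10:00:05Z auth failure user=erin src=203.0.113.7
2021-06-07T10:00:06Z auth failure user=frank src=203.0.113.7
2021-06-07T10:05:00Z auth failure user=alice src=192.0.2.10
2021-06-07T10:05:10Z auth failure user=alice src=192.0.2.10
2021-06-07T10:05:20Z auth success user=alice src=192.0.2.10
2021-06-07T11:00:00Z auth failure user=gina src=198.51.100.1
2021-06-07T11:00:01Z auth failure user=hank src=198.51.100.2
2021-06-07T11:00:02Z auth failure user=ivy src=198.51.100.3
2021-06-07T11:00:03Z auth success user=jake src=198.51.100.4
2021-06-07T11:00:04Z auth failure user=kim src=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_auth_log(text: str) -> List[dict]:
    """Turn log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_spraying(events: List[dict], window: timedelta = timedelta(minutes=10),
                    min_users: int = 5) -> List[Tuple[str, int]]:
    """Password spraying: one source, a guess or two against many accounts.
    Per-account lockout never trips, so count distinct accounts per source instead."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, 0
        for end in range(len(evs)):          # sliding time window over this source's failures
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["user"] for e in evs[start:end + 1]}))
        if best >= min_users:
            alerts.append((src, best))
    return alerts


def detect_stuffing(events: List[dict], window: timedelta = timedelta(minutes=10),
                    min_srcs: int = 4, min_users: int = 4,
                    max_users_per_src: int = 2) -> Optional[dict]:
    """Credential stuffing: leaked pairs replayed from many sources, each touching only a
    few accounts. No single source is noisy, so count distinct quiet sources and the
    distinct accounts they hit inside one window. Returns the busiest window or None."""
    evs = sorted(events, key=lambda e: e["ts"])
    best, start = None, 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        in_window = evs[start:end + 1]
        users_by_src: Dict[str, set] = defaultdict(set)
        for e in in_window:
            users_by_src[e["src"]].add(e["user"])
        # sources touching many accounts are spraying candidates, handled above
        quiet = {s for s, u in users_by_src.items() if len(u) <= max_users_per_src}
        users = set().union(*(users_by_src[s] for s in quiet)) if quiet else set()
        hits = sum(1 for e in in_window if e["result"] == "success" and e["src"] in quiet)
        if len(quiet) >= min_srcs and len(users) >= min_users:
            summary = {"window_start": in_window[0]["ts"], "sources": len(quiet),
                       "accounts": len(users), "successful_logins": hits}
            if best is None or summary["sources"] > best["sources"]:
                best = summary
    return best


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print("spraying:", detect_spraying(evs))     # [('203.0.113.7', 6)]
    print("stuffing:", detect_stuffing(evs))     # 5 sources, 5 accounts, 1 successful login
```

The user who mistyped twice from 192.0.2.10 and then succeeded is not flagged by either rule, which is the point of keying on distinct accounts and distinct sources rather than on raw failure counts. A successful login inside a stuffing window (jake, above) is the event worth escalating, since it indicates a reused password that is already in the attacker's list.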
What to do if your password was leaked?
If you suspect that one or more of your passwords may have been included in the rockyou2021.txt collection, we recommend taking the following steps to secure your data and avoid potential harm from threat actors:
- Use our personal data leak checker and leaked password checker to see if your data has been leaked in this or other breaches.
- If your data has been compromised, make sure to change your passwords across your online accounts.
- Enable two-factor authentication (2FA) on all of your online accounts.
- Watch out for incoming spam emails, unsolicited texts, and phishing messages. Don’t click on anything that seems suspicious, including emails and texts from senders you don’t recognize.
- Consider using a good VPN service and antivirus together with a password manager for your online activities and password storage.
IT IS NOT the largest password collection at all. IT CAN'T BE.
Either it is a fake or it is (likely) a machined version of the original rockyou instead.
Just as an example, it CONTAINS ALL possible combinations of 6 lowercase letters, which are 309 million alone (4% of the total), waaaay more than the actual input strings that humans would ever enter.
This collection is of NO PRACTICAL USE (for any serious attacker, though...).
claims that the vast majority of the data here does not even contain passwords, but instead just wordlists from Wikipedia and other sources. Troy Hunt also says this should be ignored, it’s not a leak, and he isn’t including it in his database.
Also, is it true that this doesn’t even contain any new passwords? If that is true, then why are you guys calling it a new “leak”? It’s not even a leak if it’s just old information bundled together, right?
Very confused, hoping you can help! Greetings from Sweden
While it might seemingly hold water at first glance, the argument that rockyou2021.txt is just a scrape of words from Wikipedia and Gutenberg doesn't necessarily imply that this is not a password compilation. For example, if the word God is in Wikipedia, Gutenberg, and a password list – is it taken from the password list, or from the other sources? Plus, those sources make up only a small part of the collection, which includes other massive compilations of leaked passwords like COMB.
Most passwords we use can be found in any book or encyclopedia. In order to conclude definitively, one would need to do a statistical analysis and see whether the correlation is statistically significant.
Having the same password for everything is like having ONE key to open your house, your car, your old car that you sold years ago, your lockboxes, etc.
Imagine that you lost that key, or you gave it to someone when you sold the car. That person can track your other stuff and try the same key: "Maybe this guy has the same key for everything…"
You have 2 options here. One is easy, but you need to start redoing all the locks: use a combination for your key. I mean, if you use the password "CoolGuy" for everything, now use CoolGuy[something]. For example, for Facebook have "CoolGuyFB", then "CoolGuyTW". This will help when a data breach happens, so that they cannot reuse your password for another account.
The second is to use 2FA; every main system supports 2FA, mostly via SMS or an app running on your phone. The main problem is if you lose your phone and didn't back up the app or the secondary emergency codes.
This 2FA works like the lockbox at the bank: you have your key, but to open the box you need a second key that a person will provide at the moment of opening.
When you log in on a new device (or sometimes after 30 days on the same device), it will ask for your password and then a number or code that is generated for a short time on your phone (or texted to you by SMS), and you need to enter that within that time window in order to get in.
Still, people keep resending this SMS to the cybercriminal…
NEVER SHARE THAT CODE WITH ANYONE. Not your mom, not your dog, not your girlfriend (especially not her!).
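The "code that is generated for a short time on your phone" described in the comment above is, for authenticator apps, the TOTP algorithm of RFC 6238 built on HOTP from RFC 4226. The following is an added example (not code from CyberNews or the commenter) of a generator and a server-side verifier written with Python's standard library, including the two details a verifier needs that the comment's description glosses over: tolerating one step of clock drift, and refusing to accept the same code twice. The secret used is the published RFC test vector, in the base32 form an authenticator app is given; the skew and replay handling are design choices assumed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # seconds per time step, as used by common authenticator apps
DIGITS = 6

# RFC 4226 / RFC 6238 test secret ("12345678901234567890") in base32 form. Used here as a
# known-answer vector only; a real secret must be random and unique per account.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode the shared secret as it appears in an otpauth:// provisioning URI."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of whole steps since the Unix epoch."""
    t = time.time() if at_time is None else at_time
    return hotp(secret, int(t) // step)


class TotpVerifier:
    """Server side. Accepts the current step plus `skew` neighbouring steps to absorb
    clock drift, compares in constant time, and never accepts a step at or before the
    last one that succeeded, so a captured code cannot be replayed inside the window."""

    def __init__(self, secret: bytes, skew: int = 1, step: int = STEP):
        self.secret, self.skew, self.step = secret, skew, step
        self.last_counter: Optional[int] = None

    def verify(self, code: str, at_time: Optional[float] = None) -> bool:
        t = time.time() if at_time is None else at_time
        counter = int(t) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if self.last_counter is not None and c <= self.last_counter:
                continue  # this step (or an earlier one) was already consumed
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = secret_from_base32(TEST_SECRET_B32)
    print(totp(secret, 59))               # 287082, the RFC 6238 vector for T=59 (6 digits)
    v = TotpVerifier(secret)
    print(v.verify("287082", 59))         # True
    print(v.verify("287082", 59))         # False: same code presented again
```

With a skew of one step a code stays acceptable for up to about 90 seconds, which is exactly why a code relayed to someone else within that window still works: the server cannot tell who typed it. The replay guard only prevents the same code being used a second time; it does nothing for the first use, which is the commenter's point about never passing the code on.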
You have a site where we enter our passwords to see if someone else has our passwords? Isn’t that problematic for anyone else?
Nobody knows what happens to that password you typed after the request leaves this website (even if it only targets cybernews.com).
Here's a simple explanation of how we protect your privacy when you're using our tools to check your data for exposure. Hope this helps!
Thanks for pointing that out! We investigated this issue and found that Quttera's flagging on VirusTotal was a false positive. The issue has now been resolved, which you can see here.
Having it all in one place makes it much more convenient for the bad guys to perform dictionary and password spraying attacks, which makes it that much scarier.
Be cautious using your password on a ‘leak-site’, be careful not to follow a link from a phishing email claiming to help you check for leaks. There is a reason why experts tell you NEVER to share your PIN or PASSWORD with anyone. When in doubt, just change your password.
In the end, you gotta realize that all the websites you visit and apps you use gather as much information about you as they can. It’s your job to limit what they know.