RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries

What seems to be the largest password collection of all time has been leaked on a popular hacker forum. A forum user posted a massive 100GB TXT file that contains 8.4 billion entries of passwords, which have presumably been combined from previous data leaks and breaches.

According to the post author, all passwords included in the leak are 6-20 characters long, with non-ASCII characters and white spaces removed. The same user also claims that the compilation contains 82 billion passwords. However, after running our own tests, the actual number turned out to be nearly ten times lower, at 8,459,060,239 unique entries.


The compilation itself has been dubbed ‘RockYou2021’ by the forum user, after the rockyou2021.txt file that contains all the passwords and presumably in reference to the infamous RockYou data breach of 2009, when threat actors hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text.

An example of leaked passwords included in the RockYou2021 compilation:

[Image: sample password list from rockyou2021.txt]

With a collection that exceeds its 12-year-old namesake by more than 262 times, this leak is comparable to the Compilation of Many Breaches (COMB), the largest data breach compilation ever. Its 3.2 billion leaked passwords, along with passwords from multiple other leaked databases, are included in the RockYou2021 compilation that has been amassed by the person behind this collection over several years.

Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over. For that reason, users are recommended to immediately check if their passwords were included in the leak.

How to check if your password was leaked?

Updated on 10/06: We have now uploaded nearly 7.9 billion out of 8.4 billion entries in the RockYou2021 password list to our leak databases. To safely check whether your password is part of this gigantic leak, make sure to head over to the CyberNews personal data leak checker.

Note: We take our readers' privacy extremely seriously. To protect your privacy and security, the data that you enter in the search field is hashed, and we use only this hash to perform a search in our database. We do not collect entered emails or passwords, and nothing is logged when you perform a leak check.
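The following is an added example, not code from this site or from any checker named on this page. It shows one well-known design for a hashed lookup, the range (k-anonymity) query used by Have I Been Pwned's Pwned Passwords service: the client hashes the password locally, sends only the first 5 hex characters of the SHA-1 digest, and compares the returned suffixes itself. The sample corpus and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample data standing in for a breach corpus held by a checking service.
LEAKED_SAMPLE = ["123456", "password", "iloveyou", "rockyou", "qwerty123"]

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that the client reveals


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(passwords):
    """Server side: keep digests only, bucketed by their first PREFIX_LEN chars."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def server_range_query(index, prefix):
    """Server side: sees only the prefix and returns every suffix in that bucket."""
    valid = len(prefix) == PREFIX_LEN and all(c in "0123456789ABCDEF" for c in prefix)
    if not valid:
        raise ValueError("prefix must be PREFIX_LEN uppercase hex characters")
    return sorted(index.get(prefix, set()))


def client_check(password, query):
    """Client side: hash locally, send the prefix, match the suffix locally.

    Returns (leaked, sent) where `sent` is the only value that left the client.
    """
    digest = sha1_hex(password)
    sent = digest[:PREFIX_LEN]
    suffixes = query(sent)
    return digest[PREFIX_LEN:] in suffixes, sent


if __name__ == "__main__":
    index = build_index(LEAKED_SAMPLE)
    for candidate in ("password", "correct horse battery staple"):
        found, sent = client_check(candidate, lambda p: server_range_query(index, p))
        print(f"{candidate!r}: sent to server={sent} leaked={found}")
```

With a real corpus each 5-character prefix maps to many digests, so the server cannot tell which password in the bucket, if any, the client was checking.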

Potential impact

By combining 8.4 billion unique password variations with other breach compilations that include usernames and email addresses, threat actors can use the RockYou2021 collection to mount password dictionary and password spraying attacks against untold numbers of online accounts.

Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions, if not billions.

What to do if your password was leaked?

If you suspect that one or more of your passwords may have been included in the RockYou2021.txt collection, we recommend taking the following steps in order to secure your data and avoid potential harm from threat actors:

  • Use our personal data leak checker and leaked password checker to see if your data has been leaked in this or other breaches.
  • If your data has been compromised, make sure to change your passwords across your online accounts.
  • Enable two-factor authentication (2FA) on all of your online accounts.
  • Watch out for incoming spam emails, unsolicited texts, and phishing messages. Don’t click on anything that seems suspicious, including emails and texts from senders you don’t recognize.
  • Consider using a good VPN service and antivirus together with a password manager for your online activities and password storage.
  • Consider removing your personal data from databases with services like Incogni, which will help you ensure that your data stays off the market.


prefix 2 years ago
I just had some statistical analysis on rockyou2021
IT IS NOT the largest password collection at all. IT CAN'T BE.
either it is a fake or it is (likely) a machined version of the original rockyou instead
just as an example it CONTAINS ALL possible combination of 6 lowercase letters, which are 309 millions alone, (4% in the total), waaaay more than the actual input strings that humans would ever enter.
this collection is of NO PRACTICAL USE (for any serious attacker though...)
prefix 3 years ago
Hey guys, great work here! Just a question for Edvardas. This article:

claims that the vast majority of the data here does not even contain passwords, but instead just wordlists from Wikipedia and other sources. Troy Hunt also says this should be ignored, it’s not a leak, and he isn’t including it in his database.

Also, is it true that this doesn’t even contain any new passwords? If that is true, then why are you guys calling it a new “leak”? It’s not even a leak if it’s just old information bundled together, right?

Very confused, hoping you can help! Greetings from Sweden
Edvardas Mikalauskas
prefix 3 years ago
Hi Oksana, thanks for your question!

While it might seemingly hold water at first glance, the argument that rockyou2021.txt is just a scrape of words from Wikipedia and Gutenberg doesn’t necessarily imply that this is not a password compilation. For example, if the word God is in Wikipedia, Gutenberg, and a password list – is it taken from the password list, or other sources? Plus, those sources make up only a small part of the collection, which includes other massive compilations of leaked passwords like COMB.

Most passwords we use can be found in any book or encyclopedia. In order to conclude definitively, one would need to do statistical analysis and to see whether the correlation is statistically significant to claim this.
prefix 3 years ago
Use 2-factor authentication where you can. Use a password manager everywhere so you can have strong, unique passwords for every web site that you register with. This isn’t difficult, but it does take a day’s worth of effort.
Joseph D. Maggio
prefix 3 years ago
What sites were involved?
prefix 3 years ago
Let's do the Key analogy.
Having the same password for everything is like having ONE key to open your house, your car, your old car that you sold years ago, your lockboxes, etc.

Imagine that you lost that key, or you gave it to someone when you sold the car. That person can track your other stuff and try the same key: “Maybe this guy has the same key for everything…”

You have 2 options here. One is easy, but you need to start redoing all the locks: use a combination for your key. I mean, if you use the password “CoolGuy” for everything, now use CoolGuy[something]. For example, for Facebook have “CoolGuyFB”, then “CoolGuyTW”. This will help when a data breach happens, so that they cannot reuse your password for another account.

The second is to use 2FA. Every main system supports 2FA, mostly via SMS or an app running on your phone. The main problem is if you lose your phone and didn't back up the app or the secondary emergency codes.

This 2FA works like the lock box at the banks, you have your key, but to open the box you need a second key that a person will provide at the moment of opening.

When you log in on a new device (or sometimes after 30 days on the same device), it will ask for your password and then a number or code that is generated for a short time on your phone (or texted to you by SMS), and you need to enter that in that time window in order to get in.

Still people keep resending this SMS to CyberCriminal….

NEVER SHARE THAT CODE WITH ANYONE. Not your mom, not your dog, not your girlfriend (especially not her!).
prefix 3 years ago
Hmmmm … Is the “leak password checker” safe? :))
no one
prefix 3 years ago
pretty suspicious since there is an “email checker” and a separate “password checker”, those inputs could be easily joined together lol
no one
prefix 3 years ago
Where's the download link at? :\
Yes One
prefix 3 years ago
If you need to ask for the link, you definitely don’t need the list.
Dagg Nabbit
prefix 3 years ago
I have 159 accounts and passwords listed in a 16-page document. I switched to a password manager but I’ve only put in about 60 accounts into it so far. I think it’s time to start closing out accounts.
Richard Spieker
prefix 3 years ago
Why is this news now? This was leaked back in April.
prefix 3 years ago
Is it possible to have the forum’s name please ?
prefix 3 years ago
I’m a little confused by this…

You have a site where we enter our passwords to see if someone else has our passwords? Isn’t that problematic for anyone else?
prefix 3 years ago
The way that it works (at least, for haveibeenpwned, I believe), is that your password is hashed client side, then that hash is sent to the website’s server, which compares that hash with a hash of every other password in the database, and sees if the hash matches that of another password?
prefix 3 years ago
My thoughts exactly
prefix 3 years ago
More than a bit scary.
Zuber the best noob tech hacker
prefix 3 years ago
that is the have i been pwned site:
prefix 3 years ago
Was about to comment exactly that! +1
Nobody knows what happens to that password you typed after the request leaves this website (even if it only targets
Edvardas Mikalauskas
prefix 3 years ago
Hi there,

here’s a simple explanation of how we protect your privacy when you’re using our tools to check your data for exposure. Hope this helps!
prefix 3 years ago
I would rather that my password did not display on my device when entered into the check box.
prefix 3 years ago
So, this website itself has come back as malicious (put into VirusTotal search engine). How can I trust your content?
Edvardas Mikalauskas
prefix 3 years ago
Hi Jack,

thanks for pointing that out! We investigated this issue and found that Quttera’s flagging on VirusTotal was a false positive. The issue has now been resolved, which you can see here.
prefix 3 years ago
Can it be a compilation of already existing leaks ?
Edvardas Mikalauskas
prefix 3 years ago
Hi Colton, you’re exactly right. RockYou2021 is a compilation of compromised passwords from previous leaks, amassed in one massive database for the threat actors’ convenience.

Having it all in one place makes it much more convenient for the bad guys to perform dictionary and password spraying attacks, which makes it that much scarier.
prefix 3 years ago
Why do people refer to them as “bad actors”?
prefix 3 years ago
2021 still surprises me, what's next? The best way is to change your passwords every week, and keep them stored in a notebook. Your leak checker and haveibeenpwned showed that I’m not affected by this one.
prefix 3 years ago
every week ? wtf i have like 50 diff account, i can’t
prefix 3 years ago
I’m talking about personal more. I don’t like the idea of e-mail password being leaked , where i keep all my bills and other important data
prefix 3 years ago
Dustin, that is not considered best-practice. Best is to go for a password manager using complex and long passwords, like 20+ characters. If you don’t have a password manager it is best practice to follow the principles of passphrases; a collection of multiple words that are not linked to each other (so don’t use “Ilovetheblueocean” or something similar). Instead select the words that have a meaning to you, but not necessarily to an outsider; “Love4TomatoesonSpain” if you happen to be a fan of tomatoes and your best holiday ever was to Spain. FYI: just an example.
Be cautious using your password on a ‘leak-site’, be careful not to follow a link from a phishing email claiming to help you check for leaks. There is a reason why experts tell you NEVER to share your PIN or PASSWORD with anyone. When in doubt, just change your password.
prefix 3 years ago
Check out bitwarden, use different passwords for different sites, choose longer and more complex ones – special characters greatly increase your security. Whenever possible use two factor authentication. Don’t register on shady forums or sites with your credentials, there are services like anonaddy that generates random mail alias that will be used to redirect all messages to you – but the site you register on won’t ultimately know your email. Use throwaway mails for unimportant things – i can recommend nada mail, since you can add certain inboxes for longer periods of time – it isn’t the typical 10 minute mail.

In the end, you gotta realize that all the websites you visit and apps you use gather as much information about you as they can. It’s your job to limit what they know.
prefix 3 years ago
It depends. We’re already trying to do our best to keep our credentials safe, but sometimes the leak isn’t from us, it’s from the company whose services we’re using, when their database is breached. Another extra security measure for now is to use 2FA or a hardware key like YubiKey. Passwordless is good for now; some companies’ services already support it and some don’t yet.