RockYou2021 – Leaked Online Passwords Compilation
What could be the largest leaked online password compilation ever has been shared by a threat actor on a popular hacker forum. Named RockYou2021 after the infamous RockYou breach in 2009, the released 100 GB file is estimated to contain about 8.4 billion password entries.
To be clear, this password leak is not a new breach, but rather the most recent and the largest compilation of multiple previous breaches from a variety of sources:
- CrackStation’s Password Cracking Dictionary
- Hack3r.com’s Wikipedia Wordlist
- Daniel Miessler’s SecLists/Passwords
- berzerk0’s Probable Wordlists
- Passwords from Weakpass
- COMB (Compilation of Many Breaches): 3.2 billion previously shared passwords.
A quick overview of the sources from which the passwords have been compiled suggests that not all the entries on the list are previously compromised passwords, as probable wordlists are included too. However, the compilation could be a valuable resource for attackers when cracking passwords.
The compilation has been preprocessed by the threat actor to clean the data, so that it contains only passwords that are 6-20 characters long and that contain no non-ASCII characters or white space. In addition to the forum where it was first shared, the RockYou2021 data has been circulated on other platforms too, including torrents.
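The filter described above is also useful to defenders when screening a newly chosen password. The following is an added example, not code from the original article or from the compilation; the function names, verdict labels and the three-entry sample blocklist are constructed for illustration.

```python
import hashlib
import string

# Filter the article attributes to the compilation:
# 6-20 characters, ASCII only, no white space.
MIN_LEN, MAX_LEN = 6, 20
_WHITESPACE = set(string.whitespace)


def in_compilation_profile(password: str) -> bool:
    """True if the password could appear verbatim in a list built with that filter."""
    return (
        MIN_LEN <= len(password) <= MAX_LEN
        and password.isascii()
        and not any(ch in _WHITESPACE for ch in password)
    )


def digest(password: str) -> str:
    """SHA-1 hex digest used only as a lookup key, so the blocklist holds no plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample blocklist (three well-known weak passwords), stored as digests.
SAMPLE_BLOCKLIST = {digest(p) for p in ("123456", "password", "iloveyou")}


def screen_password(password: str, blocklist: set) -> str:
    """Classify a proposed password as 'reject', 'review' or 'outside'."""
    if len(password) < MIN_LEN:
        return "reject"    # too short for any policy, whatever the list contains
    if digest(password) in blocklist:
        return "reject"    # exact match with a known wordlist entry
    if in_compilation_profile(password):
        return "review"    # same keyspace as the compilation: run further strength checks
    # Longer than 20 characters, non-ASCII, or contains white space: cannot be a
    # verbatim entry of the filtered list. This is not a strength guarantee on its own.
    return "outside"


if __name__ == "__main__":
    for candidate in ("abc", "password", "Tr0ub4dor&3x", "correct horse battery staple"):
        print(repr(candidate), "->", screen_password(candidate, SAMPLE_BLOCKLIST))
```
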
Comparison to Previous Password Leaks and Compilations
The first major password data leak is considered to be the 2009 RockYou data breach, which exposed the passwords of 32 million users of the social app website RockYou. This recent password compilation is named after that infamous data leak because of its significant impact on the security community. Compared to the 32 million username and password records that were considered striking at the time, RockYou2021 contains approximately 250 times more data, with 8.4 billion password entries.
Following the RockYou user credentials breach, many other notable incidents occurred, and threat actors started to compile and sell such data. In this regard, compiling previous password leaks is nothing new. However, RockYou2021 stands out as being the largest collection ever.
The most recent password collection that is comparable to RockYou2021 is the COMB (Compilation of Many Breaches) data compilation of 3.2 billion passwords, shared in February 2021, only a few months prior to this release. Earlier than the COMB release, a compilation containing 1.4 billion email and password pairs (harvested from 252 previous breaches) was shared in 2017.
Potential Impacts on Users and Security Measures
Following the release of such a large set of password data, attackers could be expected to conduct a variety of enhanced brute force attacks such as dictionary or rainbow table attacks, credential stuffing or password spraying attacks. To avoid falling victim to such attacks, users could follow the guidance below as best practices for secure password management.
Change Passwords Often
Changing passwords at regular intervals, such as every 60-90 days, is one of the most effective countermeasures against compromised passwords. In particular, passwords for critical accounts such as email, VPNs etc. should be changed regularly and often.
Implement Multi-Factor Authentication
Multi-Factor Authentication (MFA) is another highly effective security measure to protect user accounts. MFA increases authentication security by adding layers of security beyond just entering a password. When only one additional layer is implemented, it is specifically called 2FA (2 Factor Authentication). When MFA is implemented, attackers won’t be able to get into users’ accounts even if they have users’ credentials.
Do not Use Passwords on Multiple Accounts
Users tend to reuse their usernames and passwords across multiple accounts. Though this practice comes in handy for remembering passwords easily, attackers could take advantage of it by using compromised credentials to pivot to other, more important accounts.
“Passwords are like underwear. Don’t let people see it, change it very often, and you shouldn’t share it with strangers.”
– Chris Pirillo
User credential breaches have become ordinary security news in recent years, and we have gotten used to such data being sold, either separately or in compilations, on hacker forums. Passwords could be compromised through multiple attack vectors. However, it is not that difficult for users to take some extra measures to protect their credentials.
The recent sharing of RockYou2021 (Largest Compilation of Leaked Online Passwords) reminds us once more of the importance of using unique passwords and implementing MFA (or 2FA) on online accounts. These two simple protection mechanisms shall leave the attackers empty-handed even when they can get hold of usernames and passwords.