Check your passwords, people, because if there was ever a good reason to not reuse the same password, or even variants of the same password, then the latest version of the RockYou collection of leaked or stolen passwords must surely be it. With almost 10 billion unique passwords, the dataset is the largest source of genuine login details, from all around the world, making the risk of cyberattacks as high as it’s ever been.
The astonishing number was reported by Cybernews (via Sweclockers) after the updated dataset was posted on a forum used by hackers. Back in 2009, social media company RockYou suffered a data breach in which 32 million user accounts were compromised. Over a decade later, in 2023, a 100 GB text file titled RockYou2021 was posted on hacking forums.
It contained around 8.5 billion passwords, making it then the largest dataset of leaked login details since the 3.2 billion COMB collection in 2022. Now, RockYou2024 is larger still and holds just shy of 10 billion unique email addresses and passwords. Even if one accounts for the fact that every person who’s online will have multiple login accounts, the figure is sufficiently large enough to be of major concern.
The biggest danger the compilation poses is that the information can be used to increase the success of credential stuffing, a type of brute force attack that runs through multiple login attempts to gain access to an account. Not only does this put individuals at risk of identity theft, but it also increases the chances of the business hosting the online account from suffering a comprehensive data breach.
This information is then fed back into the RockYou dataset, making it increasingly more potent. Any decent cloud or hosting service will have mechanisms to combat brute force attacks but if a login appears genuine (because it’s using a valid email address and password), then there’s little the service can do to prevent access.
If this news comes across as being very alarming, then that’s a good thing. Because it means people are more likely to take action to prevent the situation from becoming worse.
If you’re wondering what exactly you should do, then here’s my advice. Never assume that any of your online accounts are safe and never use the same password for any of them—even variations of the same password are risky to use.
I strongly recommend that you change your passwords now, using a combination of three words that you can easily remember, making sure to include numbers and special characters. For any account that offers it, also make sure you enable two-factor or multi-factor authentication (2FA/MFA).
Cybernews offers a password checking service and you can use this to see if a specific password appears in the RockYou2024 dataset. It’s safe to do this because you’re not providing any other details, such as an email address, that would identify the password with a particular account. Even if one of your passwords isn’t in the database, I still recommend that you add a layer of security to your online accounts. If it doesn’t offer one, then it’s even more important you change the password to a large and complex one right now.