Like water flowing down to the sea, exposed login credentials gradually make their way into larger and larger “combo files” for the convenience of cyber criminals. The king of these password leak files in recent years has been the “RockYou” collections, last making the news in 2021 for a file containing a whopping 8.4 billion plain text passwords. That mark has been surpassed by the latest release, “RockYou2024,” which has added about 1.5 billion new passwords to bring the total collection very close to 10 billion.
Few to none of the entries in the collection are believed to be new password leaks. This is a compilation largely built on massive breaches of the recent past that involved tens to hundreds of millions of records each. The 1.5 billion passwords added since the last RockYou edition appear to all be from breaches that took place from 2021 to 2024.
Massive password leak collects breach information spanning two decades
Security researchers put the exact total of passwords in RockYou2024 at 9,948,575,739. The file was posted to an underground hacking forum by a user named “ObamaCare” who has previously been involved with password leaks at casino referral site AskGamblers, the admissions department of Rowan College, and law firm Simmons & Simmons.
While these passwords are likely all from existing and previously known data breaches, credential stuffing using these massive combo files continues to be effective for profit-seeking cyber criminals. The April breach of cloud storage firm Snowflake, which in turn has led to major breaches of Ticketmaster and other companies, is thought to have originated from a successful credential stuffing campaign.
The RockYou files originated in a different form, from a 2009 data breach of a long-defunct social media service of the same name. The collection has done nothing but expand since then, and it seems to have credentials that date back as far as the mid-2000s. However, some security researchers (such as Forbes columnist Davey Winder) have sampled some of the data and found significant portions of it may be “garbage” in the sense of incorrectly entered or bogus credentials. Other researchers have said that some of the passwords are hashed, and other fields simply consist of company names rather than login credentials.
How much of a threat is the RockYou password leak, really?
Most of the legitimate credentials in the password leak have been available for a long time now, and most online services will not allow threat actors to indiscriminately try a list of billions of passwords. The biggest threat will come from targeted credential stuffing attacks, with threat actors identifying accounts that share usernames or appear to belong to the same person. Though the word should be out about reusing passwords at this point, the news of the RockYou2024 password leak should be a final reminder to set a unique password for every account.
There is also likely greater risk to devices that owners do not consider a security priority, or that may not allow for truly secure passwords to be set; in other words, all types of home and business smart devices and cameras. This issue could extend to legacy systems in industrial equipment that are similarly overlooked by security updates or just inherently difficult to secure properly due to outdated design.
The threat that emerging AI technologies present should also be considered. AI could potentially be leveraged by hackers to much more quickly sift through the massive password leak, making connections between accounts potentially owned by the same person. This ability could also turn up poorly secured accounts that have been forgotten by their owners, a problem that even Microsoft has struggled with recently.
Some security researchers take the view that the password leak file is growing far too big to be useful, and its size is actually providing diminishing returns as it increases (due primarily to the junk and now-useless outdated information that continues to accumulate). They also point out that any approach reliant on something like RockYou2024 as a tool is readily defeated by something that organizations should already have enabled anyway: multi-factor authentication. Even an account with a weak or recycled password can be bailed out if it is protected by a secondary required authentication method.
What can an individual user do to protect against these password leaks, particularly if they’re now juggling dozens or even hundreds of logins? The most straightforward answer is a password manager app, of which there are a number of reputable options. For Apple device users, iOS 18 is set to add a default password manager.
Darren James, a Senior Product Manager at Specops Software, adds: “The dataset is too large to be of any realistic use as part of any effort to crack a given hash, it’s simply too much low quality data to successfully use in attacks, and the value of the data is negligible compared to well-prepared wordlists and rulesets in the hands of a capable actor. Organizations would be better off focusing on best practices like encouraging passphrases, protecting against actual compromised passwords, and defending against targeted wordlist attacks with custom block lists. RockYou2024 is just another clickbait compilation.”
Max Gannon, Cyber Intelligence Team Manager at Cofense, notes that the primary demographic at risk from RockYou2024 had already been at similar risk all along anyway: “Although this dump puts people who reuse passwords at greater risk, reusing passwords already put them at a significant risk due to all the other leaks and ways of being compromised. MFAs and password managers are of course the way to go but security experts have been telling people not to reuse passwords since there were enough different sites to make password reuse common. Another reason to use password managers is that some password managers will scan dumps like this and inform you if your credentials are at risk. Some identity protection services will also offer this service.”