There have been sporadic entries in the “RockYou” family of password leak collections since 2009, when the project was founded with the breach of a former social media platform by the same name. A recent update has inflated the credential count from about 8.5 billion to almost 10 billion passwords, but preliminary examination of chunks of the data by security researchers indicates that it is full of junk.
Between bogus entries and the sheer size, the password leak may well not actually be all that useful to cyber criminals, particularly when you consider that all of the credentials come from breaches that have previously been made public. But the incident does serve as a high-profile reminder to stop reusing passwords between multiple accounts, and to put password managers and MFA to use wherever possible.
“RockYou2024” password leak likely just meant to grab headlines
There is almost no threat of attackers feeding the password leak directly into account login attempts; the threat comes more from the convenience of cross-referencing different accounts that may belong to the same person in one place. But given that all this information was already available, and given the possible high level of “junk” in the file, it may not even be all that useful for that purpose.
The ultimate “security blanket” against a password leak of this type is MFA. While the hacker who compiles these lists most likely does it as a promotional measure rather than as a legitimate attempt to aid in attacks, it does provide a regular reminder to implement at least one extra layer of security beyond the password to head off crude “credential stuffing” attempts.
There has been something of a commercial push to make password managers more accessible to everyday internet users in recent years, but it has been counterbalanced by high-profile failures at market leaders such as LastPass, 1Password and Norton LifeLock. Apple iOS and Android have both had a basic password manager integrated into devices for years now, but security professionals have generally seen these as “better than nothing but far from sufficient”; Apple is attempting to address this with the rollout of a new password management app.
RockYou has been collecting password leaks since 2009
The “RockYou” files simply collect and organize existing password leaks. The new 1.5 billion entries, or at least the portion of them made up of valid data, appear to come from breaches that were dumped to the dark web between 2021 and this year. The file may have incorporated much of its information from the “Mother of All Breaches (MOAB)” that appeared in January of this year, a data collection that contained 26 billion assorted records from prior breaches.
Files of this type may have actually become more useful to security professionals over the years than they presently are to criminals. Earlier RockYou files have become staples of security testing, a quick way to screen out of a network the passwords that attackers are most likely to try.
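As an added example (not code from the article or from any RockYou project), the Python below shows the defensive use of such a file: it parses a RockYou-style list, discards the kinds of junk entries the article describes, and rejects user-chosen passwords that appear in it. The sample list is constructed, and the filtering thresholds (length bounds, hash detection, the colon rule) are assumptions chosen for illustration.

```python
"""Screen user-chosen passwords against a RockYou-style leak list."""

# Constructed sample in RockYou format (one entry per line), with the kinds
# of junk a compiled leak tends to carry: binary noise, bare hashes,
# "hash:plain" lines from other dumps, duplicates, blanks, oversized lines.
SAMPLE_LEAK = """123456
password
iloveyou
letmein!
\x00\x01garbage
5f4dcc3b5aa765d61d8327deb882cf99
d41d8cd98f00b204e9800998ecf8427e:password
password
Summer2024

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

HEX_DIGITS = set("0123456789abcdef")


def looks_like_password(entry: str) -> bool:
    """Heuristic: keep only lines a person could plausibly have typed."""
    if not 1 <= len(entry) <= 64:          # assumed policy bounds
        return False
    if not entry.isprintable():            # binary noise / control bytes
        return False
    if ":" in entry:                       # assumed: 'hash:plain' dump lines
        return False
    # 32/40/64 hex chars are almost always MD5/SHA-1/SHA-256 digests
    if len(entry) in (32, 40, 64) and set(entry.lower()) <= HEX_DIGITS:
        return False
    return True


def build_blocklist(text: str) -> set[str]:
    """Parse a leak file into a de-duplicated, lower-cased blocklist."""
    blocklist = set()
    for line in text.splitlines():
        entry = line.rstrip("\r")
        if looks_like_password(entry):
            blocklist.add(entry.lower())   # case variants are trivial guesses
    return blocklist


def is_blocked(candidate: str, blocklist: set[str]) -> bool:
    """True when the candidate (ignoring case) appears in the leaked list."""
    return candidate.lower() in blocklist
```

A production deployment would load the real file once, keep the set (or a hashed equivalent) in memory, and call is_blocked at password-change time.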