Biggest password database posted in history spills 10 billion passwords — RockYou2024 is a massive compilation of known passwords

[Image: Passwords being typed (Image credit: Getty Images)]

The most significant password leak in history occurred on the Fourth of July. This leak, dubbed RockYou2024 by its original poster, “ObamaCare,” on a leading hacking forum, compiles 9,948,575,739 unique passwords in plain text. That is 9.9 billion, almost 10 billion, leaked passwords, so we’re looking at an attack on a truly unprecedented scale here [h/t Cybernews].

...Right? Well, there are some caveats. Make no mistake: you should still take this seriously and change your passwords semi-frequently, or use a secure password manager instead of cycling through a few different passwords depending on the service. Using 2FA (Two-Factor Authentication) or MFA (Multi-Factor Authentication) is also a wise move in the right direction.

However, despite its historic scope, RockYou2024 is primarily a compilation of previous password leaks. It’s also built on a prior “RockYou2021” compilation of 8.4 billion passwords.

So, between RockYou2021 and RockYou2024, only about 1.5 billion passwords were added to the list. According to the hacker ObamaCare, at least some of these 1.5 billion passwords were newly cracked with the help of their RTX 4090, a tactic we’ve been warned about before.

Cybernews’ original coverage of these posts includes statements from its team on what to expect and do moving forward. The Cybernews team said, “Attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware. Moreover, combined with other leaked databases on hacker forums and marketplaces, which, for example, contain user email addresses and other credentials, RockYou2024 can contribute to a cascade of data breaches, financial frauds, and identity thefts.”
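As an added illustration, not code from the article or from Cybernews, the two defences that quote implies: screening new passwords against a leaked wordlist at registration or password-change time, and locking an account after repeated failed logins. The wordlist lines are constructed stand-ins, and the lockout thresholds are hypothetical knobs.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a few lines of a RockYou-style plain-text wordlist
# (one password per line). The real compilation is ~10 billion lines; the
# approach is the same, only the storage backend would differ.
LEAKED_WORDLIST = """password123
qwertyuiop
12345678
letmein
Summer2024!
"""

def build_blocklist(wordlist_text: str) -> set:
    """Keep SHA-1 digests of each leaked password rather than the plain text,
    so the screening service never holds a readable copy of the corpus."""
    return {hashlib.sha1(line.encode()).digest()
            for line in wordlist_text.splitlines() if line}

def is_known_leaked(password: str, blocklist: set) -> bool:
    """Reject a candidate password that appears in the breach corpus
    (the screening NIST SP 800-63B recommends for new passwords)."""
    return hashlib.sha1(password.encode()).digest() in blocklist

class LoginThrottle:
    """Per-account consecutive-failure counter: after max_failures failed
    attempts the account is locked for lockout_seconds. This is the
    'protection against brute-force attacks' the Cybernews quote refers to.
    Pair it with per-source-IP rate limiting in practice, since an
    account-only lockout can be abused to lock legitimate users out."""
    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures          # hypothetical default
        self.lockout_seconds = lockout_seconds    # hypothetical default
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, account: str, ok: bool, now: float) -> str:
        if self.locked_until.get(account, 0) > now:
            return "locked"                       # refuse even a correct password
        if ok:
            self.failures[account] = 0
            return "success"
        self.failures[account] += 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
            return "locked"
        return "failed"
```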

While Cybernews is probably correct about this, the fact that this is primarily a compilation of already-existing leaks dating back to 2021 does somewhat detract from the impact of the 9.9 billion leaked passwords headline.

Users should still take the appropriate precautions, since the list has been updated and maintained since 2021. Of course, cybersecurity is an ongoing battle, but at the risk of being contrarian, this is still mostly a compilation of existing hackers’ work from database breaches that have already happened.

You will most likely be fine if you’ve been practicing proper password management and/or rotation for over a year, or since before the original 2021 attack. It never hurts to secure your digital accounts a little more, though, especially in today’s digital age.

Christopher Harper
Contributing Writer

Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote for various B2B clients in high school before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the Sonic Adventure 2 soundtrack.

  • in_the_loop
    10 billion passwords...
    Wonder if they count unique passwords or if this is just all the account passwords that may be duplicated all over the place, which is a big problem.
    One person may use a lot of accounts for different sites, and if he uses the same password all over (something that the lazy person may do) then it will mean that there are loads of duplicates among these 10 billion passwords.
    In addition to that, all the simple guessable "12345678", "qwertyuiop" and "password123" and the like need to be taken into account regarding the seriousness of this....
  • Alvar "Miles" Udell
    I'm not surprised this wasn't mentioned, but Edge does check all stored passwords to see if they have been involved in breaches, as does Chrome, and Firefox, so most of the passwords involved, the older ones, have likely been changed already.
  • brandonjclark
    Alvar Miles Udell said:
    I'm not surprised this wasn't mentioned, but Edge does check all stored passwords to see if they have been involved in breaches, as does Chrome, and Firefox, so most of the passwords involved, the older ones, have likely been changed already.
    IF (and this is IF I'm still right) you haven't disabled that "feature" of Microsoft knowing your password.
  • TheOtherOne
    "So, between RockYou2021 and RockYou2024, only about 1.5 billion more passwords were added to the list."

    Phew, nothing to worry here. Tis just a scratch!
  • lichtbringer
    What do they do with all these hashes?
    Today we store passwords hashed and salted.
    They intend to waste money on decrypting hashes?
    Besides that, if 2FA is used the whole thing is rendered useless.
    Rather spend money cleaning the earth :)
  • Vanderlindemedia
    For hackers a good password list is mandatory. I know because at least 18 years ago I used to hack myself. Many people were not aware of the weak encryption, the websites, or the dangers there were in regard to passwords, and many folks used one password for lots of things. Even mail, with zero 2-step auth and such.
  • Alvar "Miles" Udell
    brandonjclark said:
    IF (and this is IF I'm still right) you haven't disabled that "feature" of Microsoft knowing your password.

    Nope, I use Microsoft's password manager for my passwords and Microsoft Authenticator for my 2FA codes.