RockYou2021 is Largest Password Leak at 8.4 Billion Entries

A compilation file of stolen and leaked passwords, dubbed RockYou2021, recently appeared on a hacker forum. CyberNews reports that an anonymous forum poster uploaded a 100GB TXT file containing 8.4 billion entries of passwords.

Although the poster claimed the file contained 82 billion passwords, CyberNews independent analysis confirmed the number (while still staggering) is actually ten times less. However, it remains the largest password and credentials leak of its kind in history.  

Given that only 4.7 billion people are online across the world, the perpetrators may have multiple passwords for millions if not billions of users. The RockYou2021 compilation file may be the stepping stone hackers are looking for to begin mass credential stuffing or more targeted credentials attacks. Since so many people were potentially affected, businesses should begin alerting employees to the danger and mandating password changes across all accounts. Additionally, enterprises should begin (if they haven’t already) implementing multifactor authentication (MFA) and other critical identity management protections. 

Also, your employees and administrators should take the necessary steps to ensure that they make the strongest and most secure passwords possible. Despite passwords being largely ineffectual as a lone authentication factor, the combination of longtime recognition and ubiquitousness ensures their place in access management for years to come. 

Therefore, your enterprise should make users aware of the tools at their disposal. Free websites like haveibeenpwned.com allow users to compare their emails to thousands of breaches, seeing where they may have been compromised and prompting new credentials. Meanwhile, password checkers can help employees determine whether their passwords actually measure up to the realities of password crackers and simple guesswork.  

To learn more about what RockYou2021 might mean for cybersecurity and access management, we reached out to the experts. Here’s what they had to say. 

RockYou2021: Impact and Advice

Saryu Nayyar

Saryu Nayyar (she/her) is CEO of Gurucul. 

“Today is the day to change all your passwords. You may have been putting this off thinking you are not affected. You are. We all are. Now you have an excellent reason – to protect your privacy and your assets. Anything and everything will come out so waste no time. Change all your passwords immediately. And please make sure they are unique and complex!”

David Stewart

David Stewart is CEO of Approov. 

“It may be the biggest username/password breach of all time but it won’t be the last. Outlawing passwords is not a short-term solution to this problem. Instead, ensure that usernames/passwords on their own are not enough to gain access to backend systems. Adding a requirement for appropriate and independently verified factors to gain access to your servers will ensure that your business is not affected by credential stuffing attacks based on breaches such as RockYou2021.”

Thank you to these cybersecurity experts for their time and expertise on the leak. For more, why not check out the Identity Management Buyer’s Guide or the Solutions Suggestion Engine? The Suggestion Engine can compare your enterprise’s access management use case to vendor-made profiles in just 7 seconds over millions of permutations.