History of RockYou and the 2009 hack.
We are in the age of hacking and data breaches, and things aren’t bound to get better any time soon. With every day that passes, new information about databases being broken into and personal data being stolen comes to the surface and reaches the news, making us once again afraid of what may happen to our data and the accounts we care about.
One news piece related to those intrusions appeared very recently, dubbed “RockYou2021”, although it is a bit different in content from what we are used to hearing about. Its name pays homage to a hack that happened in 2009 on the servers of RockYou, a company that then developed social apps, exposing the login data of 32 million users, as that data was stored in plain text.
RockYou2021 is a bit different in content, but its objective is the same.
The biggest password database ever
RockYou2021 is a text file that contains 100 gigabytes worth of passwords. No emails, no usernames. Just passwords. 100 GB. It’s an unimaginably huge file, just full of passwords. A report from the cybersecurity website CyberNews states that it contains about 8.5 billion unique passwords (the raw line count is higher, as the file contains some repeated entries).
Now, what does this mean? This is where its similarity to the original RockYou comes forward: it is a file dedicated to doing dictionary attacks.
You see, brute forcing a password is hard. In order to figure out a 6-character password, if letters, numbers and special characters are all allowed, you would need to try more than 600 billion combinations. That can take a very long time, and would be especially difficult if the website has even a simple captcha on the login page.
However, clearly not all of those combinations are used as passwords. There are more possible combinations than there are people in the world, and probably far more than there are login credentials in the entire world. So, if you have a list of the most commonly used passwords, you could reduce that time quite a bit, no? That’s what the RockYou2021 file is used for: making brute forcing quicker by using a list of combinations that are already known to be passwords.
Just as a means of comparison, the original RockYou list was already such a big leak that it still ships as a wordlist with Kali Linux, a Linux distribution aimed at testing and developing cybersecurity solutions.
Where did it all come from?
From everywhere, probably. It is most likely a combination of the password data gathered from multiple data breaches over the years. It may even contain passwords from breaches we never heard about, as breached data tends to roam through the deep web and obscure hacking forums for a while before being noticed by security experts and white hat hackers.
As with other breaches, the existence of this database means that accounts you created on multiple websites using the same password are more vulnerable now. Just changing passwords is not really enough if the password you’re changing to is also present in this list. 100 GB may seem like a lot, but considering that breaking into the right place can get an attacker a lot of money, it can be worth every second it takes to download it.
What can I do about it?
First of all, it is a good idea to check whether the passwords you use have appeared in any leak. If they have, change them on any account that you care about (especially the ones that hold credit card information, for example). Using strong passwords is of course recommended, as is using a password manager so that you can keep track of them more easily.
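The check described here is also what a website should do on its own side: reject a new password if it appears in a leaked list, and explain why a dictionary beats raw brute force. The following Python is an added example, not code from the original post; the wordlist bytes are constructed and stand in for a file such as rockyou.txt, and the function and constant names are my own.

```python
import hashlib
from typing import Iterable, Set

# Constructed stand-in for a few lines of a leaked-password list. A real
# file like RockYou2021 is ~100 GB, so it must be streamed, never read whole.
SAMPLE_WORDLIST = b"123456\npassword\niloveyou\n123456\nqwerty\n"


def keyspace(length: int, alphabet_size: int = 95) -> int:
    """Candidates a blind brute force must cover: alphabet ** length.

    95 is the number of printable ASCII characters (letters, digits and
    symbols), so keyspace(6) is the "more than 600 billion" figure above.
    """
    return alphabet_size ** length


def load_denylist(lines: Iterable[bytes]) -> Set[bytes]:
    """Stream a wordlist line by line and keep one SHA-1 digest per entry.

    Raw bytes are used because real leak files mix encodings and would raise
    decode errors. Storing 20-byte digests instead of strings keeps memory
    predictable. Duplicate lines collapse into one set member, which is why
    a leak's unique count is lower than its line count.
    """
    digests: Set[bytes] = set()
    for raw in lines:
        entry = raw.rstrip(b"\r\n")
        if entry:
            digests.add(hashlib.sha1(entry).digest())
    return digests


def is_compromised(password: str, denylist: Set[bytes]) -> bool:
    """True if the candidate password appears verbatim in the leaked list."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return digest in denylist


def build_sample_denylist() -> Set[bytes]:
    """Build the denylist from the constructed sample (4 unique entries)."""
    return load_denylist(SAMPLE_WORDLIST.splitlines(keepends=True))


if __name__ == "__main__":
    # With a real file: load_denylist(open("rockyou.txt", "rb"))
    denylist = build_sample_denylist()
    print("6-char keyspace:", keyspace(6))
    for candidate in ("iloveyou", "correct horse battery staple"):
        print(candidate, "->", "leaked" if is_compromised(candidate, denylist) else "ok")
```

Because `open(path, "rb")` yields lines lazily, the same `load_denylist` call works on the full-size file without loading it into memory at once.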
It is also important to realize that the “age of passwords” is kind of on its way out. Passwords by themselves aren’t keeping our accounts safe anymore, because of this combination of password databases and breaches of complete login data.
For accounts that involve money, credit cards and sensitive information, it is a good idea to also start using two-step login procedures, as it is much harder for someone to gain access to two different devices or accounts at the same time (namely your account’s email and your phone). But it is important to keep the associated recovery codes safe too, as they give direct access to your account.
We have some hard times ahead in this age of hacking, so it is important to be as careful as you can. Stay safe.