Exposed: RockYou2021, the largest password breach in history, wasn’t actually a breach

Rockyou2021: largest password breach wasn't actually a breach

A recent data breach dubbed the largest in history by many news outlets and that allegedly exposed 8.4 billion passwords has been revealed not to be a new password breach whatsoever. Misreporting of the situation caused an initial panic online, as publications urged readers to change their personal account passwords immediately after news of the data breach occurred.

While the RockYou2021 compilation, which was posted on a popular hacker forum (URL available on request), does contain details of potentially compromised accounts and leaked passwords, many of these were previously breached. This means that a vast majority of the alleged 8.4 billion leaked passwords were already known.

Moreover, RockYou2021 isn’t just a list of breached credentials and passwords; it’s a collection of various lists such as probable passwords and wordlists. We’ve examined the list to give you the low-down on what exactly this cybersecurity breach entails.

What is the RockYou2021?

The RockYou2021.txt is a collection of breached passwords and credentials, potential passwords, and wordlists. The list was posted on a famous hacker forum in early June 2021 and immediately caused a security scare online. Although reported upon in the CyberNews community as a password leak, RockYou2021 is actually a breach of 8.4 billion unique entries, many of which aren’t related to passwords.

Dubbed RockYou2021 as a nod to the RockYou2009 data leak, this breach doesn’t reveal newly compromised passwords. Our security experts have accessed the list and analyzed it, noting that a lot of the data entries are duplicates of earlier leaks. The full list contains:

  • The Combination of Many Breaches (COMB) list: A list of 3.2 billion previously leaked password entries.
  • A collection of other known password breaches and leaks as well as words from Wikipedia (in the CrackStation Dictionary and Wikipedia Wordlist).
  • Weakpass wordlists and random user passwords.
  • SecLists/Passwords, an amalgamation containing captured passwords and commonly used words, to aid hackers in password cracking attacks.
  • A probable wordlist containing passwords that are known to be used based on password trend research.

So, it seems that a lot of this leaked data had already been exposed in previous breaches. This means that the commotion caused by various online outlets is uncalled for; individuals have had access to the leaked credentials and entries in RockYou2021 for a long time.

Does RockYou2021.txt expose real passwords?

Since RockYou2021 has been continuously referred to as a password leak by the media, it is hard not to feel as though some user accounts and credentials may be at risk online. However, the reality is that it is made up of a lot more than just breached passwords.

While the list does contain some known leaked passwords, it mostly consists of wordlists and potential passwords. To put it simply, RockYou2021 could be seen as more of a free tool to help password crackers gain unauthorized access to online accounts.

Should I be worried about RockYou2021?

While any list like RockYou2021 is worrying, there are a few things to keep in mind when discussing this list:

  • Firstly, the file is not as usable for password crackers as people may think. Chris Partridge noted how the user behind RockYou2021 removed non-ASCII characters, limiting the use of the list in international attacks.
  • Moreover, the passwords in the compilation are limited to 6-20 characters long. While this makes things easier for password crackers, it also means that there could potentially be many longer passwords left off the list.

Troy Hunt also had some insightful thoughts about the leak, which reassured many users. Once news of the data leak broke online, he took to Twitter to share this:

Unlike the original 2009 RockYou data breach and consequent word list, these are not “pwned passwords”; it’s not a list of real world passwords compromised in data breaches, it’s just a list of words and the vast majority have *never* been passwords.

Hunt is right; although the list of words may feature probable passwords that some real users actually employ, this doesn’t mean that their personal account credentials have been breached. A data compilation of common words and possible passwords on this scale is bound to overlap with real user passwords, even if the number is low. We’ve included a screenshot of the list below, to demonstrate the words included in the file.

Moreover, since the list contains passwords from older cybersecurity breaches, it is likely that these have long been changed or are now associated with closed accounts. Overall, we wouldn’t advise users to worry too much about this leak since the passwords on the list can’t be matched to accounts which makes them pretty much worthless.

rockyou2021 gif

How to check if your password has been leaked

Although the data leak is of no major concern, it does raise the inevitable issue of cybersecurity and the very real risk of unauthorized access to online accounts. Fortunately, there are several ways to find out if you have been involved in a password leak.

Firstly, you can visit Have I Been Pwned, one of the best free tools that can reveal whether or not your email address or telephone number has been involved in a data breach. By entering your credentials onto this site, you’ll be able to see whether or not your private details have been compromised in an attack or are floating around on the Dark Web.

You can also turn on Dark Web monitoring alerts on password manager platforms like LastPass. This tool alerts users if their email addresses are found in a database of breached accounts.

Ways to secure your accounts

Although hackers and password crackers employ several methods to work out passwords, there are things that users can do to reduce the risk of breaches.

Firstly, you should create strong passwords that are at least 20 characters long and include a combination of letters, numbers, and symbols. If you can’t think of multiple unique passwords (or remember them all!), then you can use a password manager.

Activating two-factor authentication across all of your accounts is also a good idea. This requires you to enter a code that is usually sent to your phone to access an account. On top of this, following basic online safety rules will stand you in good stead; don’t open spam-like or suspicious-looking emails, and never enter credentials into a non-secure site.


Chris Partridge:

Troy Hunt:

Have I Been Pwned:

Author Madeleine Hodson

Hi, I'm Madeleine. I'm a British writer with a global background, currently based in the UK. I have always been interested in the online world and how it connects people worldwide. My keen interest in the internet led me to ...
Read more about the author