Recently, a 100 GB file containing 8.4 billion passwords (8,459,060,239 unique records) appeared online. Experts believe these passwords are a compilation of previous leaks. The file contains no logins, only passwords between 6 and 20 characters long, and a large share of them are complex passwords with special characters. Everything sits in a single file called RockYou2021.txt.
The file was uploaded by a user with the same nickname, RockYou2021. The nickname is most likely a reference to the 2009 RockYou leak, but that leak was several times smaller: the file posted in 2009 contained only 32 million lines.
The number of passwords in the file exceeds the world’s population, which has not yet reached the 8 billion mark. The total number of Internet users on the planet, by various estimates, is about 5 billion people. It can be assumed that many of the passwords are real and are still in use today.
One view is that the file is largely the product of ordinary generation with an advanced algorithm. According to Troy Hunt, most of the entries in the published file have never been used as passwords; it is simply a compilation of generated strings with some real lists mixed in.
But many information security experts disagree with that opinion, including representatives of the BoyGeniusReport publication: the passwords look very much like what ordinary users usually come up with.
By itself the file is harmless, since it contains no username/password combinations that could be used immediately. But combined with any previously leaked dataset containing users’ email addresses, it becomes a rich base for brute-force attacks. The file can also serve as a password dictionary for such attacks, since it contains both simple and very complex passwords.
According to some experts, the file increases the risk of user accounts at various services being compromised. CyberNews, one of the first to discover the leak, believes the threat is real for billions of users. In reality things are not that frightening, of course, but the situation is still not a pleasant one.
As always, the users at greatest risk are those who have come up with one or two passwords and reuse them across different services whenever convenient. Given that an ordinary person usually has only one e-mail address, the risk of such an account being compromised is really high.
To reduce the risk, it is worth changing a password that is reused in this way. Those who use a strong password generator, with a separate password for each new account, probably have nothing to worry about: although the file contains complex passwords, most of them still look like what people come up with themselves rather than the output of a generator. And since most services now offer two-factor authentication, in that case the risk is lower still.
To check your own data, you can use specialized services that report whether your personal data and passwords have appeared in leaks… Here, however, it is worth considering whether it is wise to “expose” your password to such a service; it may well be that some of these databases appear precisely after the checker services themselves are hacked. They are protected, of course, but…
Incidentally, in February 2021 another list appeared online: 3.2 billion login/password pairs from accounts at Microsoft and Google mail services. That file was a compilation of many earlier leaks.
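As an added example (not part of the article), here is the check that avoids “exposing” the password to a checker service: only the first five hex characters of the password’s SHA-1 are sent, the service returns every hash suffix in that range, and the match is done locally, so the service never learns which password was queried. The range-response format assumed here is the one used by Have I Been Pwned’s Pwned Passwords API; the sample response and its counts are constructed, and the network call itself is omitted so the code runs offline, alongside a plain local check against a downloaded list such as RockYou2021.txt.

```python
import hashlib
from typing import Dict, Iterable, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 of a password into the 5-char prefix that
    would be sent to a k-anonymity range endpoint and the 35-char suffix that
    never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the Pwned Passwords range format) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the leak, matched locally only.
    range_body is what the service returned for this password's 5-char prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def in_local_wordlist(password: str, lines: Iterable[str]) -> bool:
    """Exact-match check against a downloaded list (e.g. RockYou2021.txt),
    streamed line by line so a 100 GB file never has to fit in memory."""
    return any(line.rstrip("\r\n") == password for line in lines)


# Constructed sample of a range response for prefix 5BAA6 (SHA-1 of "password"
# starts with 5BAA6); the other suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

if __name__ == "__main__":
    # Never print or log the password itself; report only the verdict.
    print("seen in leak:", breach_count("password", SAMPLE_RANGE_5BAA6), "times")
    print("in local list:", in_local_wordlist("password", ["123456\n", "password\n"]))
```

In real use the prefix returned by `sha1_prefix_suffix` goes into the request URL and the response body is passed to `breach_count`; a non-zero count means the password should be changed everywhere it is reused.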
What about other leaks?
Let’s be objective: the uploaded password file is not really a leak. But when the data of a company’s customers, with passwords, logins, personal data and so on, appears online, that can be called a real leak.
In Russia, according to some data, the number of leaks in 2020 increased by about a third, although globally the figure decreased slightly.
In 2020, about 100 million records of Russians’ personal data leaked online, which is much more dangerous than a file of billions of passwords posted by someone. At the same time, about 80% of the incidents were committed by company employees, most of them deliberately. In Russia, leaks occur most often in financial services, the public sector and the hi-tech industry.
Worldwide, by the end of 2020 about 11 billion records of personal data and payment information had appeared online (clearly such leaks include several accounts per user; these are not 11 billion separate accounts). The biggest leak can be considered the Whisper incident: 900 million records were stolen from the service at once, that is, every record since the resource was founded in 2021 leaked online. In second place is the Chinese service Weibo, which leaked about 500 billion records. Third is Estee Lauder; no hackers were needed there, the company itself posted 440 million accounts on one of the cloud services.