Rockyou 2024: Why 10 billion stolen passwords are no reason to worry

The number is enough to make you cringe: a collection of almost ten billion login details has appeared on the Internet – more than ever before. A total of 50 gigabytes of passwords in just one file.

And yet that is no reason to hastily change all logins and passwords. BILD explains the background to the biggest leak of all time.

What happened?

The file, which appeared in a public hacker forum, is called “Rockyou2024”. It is a collection of leaked passwords that dates back to 2009. At that time, the login data of users of the company “Rockyou” were stolen and appeared on the Internet.

Since then, the list of stolen logins has been continually expanded. This means that only some of the 10 billion passwords are new data. 8.4 billion alone were already contained in a file called “Rockyou2021”.

What is really in the file?

More crucial than the sheer number of credentials is the quality of the data. Not only is a large part of the content of “Rockyou2024” already several years old; experts also have strong doubts about the rest.

Danish security researcher Lars Karlslund has taken a closer look at the contents of the file. His conclusion: “garbage” produced with little effort, as he writes in a post on LinkedIn.

15 percent of the file is so-called hex code, which means these entries could be passwords, but ones that have not yet been cracked. In addition, another 10 percent of the file consists of character strings longer than 32 characters. The expert considers it “not realistic” that such a large share of passwords would be that long.
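The kind of quality check described above can be reproduced on any wordlist. The following is an added example, not the researcher's own method or code from this article: it sorts lines into hex-looking entries, entries longer than 32 characters, and plausible passwords. Treating hex strings of common digest lengths as "probably an uncracked hash" is an assumption of this sketch, and the sample lines are constructed.

```python
import re
from collections import Counter

# Hex lengths of MD5, SHA-1, SHA-256 and SHA-512 digests.
# Assumption of this example: a hex string of one of these lengths is a hash.
HASH_HEX_LENGTHS = {32, 40, 64, 128}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
MAX_PLAUSIBLE_LEN = 32  # threshold quoted in the article


def classify(entry: str) -> str:
    """Return 'empty', 'hex', 'overlong' or 'plausible' for one wordlist line."""
    entry = entry.rstrip("\r\n")
    if not entry:
        return "empty"
    # Check for hash-like entries first so they are not also counted as overlong.
    if len(entry) in HASH_HEX_LENGTHS and HEX_RE.fullmatch(entry):
        return "hex"
    if len(entry) > MAX_PLAUSIBLE_LEN:
        return "overlong"
    return "plausible"


def triage(lines) -> dict:
    """Return each category's share of the non-empty lines, in percent."""
    counts = Counter(classify(line) for line in lines)
    counts.pop("empty", None)
    total = sum(counts.values())
    return {k: round(100 * counts[k] / total, 1) if total else 0.0
            for k in ("hex", "overlong", "plausible")}


# Constructed sample, not taken from any real leak.
SAMPLE = [
    "sunshine1\n",
    "Tr0ub4dor&3\n",
    "0123456789abcdef" * 2 + "\n",               # 32 hex characters
    "0123456789abcdef" * 2 + "01234567" + "\n",  # 40 hex characters
    "this line is far too long to be a typical human password\n",
    "\n",
    "deadbeef\n",  # hex digits, but not a digest length
    "correct horse\n",
    "qwerty\n",
    "letmein\n",
    "dragon\n",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For a multi-gigabyte file, pass the open file object to `triage` so the lines are streamed rather than loaded into memory.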

Why the leak is no cause for concern

And Karlslund is not alone in his analysis of the supposedly biggest leak of all time: Another security expert who is not fazed by “Rockyou2024” is Troy Hunt. He is, among other things, Regional Director at Microsoft, security consultant for the password manager 1Password, and runs the website haveibeenpwned, which collects data leaks and provides a search engine that you can use to check whether you are affected.

He writes on X: “At a time when there are many really important and highly interesting infosec stories, this one has received an inordinate amount of attention because of the sensational headline. That's all, carry on.”


What you can still do

Even if the file contains new and current login data, a password collection is no longer as threatening as it once was. Two-factor authentication is now standard for most providers. This means that new login attempts can be authorized using a second factor such as a code via e-mail. This makes individual passwords less valuable to hackers. If you want to protect yourself, you should activate this function.

Another weak point is passwords that are used multiple times. A so-called password manager is particularly helpful here, as it creates, manages and automatically inserts secure passwords for you. Apple will bring this feature to the iPhone as a separate app with the upcoming iOS 18, but there are already many providers such as Dashlane, 1Password or Bitwarden.
