An infamous dataset of leaked login details, updated last week, now houses 9,948,575,739 passwords and poses the biggest threat to our online security ever

Check your passwords, people, because if there was ever a good reason to not reuse the same password, or even variants of the same password, then the latest version of the RockYou collection of leaked or stolen passwords must surely be it. With almost 10 billion unique passwords, the dataset is the largest source of genuine login details, from all around the world, making the risk of cyberattacks as high as it's ever been.

The astonishing number was reported by Cybernews (via Sweclockers) after the updated dataset was posted on a forum used by hackers. Back in 2009, social media company RockYou suffered a data breach in which 32 million user accounts were compromised. Over a decade later, in 2023, a 100 GB text file titled RockYou2021 was posted on hacking forums.

It contained around 8.5 billion passwords, making it then the largest dataset of leaked login details since the 3.2 billion COMB collection in 2022. Now, RockYou2024 is larger still and holds just shy of 10 billion unique email addresses and passwords. Even if one accounts for the fact that every person who's online will have multiple login accounts, the figure is large enough to be of major concern.

The biggest danger the compilation poses is that the information can be used to increase the success of credential stuffing, a type of brute force attack that runs through multiple login attempts to gain access to an account. Not only does this put individuals at risk of identity theft, but it also increases the chances of the business hosting the online account suffering a comprehensive data breach.

This information is then fed back into the RockYou dataset, making it increasingly potent. Any decent cloud or hosting service will have mechanisms to combat brute force attacks, but if a login appears genuine (because it's using a valid email address and password), then there's little the service can do to prevent access.

If this news comes across as being very alarming, then that's a good thing. Because it means people are more likely to take action to prevent the situation from becoming worse.

If you're wondering what exactly you should do, then here's my advice. Never assume that any of your online accounts are safe and never use the same password for any of them—even variations of the same password are risky to use.

I strongly recommend that you change your passwords now, using a combination of three words that you can easily remember, making sure to include numbers and special characters. For any account that offers it, also make sure you enable two-factor or multi-factor authentication (2FA/MFA).

Cybernews offers a password checking service and you can use this to see if a specific password appears in the RockYou2024 dataset. It's safe to do this because you're not providing any other details, such as an email address, that would identify the password with a particular account. Even if one of your passwords isn't in the database, I still recommend that you add a layer of security to your online accounts. If an account doesn't offer one, then it's even more important you change the password to a large and complex one right now.


Nick Evanson
Hardware Writer
