Everyone involved with CTF has used the infamous rockyou.txt wordlist at least once, mainly for password cracking. The file is a list of 14 million unique passwords originating from the 2009 RockYou breach, and it has become a piece of computer security history. The "rockyou lineage" has evolved over the years.
Attackers used the original RockYou file as a starting point and kept adding passwords from other data breaches. This culminated in RockYou2021, a list containing a staggering 8.4 billion records. Such huge wordlists are used for credential stuffing and other brute-force attacks, putting untrained users at risk of unauthorized access, as Levi Strauss experienced this year. However, reality is a little different.
RockYou2024
With the 2021 version the numbers were already high, but the newest release is the (apparently) ultimate amalgamation. RockYou2024 has been released by the user "ObamaCare".
This new version adds 1.5 billion records to the 2021 version, reaching 10 billion records in total. A wordlist can potentially be used for a multitude of tasks, and having this number of records in a single file, especially in 2024 with increasingly aggressive data breaches, is a dream come true for attackers. The user has not specified the nature of the additional records, but points out that the new data comes from recently leaked databases.
Conclusions – not all that glitters is gold
This might seem like a valuable resource for attackers, but we need to analyze the contents to determine its true worth.
Garbage Data = The unzipped file weighs 146GB, but a bit of analysis brings out a lot of discrepancies. First, the majority of the 32-character entries are raw hashes (which breaks ObamaCare's promise), roughly 15GB worth; the same goes for the 60-character strings, which account for as many GB. Moreover, the file starts with a long run of 0x00 bytes for no reason, and company names and random strings are also part of the file. ObamaCare probably wanted to reach 10 billion records at all costs, for fame or attention, without taking care over the additional data.
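The quickest way to verify claims like the ones above is to profile the file rather than trust its line count. The script below is an added example written for this article, not tooling from ObamaCare or from the RockYou2024 release; the sample lines are constructed to resemble the kinds of junk described (NUL padding, hex digests, bcrypt-shaped strings, company names, duplicates) and are not taken from the leak. The category thresholds are heuristics, and the hex check generalises beyond the 32-character case the article mentions to the other common digest lengths.

```python
"""Profile a wordlist to see how much of it is actually password candidates."""
import re
from collections import Counter
from typing import Iterable

# 32 hex characters is the length of an MD5 digest; 40 and 64 are SHA-1 and
# SHA-256. Plaintext passwords of exactly these lengths made only of hex digits
# are rare enough that treating them as hashes is a reasonable heuristic.
HEX_DIGEST = re.compile(rb"^[0-9a-fA-F]+$")
HEX_DIGEST_LENGTHS = {32, 40, 64}
# bcrypt output is always 60 characters and starts with one of these prefixes.
BCRYPT_PREFIXES = (b"$2a$", b"$2b$", b"$2y$")


def classify(line: bytes) -> str:
    """Bucket one line; anything not a plausible password gets a junk label."""
    if not line:
        return "empty"
    if b"\x00" in line:
        return "null_bytes"        # NUL padding, never a real password
    if len(line) in HEX_DIGEST_LENGTHS and HEX_DIGEST.match(line):
        return "hex_digest"        # raw hash, not a plaintext
    if len(line) == 60 and line.startswith(BCRYPT_PREFIXES):
        return "bcrypt_digest"     # hashed value, useless for cracking input
    if len(line) > 64:
        return "overlong"          # beyond any realistic password policy
    if len(line.split()) >= 3:
        return "multi_word"        # company names, sentences, other text
    return "candidate"


def profile(lines: Iterable[bytes]) -> dict:
    """Count categories, duplicate candidates and line lengths over a wordlist."""
    categories: Counter = Counter()
    lengths: Counter = Counter()
    seen: set = set()
    total = duplicates = 0
    for raw in lines:
        line = raw.rstrip(b"\r\n")
        total += 1
        category = classify(line)
        categories[category] += 1
        lengths[len(line)] += 1
        if category == "candidate":
            if line in seen:
                duplicates += 1
            else:
                seen.add(line)
    return {
        "total": total,
        "categories": dict(categories),
        "lengths": dict(lengths),
        "duplicate_candidates": duplicates,
        "unique_candidates": len(seen),
        "usable_fraction": len(seen) / total if total else 0.0,
    }


def profile_bytes(data: bytes) -> dict:
    return profile(data.splitlines(keepends=True))


def profile_file(path: str) -> dict:
    # Stream line by line so a 146GB file never has to fit in memory.
    with open(path, "rb") as fh:
        return profile(fh)


# Constructed sample (not real leak data) covering each category above.
SAMPLE_LINES = [
    b"\x00" * 8,                            # NUL run like the one at the start of the file
    b"password123",
    b"summer2024!",
    b"5f4dcc3b5aa765d61d8327deb882cf99",    # md5("password"): 32 hex chars
    b"$2b$12$" + b"a" * 53,                 # constructed 60-char bcrypt-shaped string
    b"Acme Widgets Holding Ltd",            # company name, not a password
    b"password123",                         # duplicate of line 2
    b"qwerty",
]
SAMPLE = b"\n".join(SAMPLE_LINES) + b"\n"

if __name__ == "__main__":
    import sys
    result = profile_file(sys.argv[1]) if len(sys.argv) > 1 else profile_bytes(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run with a path to profile a real file, or with no arguments to see the sample: of the eight constructed lines only three are unique usable candidates. The in-memory set for exact deduplication is fine for a sample, but at the scale of a 10-billion-line file you would dedupe with `sort -u` on disk or a probabilistic sketch instead.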
Real Threat and Risks = Even with 2 billion records added to the 2021 version, the risk and threat remain the same as three years ago. The size of this file shouldn't scare you as much as you might think. In real-world attacks, attackers often prefer to buy targeted credentials from underground marketplaces (credential brokers) rather than resorting to brute-force attacks with massive wordlists. Skilled attackers prefer a more precise approach: they craft custom wordlists tailored to their targets. Dictionaries, word rules, and tools like CeWL, Crunch, awk, and sed become their weapons of choice, allowing them to act intelligently rather than relying on bulky wordlists.
While a massive wordlist like RockYou2024 can generate noise and attract attention, the underlying risk remains modest. Skilled attackers use targeted methods, and brute-forcing with unrefined data is inefficient for them. With the release of RockYou2024 there is no additional security meltdown, nor the huge security risk that has been described in these hours.