myNetWatchman clients (and most others) don’t need to be concerned about RockYou2024 - don’t be put off by the size.
The RockYou2024 data set, with its staggering 10 billion records freely available online, has caused quite a stir in the cybersecurity world. We took a look beyond the headlines to understand what this data dump truly represents and its actual impact. While the primary focus on 10 billion records overstates the breadth of what is actually useful, the 65 percent (at least) of the data set that is likely to be real, unencrypted passwords might be useful to a small group of fraudsters. Even then, the reality is that the compromised passwords contained in it were being used well before it was released.
What is it
RockYou2024 is a data dump, freely available online. It is a mix of plain-text passwords, hashed passwords, plausible (but not necessarily in-use) passwords from wordlists and likely some junk data. The name "RockYou" dates back to 2009 when a file named “rockyou.txt” containing 14 million unique passwords was posted online. The list grew over the years, reaching 8.4 billion records by 2021. The latest iteration, RockYou2024, added 1.5 billion new records, approaching the headline-grabbing number of 10 billion.
What’s inside
RockYou2024 has only passwords, or more accurately, records that might be passwords. These are not credential pairs - credential pairs (username and password together) are more valuable than passwords alone. In contrast, we have over 30 billion pairs in our repository.
Encrypted data - About 950 million records, about 10% of the data set, are hashed words; these are of little value to attackers, because cracking a hashed word (more so a hashed and salted word) is technically challenging and time-consuming.
Junk - random strings, company names, and other garbage that aren’t really passwords people use. For example, we found more than 50 thousand records starting with “0x00” and agree with Red Hot Cyber that junk data was included because the hacker probably “wanted to reach 10 billion records at all costs just for fame or attention.”
What’s left is about 6.14 billion records that could be plain-text passwords.
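To make the triage described above concrete, here is an added example (not myNetWatchman's own tooling) that buckets the lines of a RockYou-style dump into hash-like, junk and plausible-plaintext records. The heuristics are assumptions for illustration: fixed-length hex for common unsalted digest sizes, modular-crypt `$` prefixes, the `0x00` junk prefix the post mentions, and a length cut-off; the sample lines are constructed, not records from the real data set.

```python
import re
from collections import Counter
from typing import Iterable

# Assumed heuristics: unsalted digests usually appear as fixed-length hex
# (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512).
HEX_DIGEST_LENGTHS = {32, 40, 56, 64, 96, 128}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Modular-crypt style prefixes: $1$ md5crypt, $2a/$2b/$2y$ bcrypt, $5$/$6$ sha-crypt, etc.
CRYPT_PREFIX_RE = re.compile(r"^\$(1|2[aby]|5|6|apr1|argon2[id]{1,2}|pbkdf2[-\w]*)\$")
MAX_PLAUSIBLE_LEN = 64  # assumed cut-off; longer lines are treated as junk

def classify(line: str) -> str:
    """Return 'hashed', 'junk' or 'plaintext' for one dump line."""
    s = line.rstrip("\r\n")
    if not s.strip():
        return "junk"          # empty or whitespace-only record
    if s.startswith("0x00"):
        return "junk"          # the junk pattern the post calls out
    if CRYPT_PREFIX_RE.match(s):
        return "hashed"
    if len(s) in HEX_DIGEST_LENGTHS and HEX_RE.match(s):
        return "hashed"        # a real password could look like this; small error accepted
    if len(s) > MAX_PLAUSIBLE_LEN:
        return "junk"
    return "plaintext"

def triage(lines: Iterable[str]) -> dict:
    """Count records per bucket; works on any iterable, e.g. an open dump file."""
    counts = Counter(classify(l) for l in lines)
    return {k: counts.get(k, 0) for k in ("plaintext", "hashed", "junk")}

def shares(counts: dict) -> dict:
    """Each bucket's share of the total, as a percentage rounded to one decimal."""
    total = sum(counts.values()) or 1
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}

# Constructed sample lines standing in for a slice of a dump file.
SAMPLE_LINES = [
    "password123\n",
    "0123456789abcdef0123456789abcdef\n",           # 32 hex chars: MD5-length digest
    "$2b$12$constructedSaltAndHashValueNotReal\n",  # bcrypt-style modular-crypt prefix
    "0x00deadbeef\n",                                # junk prefix noted in the post
    "correct horse battery staple\n",
    "   \n",                                         # whitespace-only junk
]

if __name__ == "__main__":
    counts = triage(SAMPLE_LINES)
    print(counts, shares(counts))
```

Run it over a real file with `triage(open(path, errors="replace"))` to get the split that the headline record count hides.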
Real-world use
We monitor live criminal traffic, as it happens. In the week after RockYou2024 was released, we saw 370 million credential pairs used in illegitimate logins, credential stuffing attacks, and ATO attempts. 56% of those used passwords in the RockYou2024 data set.
However, in the week before RockYou2024 came out, we also saw the same proportion - 56% - of logins using passwords in RockYou2024. In other words, we didn’t see any indication that RockYou2024 exposed a significant number of passwords that hadn’t been used before.
Threat Level
For our clients, we don’t see this breach increasing the existing level of threat to account takeover from compromised credentials. Its contents, potential and unverified passwords, are low value compared to breaches that contain username and password combinations, for example the 30+ billion credential pairs we have that criminals have actually used. We do expect some criminals will use them in brute-force stuffing attacks, but that kind of activity has a significantly lower success rate than credential stuffing attacks, which rely on compromised credential pairs. And the timing risk is low - 84% of the set was available three years ago or more. Wide availability of breached passwords and poor password hygiene make ATO and credential stuffing attacks a persistent and credible threat, but RockYou2024 didn’t greatly elevate that threat; it was already quite high.
Recommendations
As always, we recommend our clients help users practice good password hygiene. Have password policies in place to require strong passwords, use 2FA where it makes sense for the user experience, and protect users from using known compromised accounts with our services. We DO NOT recommend you let the hype around RockYou2024 alarm you into drastic action. Forcing all users implicated in RockYou2024 to change passwords would cause unnecessary friction without significantly reducing risk.