The New RockYou2024 Collection has been published! 10 Billion Credentials Compromised

Alessio Stefan : 6 July 2024 15:40

Everyone involved with CTF has used the infamous rockyou.txt wordlist at least once, mainly to perform password cracking activities. The file is a list of 14 million unique passwords originating from the 2009 RockYou hack making a piece of computer security history. The “rockyou lineage” has evolved over the years.

Attackers used the original RockYou file as a starting point and continually added passwords from various data breaches. This culminated in RockYou2021, a list containing a staggering 8.4 billion records. These huge wordlists are used for credential stuffing and other brute-force attacks, putting untrained users at risk of unauthorized access, like Levi Strauss experienced this year. However reality is a little different

RockYou2024

With the 2021 version we touched high numbers but with the newest release is the (apparently) ultimate amalgamation. RockYou2024 has been released by the user “ObamaCare”

Supporta RHC acquistando il Corso CTI:

Supporta RHC attraverso:

• L'acquisto del fumetto sul Cybersecurity Awareness
• Seguendo RHC su WhatsApp
• Seguendo RHC su Telegram
• Scarica gratuitamente "Dark Mirror", il report sul ransomware di Dark Lab

This new version added 1.5 billion of records to the 2021 version reaching the 10 billions records. A wordlist can potentially be used for a multitude of tasks and having this number of records in a single file, especially in 2024 with increasingly aggressive data breaches, is a dream come true for attackers. The user have not specified the nature of the additional records but puntualize the new data comes from recent leaked databases.

Conclusions – not all that glitters is gold

This might seem like a valuable resource for attackers, but we need to analyze the contents to determine its true worth.

1. Garbage Data = The unzipped file is 146GB worth but with some analysis a lot of discrepancy pop out. First the majority of 32 characters are all raw hashes (which break the promises of ObamaCare) which is about 15GB approximately, same thing for 60 character strings with as many GB. Moreover the file starts with a lot of 0x00 characters with no reason, company names and random strings are also part of the file. Probably ObamaCare wanted to reach 10 billion records at all costs just for fame or attention without taking care on the additional data.
2. Real Threat and Risks = Even with 2 billions of record added to the 2021 version the risk and threat remains the same as 3 years ago. The size of this file shouldn’t scare you as much as you might think. In real-world attacks, attackers often prefer to buy targeted credentials from underground marketplaces (credential brokers) rather than resorting to brute-force attacks with massive wordlists. Skilled attackers prefer a more precise approach. They craft custom wordlists tailored to their targets. Dictionaries, word rules, and tools like Kewl, Crunch, Awk, and Sed become their weapons of choice, allowing them to act intelligently rather than relying on bulky wordlists.

While a massive wordlist like RockYou2024 can generate noise and attract attention, the underlying risk remains not that significant. Skilled attackers use targeted methods, and brute-forcing with unrefined data is inefficient for them. With the release of RockYou2024 there is no additional security meltdown nor huge security risk like have been described in these hours.

Alessio Stefan
Member of the Dark Lab group. Master's student of AI & Cybersecurity and CTF player with a passion for ethical hacking that has been with him since a young age. He spends his days immersed in studying and discovering new methods of attack with just the right amount of practice. Convinced that hacking is a culture he applies its principles not only in the digital world but also to daily life while waiting of turning his dedication into a career.