Billions of passwords leaked online - rockyou2021

pendragon1

"Dubbed RockYou2021, the list as revealed on a hacker forum contains 8.4 billion password entries, says CyberNews."
"A list of leaked passwords discovered on a hacker forum may be one of the largest such collections of all time. A 100GB text file leaked by a user on a popular hacker forum contains 8.4 billion passwords, likely gathered from past data breaches, tech news site CyberNews said on Monday."

https://techxplore.com/news/2021-06-largest-password-breach-history-leaked.html
https://www.techrepublic.com/article/billions-of-passwords-leaked-online-from-past-data-breaches/

better check...
https://haveibeenpwned.com/
 
I like how websites require me to have a complicated password but yet it doesn't matter because there's a security vulnerability that allowed them to get hacked and have all the passwords stolen anyway. No one will ever brute force their way to find your password because after 3 or 5 attempts you're locked out. It's always the lack of updated security that's the problem, not my shit password.
 
I like how websites require me to have a complicated password but yet it doesn't matter because there's a security vulnerability that allowed them to get hacked and have all the passwords stolen anyway. No one will ever brute force their way to find your password because after 3 or 5 attempts you're locked out. It's always the lack of updated security that's the problem, not my shit password.
It always puzzles me how this happens. Like, why are they insisting on elaborate, impossible-to-remember strong passwords, and then storing them in the clear? The idea of hashing a salted password has been around for at least 20 years.

Or are the attackers actually retrieving hashed passwords and then brute forcing them all back into what they think are the original strings somehow?
 
Most of these dumps usually contain many past dumps as well, as this one does from reading.
 
It always puzzles me how this happens. Like, why are they insisting on elaborate, impossible-to-remember strong passwords, and then storing them in the clear? The idea of hashing a salted password has been around for at least 20 years.

Or are the attackers actually retrieving hashed passwords and then brute forcing them all back into what they think are the original strings somehow?
Perception, they want people to think they are secure, without doing the actual work to make it secure. This is why laws are required for companies to at least take a min. level of basic security around data and cyber insurance companies are also getting on board with this concept as it means they will pay out less, or nothing at all if company XYZ used the default passwords or didn't encrypt passwords.
 
Passwords don’t need to be complex, the best password you have is a small phrase that you couldn’t forget if you tried. We all have one, 3-5 words long no machine is guessing that any time soon. But it’s all pointless if the site’s shit security and crap IT store it in plain text on a poorly configured AWS instance.

there really needs to be some sort of legal implications for these sorts of breaches. There is absolutely 0 reason to not be salting your databases at this stage.
 
Passwords don’t need to be complex, the best password you have is a small phrase that you couldn’t forget if you tried. We all have one, 3-5 words long no machine is guessing that any time soon. But it’s all pointless if the site’s shit security and crap IT store it in plain text on a poorly configured AWS instance.

there really needs to be some sort of legal implications for these sorts of breaches. There is absolutely 0 reason to not be salting your databases at this stage.
"Please re enter your old password" ...Anus
"Please type your new password" ...Butt
 
Went through and changed the passwords that said they were breached. Luckily nothing major, mostly random forum accounts I haven't used in years.

Still, though, so many major companies with clown town security. If they were properly managed, the password hashes would be irrelevant (even if breached).

The hackers could still get some account info that was saved in plain text, but not the password. I agree there should be some recourse or penalty. This can't keep happening with no one being on the line.
 
I'm actually in the process of slowly switching over to 2FA. Once I have everything I can on 2FA I'm going to switch off of the Google Authenticator and start using Yubikey.
 
so, I go to CyberNews/password-leak-check and then ENTER all my most secret coveted PW's and then THEY have them ... are they out of their minds or what? Yea, sure, let me enter all my passwords there, I'm sure those PW's will never ever get hacked or sold, not from that website because EVERYONE on the web is honest as the day is long.
Just when I start to begin to think, "Just how stupid can we really be" someone has to go and show me (or I wind up showing myself).

I won't use any PW checker online, seems foolish to do so all things considered, If you're worried about your PW getting out there you can just change your current PW but then, it might actually become a PW someone might immediately hack right after you change it :LOL: in other words ... the Internet is NOT a safe and secure place, never was, still is not and likely never will be.

Want peace of mind to thwart those who hack for a living? Go off the grid.
 
so, I go to CyberNews/password-leak-check and then ENTER all my most secret coveted PW's and then THEY have them ... are they out of their minds or what? Yea, sure, let me enter all my passwords there, I'm sure those PW's will never ever get hacked or sold, not from that website because EVERYONE on the web is honest as the day is long.
Just when I start to begin to think, "Just how stupid can we really be" someone has to go and show me (or I wind up showing myself).

I won't use any PW checker online, seems foolish to do so all things considered, If you're worried about your PW getting out there you can just change your current PW but then, it might actually become a PW someone might immediately hack right after you change it :LOL: in other words ... the Internet is NOT a safe and secure place, never was, still is not and likely never will be.

Want peace of mind to thwart those who hack for a living? Go off the grid.
lol you don't give the site your password. maybe read closer...

"Use a reputable data leak checker where you can enter your email address to find out if your account may have been caught in a breach. Sites worth trying include Have I Been Pwned, Firefox Monitor, and Avast Hack Check."
or
 
Passwords don’t need to be complex, the best password you have is a small phrase that you couldn’t forget if you tried. We all have one, 3-5 words long no machine is guessing that any time soon. But it’s all pointless if the site’s shit security and crap IT store it in plain text on a poorly configured AWS instance.

there really needs to be some sort of legal implications for these sorts of breaches. There is absolutely 0 reason to not be salting your databases at this stage.
"Fuckthissite@nditspasswordrequ1rements"
 
This is probably a good time to mention our sponsor, https://www.lastpass.com , never forget your password again, and thwart hackers before they can get into your account.

No seriously. If you are not using a password manager, you will regret it. Give each site an impressively long random string of letters/numbers/symbols, and use a different generated password on every single site.

Even if one random forum gets hacked (and it will) the hackers won't have access to your email, bank account, paypal, etc. Also enable 2FA on any serious accounts (like your email, banks, etc.).

Nothing is bulletproof, but with good security you can make it tedious and troublesome for hackers, they will just go for easy targets instead. You think it won't happen to you but it's for real.
 
This is probably a good time to mention our sponsor, https://www.lastpass.com , never forget your password again, and thwart hackers before they can get into your account.

No seriously. If you are not using a password manager, you will regret it. Give each site an impressively long random string of letters/numbers/symbols, and use a different generated password on every single site.

Even if one random forum gets hacked (and it will) the hackers won't have access to your email, bank account, paypal, etc. Also enable 2FA on any serious accounts (like your email, banks, etc.).

Nothing is bulletproof, but with good security you can make it tedious and troublesome for hackers, they will just go for easy targets instead. You think it won't happen to you but it's for real.
My PW manager is a pen and paper in my back pocket! lol
OK OK, actually a fingerprint locked .txt file on my phone that I have yet to backup......
 
This is probably a good time to mention our sponsor, https://www.lastpass.com , never forget your password again, and thwart hackers before they can get into your account.

No seriously. If you are not using a password manager, you will regret it. Give each site an impressively long random string of letters/numbers/symbols, and use a different generated password on every single site.

Even if one random forum gets hacked (and it will) the hackers won't have access to your email, bank account, paypal, etc. Also enable 2FA on any serious accounts (like your email, banks, etc.).

Nothing is bulletproof, but with good security you can make it tedious and troublesome for hackers, they will just go for easy targets instead. You think it won't happen to you but it's for real.
What he said^^

Although I'm switching away from lastpass, I will continue using a separate, random, long-ass password for every site. At some point, I'll go through them all and update them, although I think it's mostly unnecessary except for financial sites.
 
Given the rate of breaches, combined with exponential increases in machine learning we should have a rainbow table which contains every conceivable password in every possible hash sooner rather than later. At that point the only secure password is Dog123 stored in plaintext because no one would believe it.
 
I should also mention that it's not just paranoia. I've had hackers clean out my bank account before (because I used a weak password on PayPal and it was linked to my bank account).

Also had my identity stolen. The hackers started opening credit accounts in my name, like 10 or 15 of them. They even walked into the Macy's store in New York City with a fake drivers license in my name to open a credit line.

That was madness trying to fix all that. Another word of advice, lock your credit. You probably only need your credit unlocked infrequently (like when buying a house, which doesn't happen often) and you can unfreeze it when needed.

It makes a huge difference, with a locked credit the hackers can't do anything, and it would be really hard for them to answer all the security questions to try to impersonate you. Safety first.
 
If you happen to save your passwords in chrome it also checks to see if they are compromised if you go to the settings page for it.
 
If you happen to save your passwords in chrome it also checks to see if they are compromised if you go to the settings page for it.
Which you wonder how, they are taking the hash I presume and going against leaks, but if hashed and leaked = they know your password. Similar I guess to how Apple does it.
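An added example, not from any post here and not a description of how Chrome's checker works: a hash-prefix range lookup in the style of Have I Been Pwned's Pwned Passwords service, where only the first five hex characters of the SHA-1 digest leave the client. The server is simulated in memory, and the corpus, counts and function names are constructed for illustration.

```python
import hashlib
import string

# Constructed sample corpus standing in for a breach list (not real leak data).
LEAKED = {"Dog123": 7, "password1": 3, "letmein": 12}
SERVER_LOG = []  # everything the simulated server ever receives


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: dict) -> dict:
    """Server side: bucket the digests by their first 5 hex characters."""
    index = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


INDEX = build_index(LEAKED)


def server_range(prefix: str) -> str:
    """Server side: sees a 5-character prefix, returns 'SUFFIX:COUNT' lines."""
    if len(prefix) != 5 or any(c not in string.hexdigits for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    SERVER_LOG.append(prefix)
    return "\n".join(f"{s}:{c}" for s, c in INDEX.get(prefix.upper(), []))


def check_password(password: str, query=server_range) -> int:
    """Client side: the password and its full digest stay local.

    Returns how many times the password appears in the corpus (0 = not found).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:  # the match is decided on the client
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("Dog123", "three words nobody guesses"):
        print(pw, "->", check_password(pw))
    print("server saw only:", SERVER_LOG)
```

Against a real service the bucket for one prefix holds many unrelated suffixes, so the server cannot tell which of them, if any, the client was asking about.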
 
lol you don't give the site your password. maybe read closer...

"Use a reputable data leak checker where you can enter your email address to find out if your account may have been caught in a breach. Sites worth trying include Have I Been Pwned, Firefox Monitor, and Avast Hack Check."
or

there's also a link for a password checker over at CyberNews. It was in your original post ...

go to "contains 8.4 billion passwords" then scroll down and click on the link "leaked password checker" it's located right under the heading How to check if your password was leaked?
 


Guess I have to change my password, lol. You'd have to be a fool to enter your password into any site, no matter the claim.
 
there's also a link for a password checker over at CyberNews. It was in your original post ...

go to "contains 8.4 billion passwords" then scroll down and click on the link "leaked password checker" it's located right under the heading How to check if your password was leaked?
ah, that's a link from in the article. the first checker is an email one, the second sure, don't put a password in.
 
there's also a link for a password checker over at CyberNews. It was in your original post ...

go to "contains 8.4 billion passwords" then scroll down and click on the link "leaked password checker" it's located right under the heading How to check if your password was leaked?
Ah, shit...they found the site I've been using to archive all the passwords I've stolen!
 
If you happen to save your passwords in chrome it also checks to see if they are compromised if you go to the settings page for it.
You can also export all of your saved Chrome passwords in a plaintext CSV with just verifying your admin password. I don't tend to save passwords in Chrome anymore for important stuff. Bitwarden does a good job, used to use LastPass but they charge now to use both desktop and mobile.
 
I think I checked that 'haveIbeenpwned' site a while back and some accounts I no longer use were breached. But for peace of mind I changed my e-mail address password for something with lots of special characters and capital letters, wrote it down on a piece of paper and stored it with other important documents of mine. I guess it won't do me much good if gmail is breached or any browser that I use and have it saved there, but at least if other accounts I have in different services get breached, it's not the same password as my main e-mail account. I had been using the same password for almost everything for years, really bad practice.
 
This is probably a good time to mention our sponsor, https://www.lastpass.com , never forget your password again, and thwart hackers before they can get into your account.

No seriously. If you are not using a password manager, you will regret it. Give each site an impressively long random string of letters/numbers/symbols, and use a different generated password on every single site.

Even if one random forum gets hacked (and it will) the hackers won't have access to your email, bank account, paypal, etc. Also enable 2FA on any serious accounts (like your email, banks, etc.).

Nothing is bulletproof, but with good security you can make it tedious and troublesome for hackers, they will just go for easy targets instead. You think it won't happen to you but it's for real.
Not using any password managers that store things online.
 
It's inevitable that sites will get hacked.

Use a different password everywhere, you will be fine. You will get the occasional account info leaked and have 1 password to change instead of 30, and 1 exposure instead of 30. NEVER re-use a password.

I've got mine all written down, pen/paper. Email account passwords, bank account and paypal are all memorized. 2fa in places where it makes sense: Steam and other game stores, google accounts (phone), credit card sites, banks, cryptocurrency sites/wallets. You don't need 2fa on the Epic forums, etc.
 
I wish there was a way to just check the actual text file easily to see what user/pw combinations they have there, so I know whether or not I have to change them all.
 
I wish there was a way to just check the actual text file easily to see what user/pw combinations they have there, so I know whether or not I have to change them all.
I wanted this for a second then remembered it's 100gb. Having tried to load a couple GB text file in the past, I doubt that would work out. It would have to be hosted on a site developed to present that to multiple users without issues. Does pastebin do that?
 