• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
Restore Privacy

Restore Privacy

Resources to stay safe and secure online

  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact
  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Runbox Review
    • CTemplar Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • NordVPN vs PIA
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • Surfshark vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact

No, You Don’t Need to Worry About the RockYou2021 “Password Leak” – Here’s Why

June 10, 2021 By Sven Taylor — 6 Comments
Password RockYou2021 leak

Over the past 48 hours, we have been watching the news about the RockYou2021 “Password Leak” blowing up in the media. Unfortunately, there are many misconceptions about this so-called “leak” floating around, so let’s take a closer look and examine the facts.

But before we dive in, let’s cover a quick background of the story.

What started this news frenzy was this post on a hacking forum claiming to offer billions of passwords:

RockYou2021 Password breach
This is the original post on a hacker forum that resulted in a news frenzy about billions of passwords.

As you can see in the screenshot above, the user is offering a combination of existing lists, as well as data from “other lists” that are not specified.

Following this post, news outlets began trumpeting stories about 8 billion passwords being leaked online, or “the mother of all password leaks, with billions of credentials exposed” according to Yahoo and others.

But is this really the case?

Answer: No. Here are the facts.

A giant list of words – NOT new passwords

As you can see in the original forum post above, the user was simply posting existing lists from various sources. In other words, these are not new, real-world passwords, but instead mostly wordlists from sources like Wikipedia.

To see this, we only need to look at the sources that the user included in the list:

  • The Crackstation.net Dictionary – This contains every wordlist, dictionary, and existing password leak data, as well as every word in Wikipedia and words from Project Gutenberg. In short, this is a giant list of words, with a few old passwords mixed in.
  • The Hack3r Wikipedia Wordlist – Again, just another giant wordlist from Wikipedia.
  • Daniel Meissler’s SecLists on Github – This includes common credentials, words, permutations, default credentials, as well as some existing credentials from leaks and honeypots.
  • Berzerk0’s Probable Wordlists on Github – This includes existing passwords and dictionaries.
  • The Weakpass list – Another compilation of wordlists and existing passwords.
  • Data from COMB – This is the Combination of Many Breaches, which is another combination list that includes some existing passwords.

As you can see, there is no new data here and no new credentials being exposed or “leaked” to the public. This is merely a list that combines existing lists. And what’s more, it is composed mostly of wordlists.

Nothing new or unique

As you have probably gleaned by looking at the actual sources of this so-called leak, there is actually nothing new or unique being offered here. So why is anyone sounding the alarm, and how did this become news?

Even calling this “RockYou2021” is a stretch, because there is no new information, unlike the original Rock You leak in 2009. Troy Hunt, the security expert behind the Have I Been Pwned project, took to Twitter to put this so-called “password leak” into context. He also explained why he will not be adding any of the data to his own lists:

Troy Hunt on RockYou2021 Password Breach

This leads us to our next question.

Is the data even useful?

If you were a threat actor looking for an actual list of passwords to exploit, then no, this “leak” would not be very useful.

However, this list could be useful for a dictionary attack, simply because it compiles a giant list of words. And this is exactly what the user on the hacker forum posted in his opening sentence: “should be good for a dictionary attack.” (For those wondering, a dictionary attack is simply using words from a dictionary as potential passwords when trying to gain access to an account.)

So if this leak is mostly a giant list of words, and does not contain any new compromised passwords, then how did this story explode? Why do we find Yahoo telling people, “If you’re reading these words, suffice it to say you probably need to change your passwords.”

You should already be using strong, unique passwords

For years we’ve been discussing the importance of using strong, unique passwords. We have a basic guide on how to create strong passwords, which is a good refresher. And of course you should not be recycling passwords for different websites and accounts. This could give someone access to everything you secure with the common password (if it were to be compromised somehow).

And if you find the thought of managing lots of complex passwords daunting, there are some great tools for that, too. Enter the password manager. A good password manager will not only store all your passwords in a secure location, but it can also help you generate secure passwords.

For example, we’ll look at Bitwarden, which is a free and open source password manager. With it, you can generate complex, unique, and secure passwords with the click of a button, as you can see here:

Password Generator

And for more info on this topic, check our guide on password managers here.

Lastly, if you are concerned about your passwords being exposed or leaked, you can always check out the Have I Been Pwned passwords page to see.

About Sven Taylor

Sven Taylor is the lead editor and founder of Restore Privacy, a digital privacy advocacy group. With a passion for digital privacy and accessible information, he created RestorePrivacy to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics.

Reader Interactions

Comments

  1. BoBeX

    June 13, 2021

    Misleading and alarmist privacy messaging is extensive.
    I believe many people are genuinely concerned about there privacy yet the information “out there” is so hard to trust and digest; and many people don’t have the time to investigate.
    Unnecessary alarmist headlines/shares is only going to exhaust the little time and attention ordinary people have to turn towards their genuine concern for privacy.

    Ordinary people with genuine concern only need gentle guidance and pointers towards the simple steps to decrease there own privacy risk.

    Another fantastic article by RP. Sven an team are fantastic privacy communicators.

    Reply
  2. Sandi

    June 11, 2021

    Question. Does this leak make our passwords any easier to crack by the bad guys?

    Reply
    • Sven Taylor

      June 11, 2021

      Nope, nothing changes, this wasn’t a leak, and no new passwords were even compromised. It’s all just old data and LOTS of random words.

      Reply
  3. Tom Griner

    June 10, 2021

    I think I first saw this on cyber news. It doesn’t add up. Do the math.

    And why didn’t any tech journalists just look at WHAT is in this breach before shouting “OMG BILLIONS OF PASSWORDS ARE LEAKED!” and all the other stupid headlines.

    Reply
    • Anon

      June 11, 2021

      Because tech journalism today is not much more than clickbait headlines.
      And most people are too dumb to understand what’s really going on here. Heck, most people don’t even know how to create a secure password, so let’s get real. Yes, I’m cynical.

      Reply
      • P.

        June 12, 2021

        I agree. Catchy headlines attract more users, so more user data is being harvested, more users potentially clicking on adds. The content should make an impression it’s credible 🙂

        Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

Digital Privacy Essentials:
Secure Browsers
Private Search Engines
Secure Email
Best Password Managers
Secure Messaging Services
Best Ad Blockers
Best VPN Services
Secure Cloud Storage

Privacy & Security Guides:
Privacy Tools
Alternatives to Google Products
Firefox Privacy Modifications
Five Eyes, 9 Eyes, 14 Eyes Spying
Browser Fingerprinting
Is Tor Safe?
Alternatives to Gmail
VPN vs Tor
Alternatives to WhatsApp
Is Your Antivirus Spying on You?
Controlling Communication Channels is Crucial for Privacy
Anonymity Networks: VPNs, Tor, and I2P
How to Really Be Anonymous Online
Private and Anonymous Payments

Secure Email Reviews:
ProtonMail Review
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Temporary Email Services
Encrypted Email

Password Manager Reviews:
Bitwarden Review
LastPass Review
KeePass Review
NordPass Review
Dashlane Review
1Password Review
Best Password Managers

Secure Messaging App Reviews:
Wire Review
Signal Review
Threema Review
Telegram Review
Session Review
Wickr Review

Secure Cloud Storage Reviews
Tresorit Review
MEGA Cloud Review
Sync.com Review
Nextcloud Review
IDrive Review
pCloud Review
SpiderOak Review
NordLocker Review

How To Guides
How to Encrypt Files on Windows
How to Encrypt Email
How to Configure Windows 10 for Privacy
How to use Two-Factor Authentication (2FA)
How to Secure Your Android Device for Privacy
How to Secure Your Home Network
How to Protect Yourself Against Identity Theft
How to Unblock Websites
How to Fix WebRTC Leaks
How to Test Your VPN
How to Hide Your IP Address
How to Create Strong Passwords
How to Really Be Anonymous Online

About RestorePrivacy

Contact

Restore Privacy Checklist

  1. Secure browser: Modified Firefox or Brave
  2. VPN: NordVPN (68% Off Coupon) or Surfshark
  3. Ad blocker: uBlock Origin or AdGuard
  4. Secure email: Mailfence or Tutanota
  5. Secure Messenger: Signal or Threema
  6. Private search engine: MetaGer or Brave
  7. Password manager: NordPass or Bitwarden

About

Restore Privacy is a digital privacy advocacy group committed to helping people stay safe and secure online. You can support this project through donations, purchasing items through our links (we may earn a commission at no extra cost to you), and sharing this information with others. See our mission here.

We’re available for Press and media inquiries here.

Restore Privacy is also on Twitter

COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP