Hacking into an account doesn't always require deep expertise in exploiting vulnerabilities. Sometimes it's as simple as taking leaked information and trying it elsewhere on the internet. That's why the release of massive password collections is dangerous, and why alarms are now sounding over a dump of nearly 10 billion passwords.
First spotted on a forum on July 4, RockYou2024 is a compilation of 9.94 billion leaked passwords. The massive password dump includes entries from the collection, data from newer breaches and leaks, and passwords cracked by the person who posted it. RockYou2021 was released with 8.4 billion password entries, including millions tied to social media sites. For comparison, the Mother of All Breaches contained 26 billion records of personal data, which included information beyond passwords.
You can read up on the full details of RockYou2024 in , but this discovery's biggest takeaway is that everyone should shore up their account security right away. If you haven't changed your passwords for compromised accounts (especially after the big Ticketmaster breach in late May), or if you reuse passwords, you could become an easy victim of credential stuffing, in which someone tries your leaked login details across the web and sees which accounts they can get into.
To better protect yourself, take these steps:
- Use a unique, random, and strong password for each account. Long character strings that can't be easily guessed are the way to go: think along the lines of pastaturnfriendlyamalgamation20 rather than gu3$$this.
- Set up a password manager. Good passwords can be hard to remember, especially when you have many of them. A password manager keeps your whole collection for you and simplifies entering longer, complex passwords into login forms. Dedicated password managers are more flexible and have more features, but the ones bundled with an antivirus suite, or even the built-in password managers from Apple, Google, and Microsoft, are helpful. (Just be sure to separately memorize your email password.)
- Add two-factor authentication to your accounts where available. It gives you another layer of protection against credential stuffing: because attackers can't pass that second security check, they can't log in as you even with a leaked password. These days, one-time passcodes generated by an app best balance simplicity and security, but you can also use hardware dongles as a stronger option.
- Upgrade to passkeys. Two-factor authentication improves password security, but it isn't foolproof, since some 2FA methods are vulnerable to phishing attacks. You can sidestep this issue by using passkeys to log into an account instead. By design, passkeys are inherently unique to each site, don't require you to memorize anything, and can't be phished. If a hacker steals a website's customer login data, that data can't be used to get into that site or any other.
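Credential stuffing, the attack described above, also leaves a recognizable trace on the site operator's side: one source cycling through many different accounts with mostly failed logins. As an added example that is not part of the original article, this Python script flags that pattern in constructed (not real) login log lines; the log format, the thresholds, and the IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not real data). 203.0.113.9 tries six
# different accounts in a few seconds and mostly fails, which is what replaying
# a leaked password list looks like; 198.51.100.4 is one user mistyping once.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z ip=203.0.113.9 user=alice result=FAIL
2024-07-05T10:00:02Z ip=203.0.113.9 user=bob result=FAIL
2024-07-05T10:00:02Z ip=203.0.113.9 user=carol result=SUCCESS
2024-07-05T10:00:03Z ip=203.0.113.9 user=dave result=FAIL
2024-07-05T10:00:03Z ip=203.0.113.9 user=erin result=FAIL
2024-07-05T10:00:04Z ip=203.0.113.9 user=frank result=FAIL
2024-07-05T10:01:10Z ip=198.51.100.4 user=alice result=FAIL
2024-07-05T10:01:15Z ip=198.51.100.4 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)")


def parse(log):
    """Yield (ip, user, result) for every line that matches the assumed format."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def flag_stuffing(log, min_accounts=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_accounts, fail_ratio, accounts_that_succeeded)} for
    sources that try many distinct usernames with mostly failed attempts.
    A single user fumbling one password touches one account, so it is not flagged."""
    attempts = defaultdict(list)
    for ip, user, result in parse(log):
        attempts[ip].append((user, result))
    flagged = {}
    for ip, rows in attempts.items():
        users = {u for u, _ in rows}
        fails = sum(1 for _, r in rows if r == "FAIL")
        ratio = fails / len(rows)
        if len(users) >= min_accounts and ratio >= min_fail_ratio:
            # Accounts where a reused, leaked password worked: reset these first.
            hits = sorted(u for u, r in rows if r == "SUCCESS")
            flagged[ip] = (len(users), round(ratio, 2), hits)
    return flagged


if __name__ == "__main__":
    for ip, (n, ratio, hits) in flag_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {n} accounts tried, fail ratio {ratio}, reused credentials worked for {hits}")
```

Accounts listed as successes from a flagged source are the ones whose owners reused a leaked password; those are the accounts to lock and reset first.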
I personally recommend switching to passkeys whenever possible; they require far less thought and effort than passwords. All you need is a good backup for your passkeys, in case you lose the phone or PC where they're stored. The good news is that many major password managers now let you store passkeys, too.