June 9: No, there’s no evidence a hack called RockYou2021 exposed 8.4 billion passwords

This week the world saw the return of a depressing routine: new breathless headlines about another data breach

Also depressingly unsurprising? The claim of “8.4 billion leaked passwords” spread like wildfire among particularly shameless blogs and even a couple tabloids and majors; the hack was “jaw-dropping” according to The Express, and “the mother of all password leaks” according to Yahoo! News.

The least surprising part? The evidence is about as strong as the password 1234.

Here’s the deal: a source for a lot of the claims about RockYou2021 echoing around the scaremongering fringe of mainstream media seem to come from a single website called CyberNews based in Lithuania. The site has a generally professional appearance, but the content isn’t terribly deep or academic, and it discloses clearly that it receives “affiliate commissions” from clicked links on the site, though plugs are subtler than some sites I’ve seen.

(Photo credit: cybernews.com)

Me, I generally trust experts like Troy Hunt over sites like CyberNews. He’s a cybersecurity lecturer, founder of a browser analytics service and creator of a password-checking website everyone should bookmark called haveibeenpwnd.com. He says the hysteria about RockYou2021 is just another example of shoddy tech reporting in the age of peak news: “It’s like people don’t read stories before sharing them,” he said on Twitter.

“[I’m] still really surprised this has made headlines and been shared to the extent it has,” he continued. “[I’m] tempted to add a 1 to the end of each ‘password,’ join it back to the original list and ship it to the media as 16.8 [billion] passwords!”

I’m tempted too, because Hunt and others say RockYou2021 (to the extent that it‘s real) is almost certainly just an aggregated password crack list — a haphazard compilation of the big password leaks floating around on the internet. This isn’t new — some, like the original rockyou.txt, have notorious reputations more than a decade old.

It’s possible this “leak” was named hoping for a drop of some of the original rockyou’s notoriety. But “unlike the original 2009 RockYou data breach and consequent word list… [RockYou2021]’s not a list of real world passwords compromised in data breaches, it’s just a list of words and the vast majority have never been passwords… among other things, it contains ‘every word in the Wikipedia databases’ and words from the Project Gutenberg free ebook collection.”

An ad for purported Yahoo passwords on a dark web marketplace — an example of how leaks from a breach can circulate and recirculate. (Photo credit: Gigazine)

For their part, our pals at CyberNews are hard at work “currently uploading the password entries from the RockYou2021 compilation,” and urge you to check their leaked password checker daily for updates. Is the situation really that dire? “Not by a long shot,” says Hunt.

“Just do the maths: about 4.7 [billion] people use the internet. They reuse passwords like crazy not just across the services each individual uses, but different people use the same password.” Breaches are real, and make big headlines when they happen, but “only a small portion of all the services out there have been breached.”

Hunt urges us to keep in mind how far web security has come; even just ten years ago it wasn’t nearly as standard to salt and hash passwords. These days a few thousand rounds of PBKDF2 is practically liberal. The pool of possibly exposed usable passwords has dried up, Hunt says, because “the increasing prevalence of stronger password hashing algorithms in data breaches make it harder to extract plain text passwords for use in lists like this.” To put it bluntly: there probably aren’t 8.4 billion passwords in total, “let alone breached, cracked and in a single list.” That cutting-edge CyberNews password checker? It’s probably no different from haveibeenpwnd.com — or zillions of other password checkers just a Google search away. A good coding bootcamp grad could slap one together in an afternoon.

Password crackers are nearly as old as the internet, and they’re not as sophisticated as many seem to think. Changes in routine security have left crackers like Brutus, pictured above, obsolete. (Photo credit: Darknet.org.uk)

I won’t draw conclusions about intentions over at CyberNews — legally, I mean. I won’t say, for example, that CyberNews is shamelessly and cynically taking advantage of a cyber-illiterate public and the ethical bankruptcy of modern journalism. Nor will I say they’re doing it by stirring up baseless panic and fear to attract clicks, or maybe to direct business to a cybersecurity firm staffed entirely by Lithuanian basketball players. But I will share my personal takeaway from this debacle:

  • Ethical reporting standards go out the window in tech journalism, even at “reputable” publishers or broadcasters
  • A person or entity claiming “cybersecurity expertise” may be trying to sell you something you don’t need
  • Proper password hygiene and basic cybersecurity best practices are a lot more effective than running frantically to a password checker whenever a “data breach” is revealed
  • CyberNews is definitely staffed entirely by Lithuanian basketball players

Oh geez, Josh Frank decided to go to Flatiron? He must be insane…