RockYou2021: 8.4 Billion Passwords Leaked


June 8, 2021


A 100GB text file has been leaked on the dark web and it contains 8.4 BILLION passwords.  I’ll say again…ugh.

According to a report by, the passwords included are all between 6-20 characters long with non-ASCII characters and white spaces removed.

We highly recommend you check to see if your password is included on this list. You can use this tool provided by Cybernews or the services offered by Have I Been Pwned. Integris also offers a Dark Web Scan for businesses emails which you can sign up for, free of charge.

Otherwise, here are 7 things you can do to protect yourself moving forward:

  1. See if Your Email Has Been Leaked – As mentioned above, there are a few ways for you to do this. If you’re looking at doing this for your own, personal email account I’d recommend a site like Have I Been Pwned. You just go on there, type in your email address and it’ll show you where your email has been exposed. If you’re looking for a professional level scan I’d recommend you sign-up for our FREE dark web scan. That’ll show you what emails were compromised, where they were compromised, whether or not the password was compromised along with the email address. Honestly, you never know what you’re going to find when you run something like this, it can be an eye-opening experience, to say the least.
  2. Start Changing those Passwords –  73% of online accounts are protected by duplicate passwords. 47% of people have been using the same password for 5 years or more. If you’re like most folk, you’ve probably used the same password multiple times and for years. The longer you use a password and the more instances of use, the more likely it is to be compromised. Most web browsers will show you if you’re using the same password for multiple accounts.
  3. Use Complex Passwords – The National Institute of Standards and Technology (NIST) recommends you use a minimum of at least 8 characters (and a maximum of 64). Obviously, we don’t recommend you use all 64 characters (you’ll never remember them), but we do recommend using something above the minimum. 10 or 12 characters should do the trick. Passwords can (and should) include any and all printing characters (ASCII) or Unicode characters so there are plenty of combinations available for you to choose from but that leads us to our next point… 
  4. Use a Password Manager – Each and every password should be unique. That much is true. But if you’re anything like me and you’re logging into multiple sites and services every day there’s no way you’re remembering each and every unique password. That’s where a Password Manager comes in. If you’re not familiar with the concept, it’s pretty straight forward: a password manager manages your passwords. A good password manager helps you both generate secure passwords and access them when you need them. It’s much easier to remember one unique, strong password that grants you access to your password manager than it is 10, 50 or 100 for each site or service you use. You can even lock most with a Yubi key, allowing for added biometric security. We’re personally really big fans of LastPass, which you can find more information about here.
  5. Cut Back on the Site and Services You Use – If you’re anything like me and sometimes try out services without really thinking of the ramifications, you should probably take a minute or two to stop and think about what you’re doing before you click submit on that sign-up form.
  6. Use a Burner Email – If you really must have the latest and greatest toy (or software/service) on the market but you’re cautious of dolling out valuable PII, create a burner account via a free service like Gmail. Make it specific to the service and don’t give out your real name when filling out the profile. Since you’re not really volunteering any PII you’re probably safe using a burner password as well, something that’s easy to remember and you don’t care if gets stolen. Just make sure you’re not protecting something important with the same one.
  7. Ask for Approval Before Using your Work Email – Anytime you use a work email address to sign up for a site/service think about who you might be compromising beyond yourself. There’s a good chance the email you’re using doesn’t really belong to you. It belongs to the company you’re working for, and as a result, impacts your employer directly if you get hacked or phished because of leaked credentials. If you’re looking to try something new ask somebody above you if the service/site is right for your company before you sign up. Like I said above, stop and think before you sign up for something. If it’s not going to benefit your employer or improve your workflow don’t use your company email address when signing up for it. Also, think before you sign up for a site/service with your company email address that’s TOTALLY unrelated or inappropriate to use your work email address for.

Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.

Carl Keyser is a Digital Marketing Specialist at Integris.

Keep reading

How the Best IT Companies in Minnesota Support the Hybrid Workforce

How the Best IT Companies in Minnesota Support the Hybrid Workforce

After the initial shutdowns and stay-at-home orders lifted following COVID-19, workers throughout the United States and Minnesota decided that the work-from-home model was here to stay. It makes sense -- working from home offers a lot of convenience to your team – and...

Do I Need To Improve My Endpoint Protection?

Do I Need To Improve My Endpoint Protection?

A compromised endpoint gives hackers everything they need to get a foothold in your security network. Once there, they can steal data and potentially hold it for ransom. That’s why it’s so important for business owners to secure their critical endpoints (including...

Multi-Factor Authentication

Multi-Factor Authentication

Granting access to information is a necessity, as is security for both the user needing access and for the information for which access is being granted. The best way to handle this is by establishing user accounts for users. This does several things at once: Allows...