RockYou: 32 Million Plaintext Passwords Teach the World About Password Storage

A SQL injection attack against social game developer RockYou exposed 32 million user passwords stored in a MySQL database in plaintext — no hashing, no encryption. The dump became the most important password dictionary in security research history.

RockYou · 2009 · 2 min read

Background

RockYou was a social game company that operated applications on Facebook and MySpace. In 2009 it had approximately 32 million registered users. Its database was poorly secured: an outdated MySQL installation vulnerable to SQL injection, with passwords stored in plaintext.

The Attack

A single SQL injection vulnerability in RockYou's website gave an attacker access to the MySQL database. The attacker extracted the entire user table containing usernames (email addresses) and passwords in plaintext — no hashing, no salting, no encryption. The dump was posted to hacker forums. Analysis revealed the most common passwords: "123456," "12345," "123456789," "password," "iloveyou" appearing hundreds of thousands of times.

Response

RockYou notified its users and reset passwords. The company faced class action lawsuits and an FTC investigation. The raw password dump was published widely and has been used in security research ever since. It became the seed for the rockyou.txt wordlist, still a standard tool in password auditing.

Outcome

The rockyou.txt wordlist derived from this breach became the most widely used password cracking dictionary in history, used in every subsequent credential attack. The breach directly demonstrated that the most common passwords were absurdly weak and that plaintext storage was a catastrophic failure. It influenced every subsequent discussion of password policy.

Key Takeaways

  1. Passwords must never be stored in plaintext — always use a purpose-built password hashing function
  2. Password policy must prohibit common passwords — rockyou.txt is in every attacker's toolkit
  3. SQL injection remains one of the most prevalent web vulnerabilities — parameterised queries are mandatory
  4. A single breach's password data can be weaponised against other services for years via credential stuffing
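The first three takeaways shown together as an added example, not code from the article or from RockYou: a registration path in the 2009 style beside a hardened one, using only Python's standard library. The deny list is a constructed sample of the common passwords named above, and the PBKDF2 work factor is an assumed value.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed deny list: the most common RockYou passwords named in the article.
# A real deployment would load the full rockyou.txt or a larger breach corpus.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou"}
# Assumed work factor; PBKDF2 is used because it ships with the stdlib
# (scrypt or Argon2id are preferable where available).
PBKDF2_ITERATIONS = 600_000

def is_allowed(password: str) -> bool:  # deny-list check
    return password.strip().lower() not in COMMON_PASSWORDS

def hash_password(password: str) -> str:
    """Salted, slow hash encoded as 'pbkdf2_sha256$<iters>$<salt-hex>$<hash-hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison; a record not in the expected format never verifies."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(parts[2]), int(parts[1]))
    return hmac.compare_digest(digest.hex(), parts[3])

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)")
    return conn

def register_rockyou_style(conn, email, password):
    """The 2009 pattern: SQL assembled by string formatting, plaintext password on disk."""
    conn.execute(f"INSERT INTO users VALUES ('{email}', '{password}')")

def register(conn, email, password):
    """Hardened form: deny-list check, purpose-built hash, bound parameters."""
    if not is_allowed(password):
        raise ValueError("password is too common")
    conn.execute("INSERT INTO users VALUES (?, ?)", (email, hash_password(password)))

def stored_password(conn, email):
    row = conn.execute("SELECT password FROM users WHERE email = ?", (email,)).fetchone()
    return row[0] if row else None

def login(conn, email, password) -> bool:
    stored = stored_password(conn, email)
    return stored is not None and verify_password(password, stored)
```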
Tags: plaintext passwords, SQL injection, rockyou.txt, password policy, credential dump