Case Study 14.1: The RockYou Breach — 32 Million Plaintext Passwords and the Birth of a Wordlist

Overview

In December 2009, a SQL injection vulnerability in the website of RockYou, a company that developed widgets and applications for social media platforms like Facebook and MySpace, led to the exposure of approximately 32 million user credentials. What made this breach uniquely significant was not its scale—though 32 million records was enormous for the time—but the fact that RockYou stored every single password in plaintext. No hashing. No encryption. No salting. Just raw passwords sitting in a MySQL database, waiting to be read.

The leaked database became the RockYou wordlist—a file containing 14,344,392 unique passwords that remains, over fifteen years later, the most widely used wordlist in password cracking. It ships by default with Kali Linux and is the first tool every penetration tester reaches for when cracking hashes. The RockYou breach is a case study in catastrophic password storage failure and a permanent monument to what happens when organizations treat password security as an afterthought.

The Company and the Vulnerability

RockYou's Business

RockYou was founded in 2005 in San Francisco. The company created widgets, games, and applications for social media platforms—Facebook slideshows, MySpace page decorations, and similar products. By 2009, RockYou claimed over 100 million active monthly users across its various applications.

To use RockYou's applications, users created accounts with email addresses and passwords. Many users, following the common (and dangerous) practice of password reuse, used the same credentials as their primary email accounts, social media profiles, and other services.

The SQL Injection Attack

The breach was carried out by a hacker using the handle "igigi," who discovered a SQL injection vulnerability in RockYou's website. SQL injection is one of the most basic web application vulnerabilities—it occurs when user input is incorporated directly into SQL queries without proper sanitization.

A simplified illustration of the vulnerability:

// Vulnerable query (PHP pseudocode): user input is concatenated straight into the SQL text
$query = "SELECT * FROM users WHERE username = '" . $user_input . "'";

// Normal input: admin
// Resulting query: SELECT * FROM users WHERE username = 'admin'

// Malicious input: ' OR '1'='1' --
// Resulting query: SELECT * FROM users WHERE username = '' OR '1'='1' --'
// The tautology makes the WHERE clause true for every row, so this returns ALL users

// Data extraction: ' UNION SELECT username, password FROM users --
// This appends a second result set to the first, extracting all usernames and passwords

The attacker used SQL injection to extract the entire user database, including all 32 million email addresses and their associated plaintext passwords.

The Plaintext Storage Catastrophe

When security researchers analyzed the leaked database, they were shocked to discover that passwords were stored in plaintext. This violated even the most basic security practices of the time:

  • No hashing — Passwords were not passed through any hash function
  • No encryption — Passwords were not encrypted in any way
  • No salting — Obviously irrelevant when there is no hashing
  • No access controls — The database was accessible through the web application's SQL injection vulnerability

RockYou's engineering team had made the most fundamental possible mistake in password storage. Even MD5 hashing—considered weak by 2009 standards—would have provided some protection. bcrypt, which was already well-established by 2009, would have made the breach's impact dramatically smaller.

Analysis of the Leaked Passwords

What 32 Million Passwords Revealed About Human Behavior

The RockYou database provided an unprecedented window into how people actually choose passwords. Security researchers analyzed the data extensively, revealing patterns that continue to inform both attacks and defenses:

The Most Common Passwords:

Rank  Password    Count
   1  123456      290,731
   2  12345        79,078
   3  123456789    76,790
   4  password     61,958
   5  iloveyou     51,622
   6  princess     35,231
   7  rockyou      22,588
   8  1234567      21,726
   9  12345678     20,553
  10  abc123       17,542

Nearly 1% of all users chose "123456" as their password. The top 20 passwords accounted for over 800,000 accounts—approximately 2.5% of all users.

Password Length Distribution:

Length      Percentage
1-5 chars    1.4%
6 chars     20.5%
7 chars     17.2%
8 chars     26.8%
9 chars     14.3%
10 chars     8.9%
11+ chars   10.9%

The most common length was 8 characters, suggesting that minimum length requirements (when present) were treated as the target length rather than a floor.

Character Set Usage:

Type                     Percentage
All lowercase            40.0%
All digits               16.7%
Lowercase + digits       28.3%
Mixed case                8.3%
Includes special chars    3.2%
Other combinations        3.5%

Only 3.2% of passwords included special characters, and only 8.3% mixed uppercase and lowercase letters. The vast majority used only lowercase letters and/or digits.

Common Patterns:

  • Names — First names (often the user's own or a loved one's) were extremely common
  • Dates — Birthdays and anniversaries in various formats
  • Keyboard patterns — qwerty, asdf, zxcvbn, and their variants
  • Pop culture — Movie characters, band names, sports teams
  • Simple substitutions — p@ssw0rd, l0v3, s3cur1ty (easily handled by cracking rules)
  • Sequential/repeated — 111111, aaaaaa, 123abc
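An added example, not part of the case study or of the original researchers' tooling: a small Python analyzer that reproduces the three tables above (most common passwords, length distribution, character-set usage) over a constructed sample list. The length buckets and character-set categories mirror the tables, but the exact bucketing rules are an assumption about how the published categories were defined.

```python
from collections import Counter
from typing import Dict, List

# Constructed sample standing in for a leaked plaintext list (not RockYou data).
SAMPLE = [
    "123456", "123456", "123456", "password", "iloveyou", "princess",
    "Qwerty12", "p@ssw0rd", "abc123", "111111", "JENNIFER", "michael1",
    "Summer2009!", "zxcvbn", "12345678", "letmein", "Pa$$", "a",
]

def charset_class(pw: str) -> str:
    """Bucket a password into the categories used in the character-set table."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    if special:
        return "Includes special chars"
    if lower and not upper and not digit:
        return "All lowercase"
    if digit and not lower and not upper:
        return "All digits"
    if lower and digit and not upper:
        return "Lowercase + digits"
    if lower and upper:
        return "Mixed case"
    return "Other combinations"  # e.g. all uppercase, or uppercase + digits

def length_bucket(pw: str) -> str:
    """Same buckets as the length table: 1-5, 6..10 individually, 11+."""
    n = len(pw)
    return "1-5 chars" if n <= 5 else "11+ chars" if n >= 11 else f"{n} chars"

def top_n_share(passwords: List[str], n: int) -> float:
    """Percentage of all accounts covered by the n most common passwords."""
    covered = sum(count for _, count in Counter(passwords).most_common(n))
    return 100.0 * covered / len(passwords)

def analyze(passwords: List[str]) -> Dict[str, object]:
    """Return top passwords plus length and character-set distributions (percent)."""
    total = len(passwords)
    pct = lambda counter: {k: round(100.0 * v / total, 1) for k, v in counter.items()}
    return {
        "total": total,
        "top": Counter(passwords).most_common(3),
        "length": pct(Counter(length_bucket(p) for p in passwords)),
        "charset": pct(Counter(charset_class(p) for p in passwords)),
    }
```

Point the same functions at a real plaintext dump or at a cracked-hash output file to reproduce the audit described under "Relevance to MedSecure".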

The Enduring Impact on Password Cracking

The RockYou wordlist transformed password cracking methodology:

Before RockYou: Password crackers relied on generic dictionaries (English words, names) with manual rule sets. Wordlists were small, academic, and often poorly representative of actual password choices.

After RockYou: Crackers had a statistically validated model of human password behavior. The RockYou wordlist, combined with rule-based mutations, could crack a significant percentage of any password database in hours.

Practical demonstration with Hashcat:

# Using the RockYou wordlist against NTLM hashes
# This single command typically cracks 30-60% of passwords
# in most organizations within minutes to hours
hashcat -m 1000 -a 0 target_hashes.txt /usr/share/wordlists/rockyou.txt

# Adding rules dramatically increases coverage
hashcat -m 1000 -a 0 target_hashes.txt /usr/share/wordlists/rockyou.txt \
  -r /usr/share/hashcat/rules/best64.rule

# This typically pushes cracking rates to 50-80%

Lessons for Password Security

1. Never Store Passwords in Plaintext

This should be obvious, but the lesson bears repeating because plaintext storage continues to appear in breach disclosures. In 2019, Facebook disclosed that hundreds of millions of passwords had been stored in plaintext in internal logs. In 2021, Robinhood disclosed plaintext password storage for a subset of users.

The correct approach: Use a purpose-built key derivation function—Argon2id, bcrypt, or scrypt—with appropriate cost parameters and unique salts per user.

2. SQL Injection Is Still Devastating

The attack vector—SQL injection—was well-understood and easily preventable in 2009. Parameterized queries, input validation, and web application firewalls all defend against it. Yet SQL injection remains in the OWASP Top 10 today.

The correct approach: Use parameterized queries (prepared statements) for all database operations. Implement input validation. Deploy a web application firewall. Conduct regular security assessments.

3. Password Reuse Amplifies Every Breach

Many RockYou users used the same password for their email, social media, banking, and other accounts. The RockYou breach did not just expose RockYou accounts—it exposed credentials that worked on dozens of other services for each affected user.

The correct approach: Educate users about password reuse risks. Deploy enterprise password managers. Implement multi-factor authentication. Monitor for credential exposure in breach databases.

4. Human Password Behavior Is Predictable

The RockYou analysis conclusively demonstrated that humans are predictable password choosers. Even when complexity requirements are imposed, users find the minimal compliant pattern and stick with it. This predictability is what makes password cracking so effective.

The correct approach: Accept that user-chosen passwords will be weak. Compensate with: breach screening (reject known-compromised passwords), multi-factor authentication, and eventually passwordless authentication.
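An added example of the breach screening recommended here (not code from the page): a candidate password is rejected when it is shorter than a minimum length, appears in a local compromised-password list, or is found through a k-anonymity range check of the kind the HaveIBeenPwned Pwned Passwords service offers, where only the first five hex characters of the SHA-1 hash leave the host and the response lists matching suffixes with counts. The remote side is replaced by an offline stand-in built from constructed data, and the local list is a constructed stand-in for a wordlist loaded from disk.

```python
import hashlib
from typing import Callable, Tuple

# Constructed stand-in for a local compromised-password list loaded from disk
# (in practice the RockYou list itself, or a larger breach corpus).
LOCAL_BREACH_LIST = {"123456", "password", "iloveyou", "princess", "rockyou"}

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def count_in_range(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines (the k-anonymity range format) for one suffix."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def screen_password(password: str, range_lookup: Callable[[str], str],
                    min_length: int = 8) -> Tuple[bool, str]:
    """Return (accepted, reason). Only the 5-char hash prefix is sent to range_lookup."""
    if len(password) < min_length:
        return False, "shorter than minimum length"
    if password.lower() in LOCAL_BREACH_LIST:
        return False, "present in local breach list"
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    seen = count_in_range(suffix, range_lookup(prefix))
    if seen:
        return False, f"seen {seen} times in breach corpus"
    return True, "accepted"

# Constructed corpus standing in for the remote service's data (not real counts).
FAKE_REMOTE_CORPUS = {"princess123": 3, "rockyou2009": 5, "Summer2009!": 2}

def fake_range_lookup(prefix: str) -> str:
    """Offline stand-in for a range API call: suffix:count lines for one prefix."""
    lines = ["0123456789ABCDEF0123456789ABCDEF012:1"]  # decoy line; real responses have hundreds
    for pw, count in FAKE_REMOTE_CORPUS.items():
        h = sha1_upper(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)
```

Swapping fake_range_lookup for a function that performs the real HTTPS range request keeps the rest unchanged, and the reason string is what a registration form or password-change audit would log.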

Relevance to MedSecure

For MedSecure Health Systems, the RockYou lessons are directly applicable:

  1. Audit all password storage — Are any MedSecure applications storing passwords in plaintext or with weak hashing? Legacy healthcare applications, custom in-house tools, and vendor systems should all be audited.

  2. Check for credential exposure — Have any MedSecure employees' credentials appeared in known breaches? Services like HaveIBeenPwned can check organizational domains.

  3. Password policy effectiveness — If MedSecure's password policy produces passwords similar to the RockYou distribution (mostly 8 characters, lowercase with digits), a password audit will reveal widespread weakness.

  4. SQL injection testing — RockYou was compromised through one of the most basic web vulnerabilities. MedSecure's web applications, patient portals, and APIs must be tested for injection vulnerabilities.

Discussion Questions

  1. RockYou stored passwords in plaintext in 2009, when secure hashing was well-established best practice. What organizational factors lead to such fundamental security failures?

  2. The RockYou wordlist is now used universally by both attackers and defenders. Has its public availability made the internet more or less secure overall?

  3. Fifteen years after RockYou, password reuse remains rampant. What will it take to change this behavior? Is technology (password managers, MFA) or education the answer?

  4. If you discovered during a MedSecure penetration test that a custom healthcare application stored passwords in plaintext, how would you prioritize and report this finding?

  5. The top 10 RockYou passwords are trivially guessable. Should organizations reject any password that appears in the RockYou list? What are the usability implications?

References

  • Cubrilovic, N. (2009). "RockYou Hack: From Bad to Worse." TechCrunch.
  • Imperva. (2010). "Consumer Password Worst Practices: Analysis of the RockYou Hack."
  • Weir, M., Aggarwal, S., de Medeiros, B., & Glodek, B. (2009). "Password Cracking Using Probabilistic Context-Free Grammars." IEEE Symposium on Security and Privacy.
  • Verizon. (2024). "Data Breach Investigations Report."
  • Hunt, T. (2018). "Have I Been Pwned: Largest Ever Collection of Breached Data Found." troyhunt.com.
  • NIST. (2017). "SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management."