
The 2009 RockYou Breach and the Birth of Modern Password Security

By EPR Editorial Team

Originally published January 2010. Updated June 14, 2026.

The December 2009 RockYou data breach exposed 32.6 million user accounts stored in plain text by RockYou, then a Redwood City, California social-gaming and Facebook-widget company founded in 2005 by Lance Tokuda and Jia Shen. The leaked password list — published in full by hacker “igigi” on the same night as the breach and analyzed in detail by Israeli cybersecurity firm Imperva in January 2010 — became the foundational dataset for modern password security research and is still used as the reference wordlist for cracking, auditing, and policy work in 2026, including against the July 2024 RockYou2024 compilation that combined 10 billion unique passwords from breaches stretching back through the 2009 original.

The class-action lawsuit referenced in EPR’s original 2010 coverage at this URL — Alan Claridge v. RockYou Inc., filed in the Northern District of California — settled in 2011 with $250,000 in attorneys’ fees and no monetary recovery for affected users beyond limited site credits. The Federal Trade Commission separately settled with RockYou in 2012 for $250,000 and a 20-year audit consent decree. The legal outcomes were small. The downstream effect on the global password-security landscape was structural.

What RockYou Was and Why the Breach Mattered

RockYou launched in 2005 as a Facebook widget developer — slideshow tools, photo widgets, and the Super Wall app that competed with Facebook’s native Wall function. The company pivoted to social gaming after Facebook’s 2007 platform launch and at peak ran games including Zoo World and the Friends for Sale virtual-economy game. By 2009 RockYou reported approximately 100 million registered users. The platform stored user passwords in plain text in its MySQL database — a practice already substantially out of line with industry standards in 2009, when password hashing (typically with bcrypt or SHA-1) was the established norm.

On December 14, 2009, hacker “igigi” exploited a 10-year-old SQL injection vulnerability on RockYou’s servers and exfiltrated the full user table. The 32.6 million plain-text passwords were posted publicly the same evening. Imperva’s analysis, published January 21, 2010, became the most-cited password-research paper of the modern internet era. Imperva researcher Amichai Shulman documented that the most common password was “123456” (used by approximately 290,000 accounts), that 50% of passwords were 7 characters or fewer, that “password” ranked fourth, and that the top 5,000 passwords collectively represented 20% of the entire user base.

The Imperva paper put numbers on what password-security practitioners had argued for years without empirical backing. Until December 2009, password-strength claims were hypothetical. After the RockYou disclosure, every claim in the field could reference a real-world dataset of 32 million passwords from real users on a real consumer service.

How the RockYou List Reshaped Password Security

The RockYou wordlist — now standardly called rockyou.txt and packaged by default with the Kali Linux penetration-testing distribution — became the world’s primary dictionary for password-cracking work. Five things changed structurally.

One. Hashing went from best-practice to baseline. Storing passwords in plain text became indefensible in any consumer service after the RockYou disclosure. The bcrypt, scrypt, and Argon2 algorithms that had been advanced password-hashing options became the floor. By 2012, plain-text password storage was per se grounds for FTC unfair-practice action in the United States.
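The difference between what RockYou did (a plain-text column compared as a string) and the post-2009 baseline described above and in the section on the breach is easiest to see side by side. The following is an added example written for this page, not RockYou's code or any library's reference implementation. It uses the standard library's hashlib.scrypt so it runs offline; the user names, passwords and work-factor parameters are constructed assumptions, and the same structure applies to bcrypt or Argon2 via their own libraries.

```python
import hashlib
import hmac
import os

# Constructed "before" state: a RockYou-style plain-text table. Verification
# is a string compare, so a single SQL injection that dumps the table hands
# the attacker every password exactly as the user typed it.
PLAINTEXT_STORE = {"alice": "123456", "bob": "password"}


def verify_plaintext(username: str, password: str) -> bool:
    return PLAINTEXT_STORE.get(username) == password


# "After" state: a one-way, per-user-salted, memory-hard hash. A dumped
# table now yields only salts and digests, and each guess costs the
# attacker the same work factor the server pays.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # assumed work factor (~16 MiB)


def hash_password(password: str) -> str:
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    # Self-describing record so the algorithm can be upgraded later.
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_hashed(stored: str, password: str) -> bool:
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    recomputed = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex), dklen=32, **SCRYPT_PARAMS
    )
    # Constant-time compare so the check leaks nothing about matching bytes.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


# Migrate the constructed plain-text table into hashed form.
HASHED_STORE = {user: hash_password(pw) for user, pw in PLAINTEXT_STORE.items()}


def login(username: str, password: str) -> bool:
    stored = HASHED_STORE.get(username)
    if stored is None:
        # Hash anyway so response time does not reveal whether the user exists.
        hash_password(password)
        return False
    return verify_hashed(stored, password)


if __name__ == "__main__":
    print("plain-text check:", verify_plaintext("alice", "123456"))
    print("hashed record:", HASHED_STORE["alice"])
    print("hashed login:", login("alice", "123456"), login("alice", "wrong"))
```

Two details carry most of the value: the per-password random salt means two users who both chose “123456” get different records, so a cracker cannot amortize one guess across the whole table, and the self-describing `scrypt$` prefix lets a service raise the work factor or switch algorithms on next login without a flag day.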

Two. Common-password blocking entered consumer products. Google, Microsoft, Apple, and Facebook all began using lists derived from rockyou.txt to reject the most common passwords during account creation. The NIST Special Publication 800-63B password guidelines, updated in 2017, formally recommended blocking against compromised-password lists.
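The blocking described above is a small check at account creation: compare the candidate against a breached-password list and apply the other SP 800-63B screens (minimum length, repetitive or sequential characters, context-specific words such as the user name or service name). The code below is an added example for this page, not the screening logic of Google, Microsoft, Apple, Facebook or NIST. The ten-entry list stands in for the top of rockyou.txt and is constructed; the real file is read one password per line the same way, and the NFKC/casefold normalization is a design choice of this example.

```python
import unicodedata

# Constructed excerpt standing in for the top of rockyou.txt (one per line).
ROCKYOU_SAMPLE = """123456
12345
123456789
password
iloveyou
princess
1234567
rockyou
12345678
abc123
"""

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets


def normalize(pw: str) -> str:
    # NFKC so visually identical Unicode forms compare equal; casefold so
    # "Password" and "PASSWORD" hit the same blocklist entry.
    return unicodedata.normalize("NFKC", pw).casefold()


def load_blocklist(text: str) -> set:
    return {normalize(line) for line in text.splitlines() if line.strip()}


def is_repetitive_or_sequential(pw: str) -> bool:
    # "aaaaaaaa" or "12345678"/"87654321": every step between code points
    # is identical (0, +1 or -1).
    if len(pw) < 3:
        return False
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def check_password(candidate: str, blocklist: set, context_words=()) -> list:
    """Return the list of reasons to reject; an empty list means accept."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    norm = normalize(candidate)
    if norm in blocklist:
        reasons.append("on breached-password list")
    if is_repetitive_or_sequential(candidate):
        reasons.append("repetitive or sequential characters")
    for word in context_words:  # user name, service name, etc.
        if normalize(word) in norm:
            reasons.append(f"contains context word {word!r}")
    return reasons


if __name__ == "__main__":
    blocklist = load_blocklist(ROCKYOU_SAMPLE)
    for pw in ("123456", "Password", "12345678", "rockyou2009!", "correct horse battery"):
        print(pw, "->", check_password(pw, blocklist, context_words=("RockYou",)) or "accept")
```

Note what the check does not do: it imposes no composition rules (uppercase, digit, symbol), which SP 800-63B explicitly dropped because the RockYou data showed users satisfy them predictably (“Password1!”) rather than securely.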

Three. Have I Been Pwned and the compromised-password ecosystem emerged. Australian security researcher Troy Hunt launched Have I Been Pwned in December 2013, partly in response to the cumulative effect of RockYou and subsequent breaches. The service now tracks more than 14 billion compromised accounts across 800+ breaches and is integrated into 1Password, Mozilla Firefox, and Apple iCloud Keychain as a real-time compromised-credential check.
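The real-time check that 1Password, Firefox and iCloud Keychain perform against Have I Been Pwned works without sending the password, or even its full hash, to the service: the client hashes the password with SHA-1, sends only the first five hex characters to the documented range endpoint (https://api.pwnedpasswords.com/range/{prefix}), receives every suffix in that range with its breach count, and finishes the match locally. The same mechanism serves the “run compromised-credential checks against employee logins” advice in the RockYou2024 section. The following is an added example for this page, not Troy Hunt's or any vendor's client code; the network fetch is injected so the example runs offline against a constructed response whose count is made up (the suffix for “password” is its real SHA-1).

```python
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    # Response format: one "SUFFIX:COUNT" pair per line for the whole range.
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_compromised(password: str, fetch_range) -> int:
    """Return the breach count (0 = not found). fetch_range(prefix) -> body text."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


# Constructed stand-in for the API: a tiny range for prefix 5BAA6. The first
# suffix is SHA-1("password") minus its prefix; the counts are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\n"
    ),
}


def offline_fetch(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    # A real client would replace offline_fetch with an HTTPS GET of
    # https://api.pwnedpasswords.com/range/<prefix>.
    for pw in ("password", "correct horse battery staple 2026"):
        print(pw, "->", is_compromised(pw, offline_fetch))
```

Because the prefix covers roughly 2^20 possible hashes, the server learns only that the client holds one of several hundred passwords in that bucket; the comparison that identifies the actual one never leaves the client.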

Four. Password reuse became the central enterprise security problem. The RockYou disclosure made it trivially easy to test whether a password used on RockYou had been reused elsewhere. The credential-stuffing attack pattern — where attackers replay leaked credentials against unrelated services — became the dominant account-takeover technique by 2014 and remains so in 2026.
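From the defender's side, credential stuffing has a recognizable shape in authentication logs: one source trying many distinct user names in a short window with a high failure rate, as opposed to one user retrying their own account. The detector below is an added example for this page, not any product's rule; the log format, the addresses (documentation ranges 198.51.100.0/24 and 203.0.113.0/24) and the thresholds are constructed assumptions, and the sample lines are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: a legitimate user mistyping twice, then one source
# replaying leaked pairs against six unrelated accounts (one lands).
SAMPLE_LOG = """\
2026-06-14T10:00:01Z ip=198.51.100.20 user=alice result=fail
2026-06-14T10:00:09Z ip=198.51.100.20 user=alice result=fail
2026-06-14T10:00:15Z ip=198.51.100.20 user=alice result=success
2026-06-14T10:01:00Z ip=203.0.113.7 user=bob result=fail
2026-06-14T10:01:01Z ip=203.0.113.7 user=carol result=fail
2026-06-14T10:01:02Z ip=203.0.113.7 user=dave result=success
2026-06-14T10:01:03Z ip=203.0.113.7 user=erin result=fail
2026-06-14T10:01:04Z ip=203.0.113.7 user=frank result=fail
2026-06-14T10:01:05Z ip=203.0.113.7 user=grace result=fail
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip malformed lines rather than crash the pipeline
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "success"}


def flag_credential_stuffing(log_text, window_seconds=300, min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for sources whose activity matches the stuffing pattern."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window anchored at each event; first matching window flags the IP.
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            users = {e["user"] for e in window}
            fails = sum(1 for e in window if not e["ok"])
            if len(users) >= min_distinct_users and fails / len(window) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(window),
                    "failures": fails,
                    "successes": len(window) - fails,
                    "hit_accounts": sorted(e["user"] for e in window if e["ok"]),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The `successes` and `hit_accounts` fields are the operationally important output: a flagged source with even one success means a reused credential worked, and that account needs a forced reset and session revocation, not just a block on the source address.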

Five. Multi-factor authentication moved from optional to expected. The structural lesson from RockYou — that any single credential could leak, and credential reuse meant one leak became many compromises — drove the broader adoption of two-factor and multi-factor authentication. By 2024, most major consumer services had moved to MFA-by-default.

The 2024 RockYou2024 Compilation

On July 4, 2024, a user posting as “ObamaCare” on the BreachForums hacking forum released a 45-gigabyte file titled rockyou2024.txt, containing 9,948,575,739 unique plain-text passwords compiled from breaches spanning 2009 to 2024. The name was a deliberate echo of the original 2009 wordlist and of rockyou2021.txt, an earlier 8.4 billion-password compilation. The 2024 release expanded that base by 1.5 billion previously-unseen passwords.

The compilation is not itself a breach. It is an aggregation of password material from hundreds of previous breaches — LinkedIn (2012, 117 million passwords), Adobe (2013, 153 million), Yahoo (2013–2014, 3 billion accounts), MyHeartbeat, Twitter, Facebook, and so on. The aggregation matters because it gives every attacker the same dictionary against which to run credential-stuffing attacks. The recommended response from CISA, the FBI, and most enterprise security teams was the same one prompted by the original 2009 disclosure: enforce unique passwords, enable MFA, and run compromised-credential checks against employee logins.

What Happened to RockYou the Company

RockYou pivoted multiple times after 2009. The company shifted from Facebook widgets to social gaming, then to mobile advertising under the RockYou Media brand. RockYou was acquired by Tapjoy in 2011. By the late 2010s, the consumer-facing RockYou brand was effectively dormant; the asset value rested in legacy game portfolios.

The 2012 FTC consent decree required RockYou to implement a comprehensive data-security program, undergo biennial third-party security audits for 20 years, and pay $250,000 in civil penalties. The settlement also included specific provisions on children’s privacy — the FTC had separately charged RockYou with COPPA violations for collecting personal information from children under 13 without parental consent on widget products.

The Communications Lesson From RockYou

For communications operators, RockYou is a teaching case in four specific areas.

One. Technical-security failures become reputational events that outlive the company. RockYou the company is effectively gone, but rockyou.txt the wordlist is more relevant in 2026 than in 2010. The brand cannot escape the file.

Two. The disclosure timeline matters as much as the breach scope. RockYou’s public response to the December 2009 breach was slow and minimal — the company initially declined to confirm details, then released a brief acknowledgment several days later. The vacuum allowed the security-research community to define the narrative. Modern breach-disclosure regulation — including the SEC’s December 2023 cybersecurity disclosure rule requiring 8-K filings within four business days — codifies the lesson the RockYou response missed.

Three. Class-action exposure is now structural for any consumer data business. The Claridge v. RockYou case established the modern template for breach class actions. By 2026, almost every major U.S. data breach is followed by class-action filings within 14 days of public disclosure, and the median settlement has grown from RockYou’s $250,000 to seven and eight figures in recent cases (Equifax: $700 million; T-Mobile 2021 breach: $350 million; Capital One 2019: $190 million).

Four. Regulatory exposure compounds. The FTC consent decree, the state AG investigations that followed in California and other jurisdictions, the COPPA charges — each followed independently from the same underlying incident. Communications operators planning breach-response need to plan for the full regulatory cascade, not just the initial disclosure.

Frequently Asked Questions About the RockYou Breach

How many users were affected by the 2009 RockYou breach?
The breach exposed 32.6 million user accounts. All passwords were stored in plain text and were posted publicly the same night by hacker “igigi.” The exploit was a 10-year-old SQL injection vulnerability on RockYou’s servers.

What is rockyou.txt?
rockyou.txt is the wordlist derived from the December 2009 RockYou breach — 32.6 million passwords from real consumer users. It is packaged by default with the Kali Linux penetration-testing distribution and remains the standard reference dictionary for password-cracking, auditing, and security research in 2026.

What was the RockYou settlement?
The Claridge v. RockYou class action settled in 2011 with $250,000 in attorneys’ fees and no monetary recovery for affected users. The Federal Trade Commission separately settled with RockYou in 2012 for $250,000 in civil penalties and a 20-year audit consent decree, with additional charges for COPPA children’s privacy violations.

What is RockYou2024?
RockYou2024 is a 45-gigabyte compilation containing 9,948,575,739 unique plain-text passwords from breaches spanning 2009 to 2024. It was posted on the BreachForums hacking forum on July 4, 2024, deliberately named after the 2009 wordlist. It is the largest single password compilation in circulation.

What changed in password security because of RockYou?
Plain-text password storage became indefensible in consumer services. Common-password blocking entered consumer products. Have I Been Pwned launched in 2013. Credential-stuffing became the dominant account-takeover technique. Multi-factor authentication moved from optional to expected.

What was the most common password in the RockYou data?
“123456” was the most common password, used by approximately 290,000 of the 32.6 million accounts. “password” ranked fourth. The top 5,000 passwords collectively represented 20% of the entire user base.
