The "largest password collection of all-time" was leaked onto the internet this week, but some experts are downplaying its significance, saying nothing in it is actually new.
Dubbed 'RockYou2021', the 100-gigabyte text file appeared on the hacker forum RaidForums earlier this week. Its name is a reference to a 2009 data breach of the social app RockYou, in which 32 million user account names and passwords were leaked online - then one of the biggest ever.
The RockYou2021 document contains 8.4 billion entries, CyberNews reported, making it more than twice as big as the previous password leak - February's 'Compilation of Many Breaches' (COMB), which had 3.2 billion passwords and matching email addresses.
The new leak includes the passwords from COMB, plus billions of others - some known to have been leaked before, but never all in the one place.
"Considering the fact that only about 4.7 billion people are online, numbers-wise the RockYou2021 compilation potentially includes the passwords of the entire global online population almost two times over," CyberNews reported, including a tool to check if yours are included.
But headlines screaming for people to change their passwords immediately are overblown, according to blogger Chris Partridge, an online security expert who works for Amazon.
In a blog post, he called RockYou2021 a "compilation of dictionaries, breached words, and probable passwords" which also includes "books from Project Gutenberg" and "words appearing in Wikipedia", as well as lists of words hackers use in brute-force attacks, where volume is key.
Partridge singled out Yahoo for doing a "shit job" by telling readers they "probably need to change your passwords. Today, even."
Australian web security expert Troy Hunt, the creator of password-checking site Have I Been Pwned?, said most of RockYou2021's contents "have never been passwords".
"Just do the maths: about 4.7B people use the internet. They reuse passwords like crazy not just across the services each individual uses, but different people use the same passwords," he tweeted.
"Then, only a small portion of all the services out there have been breached. … This list is about 14 times larger than what's in Pwned Passwords because the vast, vast majority of it isn't passwords. Word lists used for cracking passwords, sure, but not real-world passwords."
He said most of it wouldn't be going into the Have I Been Pwned? database.
"Tempted to add a 1 to the end of each 'password', join it back to the original list and ship it to the media as 16.8B passwords."