A social networking site called Rockyou.Com was hacked a few months ago, and someone was thoughtful enough to tell them about it in December. After some dithering, they announced it to their user community.
Unfortunately, they were trying to do site aggregation stuff - using other site login credentials to link that site to theirs. All very Web 2.0. All very dangerous, especially since passwords were stored in plaintext.
Thus, the attackers collected 32 million user login credentials: ids, passwords, e-mail addresses. This was courtesy of a cross-site scripting vulnerability.
John, a former colleague, sent me a note about a security group named Imperva that analyzed the list of passwords.
The actual report is poorly drafted - you can't tell how much of the database they really analyzed, or how they chose a set to analyze. However, it seems that they analyzed a sampling of the passwords and compiled a list of the 5,000 most common ones, which they didn't share. They did share a list of the 20 most common: the most common word was "Password" while "princess" and "Nicole" were the most common names.