Was Your Password Just Revealed in a Massive Data Breach?
On July 4, 2024, a hacker known as "ObamaCare" released a compilation of nearly 10 billion plaintext passwords on a popular hacking forum. This leak, dubbed "RockYou2024," is an updated and more extensive version of the infamous "RockYou2021" leak, adding approximately 1.5 billion more passwords to the already vast database. This massive repository significantly increases the risk of brute-force attacks on various online accounts. Should you be worried? Here's what you need to do...
What is the RockYou2024 Breach?
A message posted by the hacker said "Xmas came early this year. I present you a new rockyou2024 password list with over 9.9 billion passwords! I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years. Also cracked some old ones with my new 4090. This contains actual new real passwords from users.”
The newly released RockYou2024 compilation includes passwords from the RockYou2021 password dump, which in turn contained leaked passwords from the earlier “Compilation of Many Breaches” and other sources. So it's little consolation that “only” 1.5 billion new items were added to the latest trove of compromised accounts and passwords.
The 9,948,575,739 leaked plaintext passwords shared on a hacking forum are stored in a text file sized 351GB when uncompressed, and are readily available for download, which highlights the scale and accessibility of the data. The significance of this leak lies in its potential to facilitate “credential stuffing attacks” where cybercriminals use automated tools to try various combinations of usernames and passwords on multiple platforms, exploiting weak and reused passwords to gain unauthorized access.
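Credential stuffing has a recognizable shape from the service's side: one source address tries many different usernames in a short window, which is unlike a user mistyping their own password. The detector below is an added example written for this article (it is not code from the author or from any named tool), run over a few constructed login-log lines; the log format, IP addresses and account names are all made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one login attempt per line.
# 203.0.113.7 sprays seven different accounts in six seconds and gets one hit;
# 198.51.100.9 is a single user who fails twice and then logs in normally.
SAMPLE_LOG = """\
2024-07-05T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2024-07-05T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2024-07-05T10:00:02Z ip=203.0.113.7 user=carol@example.com result=fail
2024-07-05T10:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2024-07-05T10:00:04Z ip=203.0.113.7 user=erin@example.com result=success
2024-07-05T10:00:05Z ip=203.0.113.7 user=frank@example.com result=fail
2024-07-05T10:00:06Z ip=203.0.113.7 user=grace@example.com result=fail
2024-07-05T10:01:00Z ip=198.51.100.9 user=alice@example.com result=fail
2024-07-05T10:01:30Z ip=198.51.100.9 user=alice@example.com result=fail
2024-07-05T10:02:00Z ip=198.51.100.9 user=alice@example.com result=success
"""

# Hypothetical log format: "<timestamp> ip=<addr> user=<name> result=fail|success"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(fail|success)$")


def parse_line(line):
    """Return (timestamp, ip, user, result) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that attempt at least `min_accounts` *distinct* usernames
    within `window`. Returns {ip: {"distinct_users": n, "compromised": [users]}}
    where "compromised" lists accounts the same IP logged into successfully
    during that window (those are the reused/leaked passwords to reset first).
    A single account failing repeatedly is brute force, not stuffing, and is
    deliberately not flagged by this rule."""
    by_ip = defaultdict(list)
    for event in (parse_line(l) for l in log_text.splitlines()):
        if event:
            ts, ip, user, result = event
            by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        # Sliding window anchored at each event in turn.
        for i, (start, _, _) in enumerate(events):
            users, successes = set(), set()
            for ts, user, result in events[i:]:
                if ts - start > window:
                    break
                users.add(user)
                if result == "success":
                    successes.add(user)
            if len(users) >= min_accounts:
                alerts[ip] = {"distinct_users": len(users),
                              "compromised": sorted(successes)}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"successful logins: {info['compromised']}")
```

The thresholds (five accounts in five minutes) are illustrative; in practice they are tuned per service, and attackers spread attempts across many addresses, so production detections also correlate by user-agent, ASN and failure rate rather than by a single IP.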
Should You Be Worried About RockYou2024?
That all depends on your approach to password hygiene. This type of attack poses a serious threat to users who are reusing passwords across different accounts or using simple, easily guessable passwords. With almost 10 billion passwords available, the likelihood of matching compromised credentials with active accounts is extremely high, making it easier for hackers to penetrate accounts and systems.
To mitigate the potential risks associated with this leak, I advise you to take several precautionary measures:
Reset Passwords: It's crucial to create strong, unique passwords for each account (email, social media, online banking, etc.). If you have employed weak passwords such as “abc123” or other easily-guessed strings, change these passwords immediately. If you have reused the same password across different accounts, update those as well.
Enable Two-Factor Authentication (2FA): As I mentioned in my article [DIGITAL LOCKDOWN] Authenticator Apps Protect Your Accounts, turning on 2FA adds an extra layer of security by requiring a second form of verification in addition to the password, making it harder for attackers to gain access even if they have the password.
Use a Password Manager: Password managers such as 1Password, RoboForm, and Dashlane can generate and store complex passwords for you, then enter them automatically when you need to login. This reduces the need to remember multiple passwords and eliminates the risk of password reuse.
Monitor Your Digital Identity: Regularly check if personal information has been compromised using tools and services that alert users to potential breaches. This can help in taking timely actions to secure accounts.
See my article Free Credit Reports Online to find out how you can get FOUR free credit reports yearly, and make sure there are no surprises there. Next, see Freeze Your Credit Files (all SIX of them) to learn how to lock down your credit files and prevent hackers from opening new accounts in your name.
Have I Been Pwned is a free tool where you can enter your email address and it will tell you if any of your online accounts have been compromised. (The term "pwned" is geekspeak for "owned," or "defeated.") HIBP is the creation of a well-respected security expert, Troy Hunt, and is safe to use. You can read the privacy policy to see how the site handles your email address.
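Besides the email search described above, Have I Been Pwned also exposes its "Pwned Passwords" corpus through a k-anonymity range API: you send only the first five hex characters of the SHA-1 hash of a password, receive every hash suffix sharing that prefix, and compare locally, so the password itself never leaves your machine. The code below is an added example for this article, not the site's own code and not part of the original post; it generates a strong random password with Python's `secrets` module and checks a candidate against a constructed, offline copy of a range response. The sample response text and its counts are made up for the demonstration; `fetch_range` performs the live lookup against the real `api.pwnedpasswords.com/range/` endpoint and is only called when no offline text is supplied.

```python
import hashlib
import secrets
import string
import urllib.request

# Constructed sample of a range response for prefix 5BAA6 (made up for this
# example; the real service returns hundreds of lines). Each line is
# "<35-char hash suffix>:<number of times seen in breaches>".
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def strong_password(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Generate a random password from a cryptographically secure source.
    20 characters from a 94-symbol alphabet is roughly 131 bits of entropy."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Return how many times the hash appeared in breaches, or 0 if absent.
    Padded responses include suffixes with count 0, which also mean 'absent'."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (network access; not exercised offline). Only the prefix is
    transmitted; Add-Padding asks the service to hide the true result size."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_text=None):
    """Check a password against the corpus. Pass `range_text` to run offline."""
    prefix, suffix = sha1_prefix_suffix(password)
    if range_text is None:
        range_text = fetch_range(prefix)
    return count_in_range_response(suffix, range_text)


if __name__ == "__main__":
    # "password" hashes to 5BAA61E4...; the constructed sample lists its suffix.
    print("password seen:", breach_count("password", SAMPLE_RANGE_5BAA6))
    candidate = strong_password()
    print("new random password seen:", breach_count(candidate, SAMPLE_RANGE_5BAA6))
```

A non-zero count means the password is in the same corpus attackers feed into credential-stuffing tools and should be replaced everywhere it was used; password managers such as those named above perform this same range check automatically for stored entries.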
MalwareBytes offers Digital Footprint Scan, a similar service that will tell you if any sensitive information pertaining to your online accounts, phone number, birth date, mailing address, or social security number is vulnerable.
My article Have You Made These Identity Theft Mistakes? has ten tips to help you avoid identity theft.
The "RockYou2024" leak serves as an important reminder of the importance of robust cybersecurity practices. By prioritizing some easily implemented security measures, you can protect your digital identity and sensitive information. Using strong password policies, steering clear of password reuse, and adopting multi-factor authentication are essential steps in safeguarding against data breaches.
Do you have other tips for thwarting hackers or avoiding identity theft? Post your comment or question below...
This article was posted by Bob Rankin on 9 Jul 2024
Article information: AskBobRankin -- Was Your Password Just Revealed in a Massive Data Breach? (Posted: 9 Jul 2024)
Source: https://askbobrankin.com/was_your_password_just_revealed_in_a_massive_data_breach.html
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Was Your Password Just Revealed in a Massive Data Breach?"
Posted by:
DaveW
09 Jul 2024
The often recommended step to reset all your passwords is simply impractical. It's far better to use strong passwords in the first place and do not re-use them! I generate a long random password, with special symbols where possible, for each and every one of my logins. Works great (until the quantum computer overlords start hacking passwords anyway)!
Posted by:
hifi5000
09 Jul 2024
My question about all this is where and what accounts are affected. The story just says billions of passwords are being sold. It didn't say what organization or company the passwords came from. Nor were any user ids mentioned.
Are they e-mail accounts or department store accounts? Were they grabbed from the federal government? How old are these passwords? A lot of questions about this hack.
Posted by:
Walter
09 Jul 2024
So let's say that you go to the "Have I been pwned" site and enter your email, and it lists a few incidents that are somehow related to your email address. Those incidents are dated. So, if you have changed your passwords since then, is it reasonable to assume that those listed leaks pose no threats?
Since your email address is very often your "login name" for many on-line accounts, it isn't unreasonable to have dozens and dozens of distinct passwords for all of those accounts, all of which have your email as the login name. But the Pwned web site doesn't tell you which specific web site(s) where your email address was found. So, you have to change all of your dozens of passwords, because you don't know which site/account the leak was from?
Posted by:
horqua
09 Jul 2024
I use a PWD manager and I have over 100 PWDS. In some cases, 2FA works great. In other cases, such as Xfinity, it takes hours for the 2FA code to ever reach me, if ever. There has got to be a better way to determine if our PWDs were shared and which ones and by whom. Why is this so difficult?
Posted by:
Walter
09 Jul 2024
These data-breach incident announcements are, I suppose, good to hear. But they sometimes come across as a warning something like, "Attention! Someone _may_ have made a copy of _one_ of the keys to your house, so immediately change all of the locks on your house! And just to be safe, keep changing all of the locks on your house every few months!". Sure, changing passwords doesn't involve spending actual money to buy new hardware locks, but it can be a pretty time-consuming exercise. If you use a password manager, and you go through the effort of constructing unique, long, random or pass-phrase-style passwords, you'd _hope_ that practice would give you some protection.
But, I guess if data breaches expose your information in plain text, that's hard to protect against. :-(
Posted by:
Lisa Vandenberghe
10 Jul 2024
It found 3 breaches. But if I already unsubscribed from them, am I still at risk? And I do not use the same password with new sites. Does that make a difference?
Posted by:
Ian
10 Jul 2024
I checked my wife's email address (a paid address with a reputable, secure provider) and found the password had been leaked - only it is not the correct password.
Also I doubt that the supposed leaked password was ever used, it consisted of only nine characters. We would never have used a password that short, not even many years ago. Confusing!
Posted by:
Frances
20 Aug 2024
The trouble with 2FA is that I don't have a cellphone. I do have a landline and my bank will use it for 2FA but that's impractical for other situations. I've asked that e-mail be used but e-mail's "not secure". But that makes no sense. Send the e-mail with the code, the code will be used immediately and then expire long before there is enough time for anyone to take advantage.
And why don't I have a cellphone? Because I don't need one. I'm pretty old, don't go out on my own because my daughter takes me everywhere and find cellphones difficult to use because I also don't hear well.