Security News Is this legit? Password leak news

Acadia

Level 2
Thread author
Sep 25, 2020
61

SpiderWeb

Level 13
Verified
Top Poster
Well-known
Aug 21, 2020
608
Anyone signed up to any service online should assume that a password that they use is on this list. Cybersecurity researchers recommend that users update their passwords and enable multi-factor authentication wherever possible.
Wonderful...
 

SpiderWeb

Level 13
Verified
Top Poster
Well-known
Aug 21, 2020
608
I read more about this. Interesting notes. So this password data file has been around since 2021. It's just passwords. They are not linked to anything, not accounts, not websites, not numbers. Just passwords. So it's kinda useless. It might help the NSA or something very sophisticated to narrow down how many passwords to try in a brute force attack, or some researcher who wants to study trends in passwords. But, as long as you use a unique password for every single service it is going to be a nightmare for anybody to break into your accounts because they are just plain passwords. Not salts, no rules, no bells or whistles on how the passwords get encrypted.
 

Acadia

Level 2
Thread author
Sep 25, 2020
61
I read more about this. Interesting notes. So this password data file has been around since 2021. It's just passwords. They are not linked to anything, not accounts, not websites, not numbers. Just passwords. So it's kinda useless. It might help the NSA or something very sophisticated to narrow down how many passwords to try in a brute force attack, or some researcher who wants to study trends in passwords. But, as long as you use a unique password for every single service it is going to be a nightmare for anybody to break into your accounts because they are just plain passwords. Not salts, no rules, no bells or whistles on how the passwords get encrypted.
Thanks for that.
Acadia
 

jackuars

Level 28
Verified
Top Poster
Well-known
Jul 2, 2014
1,715
This isn't new. There was Rockyou2021 before that. If you want to download the file, it's available here:
rockyou2021.txt: A Short Summary & Torrent Download | tweedge's blog.

It's around 12GB to download and 90GB+ when uncompressed.

By the way it's nothing to be paranoid about, unless you use the same password across all websites.

"
rockyou2021.txt is not: a breach, a list of breached passwords, anything substantively new, or a sufficient reason to change your passwords (on its own).

rockyou2021.txt is: a wordlist which includes mostly English-language words, possible passwords, and known breached passwords. All of which was known & publicly available prior to this point. It can be sometimes useful as a wordlist for password cracking, though!

You should: take this time to identify news sources which used fearmongering to draw readers in on this subject instead of facts, and unfavorite/unsubscribe from/block those sources."
 

blackice

Level 39
Verified
Top Poster
Well-known
Apr 1, 2019
2,867
I read more about this. Interesting notes. So this password data file has been around since 2021. It's just passwords. They are not linked to anything, not accounts, not websites, not numbers. Just passwords. So it's kinda useless. It might help the NSA or something very sophisticated to narrow down how many passwords to try in a brute force attack, or some researcher who wants to study trends in passwords. But, as long as you use a unique password for every single service it is going to be a nightmare for anybody to break into your accounts because they are just plain passwords. Not salts, no rules, no bells or whistles on how the passwords get encrypted.
Yeah it’s mostly used for credential stuffing attacks, which is how most people lose accounts. Shared passwords between multiple services.
 

bazang

Level 6
Jul 3, 2024
298
By the way it's nothing to be paranoid about, unless you use the same password across all websites.
Of course, but the average digital device user does not know that, and the online media world knows this and they exploit it for click- and rage-bait-generated traffic.

Clicks Matter
#clicksmatter

Yeah it’s mostly used for credential stuffing attacks, which is how most people lose accounts. Shared passwords between multiple services.
People's ignorance makes the online media a lot of click-generated revenue. Just look at why this thread was created - because OP did not know if it was real and then other paranoia-driven posts were made. A few were already hooked into the implied narrative that user passwords are as good as exposed, easily obtainable plaintext.

The easiest thing in the world is to exploit a person's and/or people's ignorance. It has been highly effective since before recorded history.
 

Acadia

Level 2
Thread author
Sep 25, 2020
61
People's ignorance makes the online media a lot of click-generated revenue. Just look at why this thread was created - because OP did not know if it was real and then other paranoia-driven posts were made. A few were already hooked into the implied narrative that user passwords are as good as exposed, easily obtainable plaintext.

The easiest thing in the world is to exploit a person's and/or people's ignorance. It has been highly effective since before recorded history.
That's why we, well I anyway, come to MalwareTips, to get rid of my ignorance and learn.
Acadia
 
