I was watching television recently when a mobile alert popped up on my phone. The alert told me that several of my passwords had been compromised in a recent security breach and suggested that I change them right away. Having seen similar alerts in the past, I was tempted to brush it off. Something piqued my interest this time, however, and I decided to click on the notification.
Wow, am I glad I did.
RockYou2021: Your passwords are compromised
In early June, news broke of a new password leak in what may be the largest of all time. A user on a popular hacker forum posted a 100GB .txt file with an estimated 8.4 billion passwords therein. The list is believed to be a combined set of older leaks. This new leak easily surpasses the previous largest, which contained some three billion passwords. The new leak has been called RockYou2021, seemingly in homage to the 2009 data breach of the same name.
How bad is it? Bad. Really bad.
Those seeking to break into others’ online accounts need only combine the leaked passwords with usernames and email addresses to engage in password dictionary and password spraying attacks, according to CyberNews.
“Since most people reuse their passwords across multiple apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can potentially reach millions, if not billions,” wrote CyberNews.
Consider me rocked
The timing of the push notification on my personal phone (an iPhone) coincided with the news of RockYou2021. I queried Apple about the notification and whether the two were connected. In response, Apple said in an email that it appears iOS 14’s password monitoring feature was working as intended. Read into that what you will.
According to its public documentation, Apple’s password monitoring, “matches passwords stored in the user’s Password AutoFill keychain against a continuously updated and curated list of passwords known to have been exposed in leaks.” If users have this functionality switched on, password monitor will always be seeking matches between the passwords you use and those that are leaked online and alert you when there’s a problem.
I had a problem.
I’ve used complex passwords for years, but like many, I am sometimes guilty of reusing them across accounts. Following the mobile alert, the iPhone’s password manager alerted me to security recommendations. When I checked to see what they were, no fewer than 20 of my passwords had “appeared in a data leak,” which put the accounts at “high risk of compromise.” Apple’s password manager recommended I change the passwords right away.
Thankfully, many of the leaked passwords were old or outdated, but they were accurate, and it is worrying that they were found so readily online. Apple’s password manager also signals which passwords are being reused and should be updated.
Apple isn’t the only platform that provides these alerts, of course. Google’s Chrome browser has been bugging me lately on my desktop to update at least a dozen passwords and I’ve been just as lax about it. Chrome also shows you which passwords have been breached and which ones are reused or are weak. It pushes mobile alerts, as well, though I have yet to receive one — including after this recent breach. The Edge browser on Windows machines does the same thing. The mobile alert from Apple was a bit more in my face, and since it included semi-recent passwords and accounts I took it seriously and acted right away.
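The two checks described above (a stored password matching a curated leak corpus, and the same password reused across accounts) can be illustrated with a small audit routine. This is an added example, not Apple’s, Google’s or Microsoft’s code; the vault contents and the leak corpus are constructed, and representing the corpus as SHA-1 digests is an assumption of the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault: account -> password (not real credentials).
VAULT = {
    "mail.example": "Tr0ub4dor&3",
    "shop.example": "Tr0ub4dor&3",            # same password as mail.example
    "bank.example": "correct horse battery staple",
    "forum.example": "rockyou2009",
}

def sha1_hex(password: str) -> str:
    """Digest used to compare against the leak corpus (assumed format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a curated list of exposed passwords, stored as
# digests so the audit never has to hold the leaked plaintexts themselves.
LEAKED_HASHES = {sha1_hex(p) for p in ("rockyou2009", "Tr0ub4dor&3", "123456")}

def audit_vault(vault: dict, leaked_hashes: set) -> dict:
    """Return {account: set(flags)} with flags 'leaked' and/or 'reused'.

    Accounts with no finding are omitted, mirroring a password manager
    that only surfaces entries needing action.
    """
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)

    findings = {}
    for account, password in vault.items():
        flags = set()
        if sha1_hex(password) in leaked_hashes:
            flags.add("leaked")          # appeared in a data leak
        if len(accounts_by_password[password]) > 1:
            flags.add("reused")          # shared with another account
        if flags:
            findings[account] = flags
    return findings

if __name__ == "__main__":
    for account, flags in sorted(audit_vault(VAULT, LEAKED_HASHES).items()):
        print(f"{account}: {', '.join(sorted(flags))} -> change this password")
```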
Whichever app sends the notification, these tools are in place for a reason and, in this case, worked as intended. Pay attention. When your browser or phone tells you to update your password, it’s best to take action before hackers take action against you.
And in case you’re interested, you can check to see if your passwords were leaked in the RockYou2021 breach here.