Published June 11, 2021 in our Security Fraud News & Alerts newsletter.
Has your world been rocked lately? Even if you say it hasn’t, it probably has, because of a recent data breach that released 8.4 billion unique passwords, along with email addresses and usernames. Yes, folks. That’s more than the number of people inhabiting Earth and twice the number of people estimated to use the Internet. So the odds are that your world has indeed been rocked by this largest data breach ever, which is being called RockYou2021.
The first thing you should do is visit a website that lets you know if your email address was included in any data breach, this one or otherwise. Two come to mind: Have I Been Pwned and the CyberNews personal data checker. Just enter your email address or addresses. If one of them has been included, you might have to make some difficult decisions.
You see, since this breach is likely a compilation of other data leaks, we don’t really know which passwords and usernames were included. Likely, there are many. Best practice is to change every one of your online account passwords. Jim Stickley of Stickley on Security says, “Yes, this is a big ask and if you aren’t willing to do this, there are some other ways to lower your risks, such as making sure your two-factor authentication is enabled. However, if your 2FA code for any account goes to your email address that was leaked, you should definitely change the password for that email account now.”
As a general rule, if any two-factor or multi-factor authentication (2FA or MFA) method is offered for your accounts, take advantage of it. Often you will get a one-time passcode sent by text. There are also hardware fobs that generate random one-time numbers, keys that are inserted into the computer that authenticate to particular sites, and there are passcode generator apps.
Remember, when changing your passwords, to ensure they are strong. That means at least eight characters, including upper- and lower-case letters, one or more numbers and a special character; make sure they are not easy to guess, are not dictionary words, and don’t include personal information such as your birthdate. In addition, be sure that your login information is unique for each online account.
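To make these rules concrete, here is an added example (not part of the newsletter) that checks a password against the checklist above and flags passwords reused across accounts; the word list, personal details and account names are constructed sample data, not real ones.

```python
import re

# Constructed sample "dictionary" of common words (a real check would use a much larger list).
COMMON_WORDS = {"password", "welcome", "sunshine", "rockyou", "letmein"}


def password_problems(pw, personal_info=(), dictionary=COMMON_WORDS):
    """Return the rules from the checklist that `pw` fails (empty list means it passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    lowered = pw.lower()
    # Strip digits and symbols so "Password1!" is still recognised as the word "password".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in dictionary or letters_only in dictionary:
        problems.append("dictionary word")
    # Personal info (name, birth year, ...) must not appear anywhere in the password.
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal info ({item})")
    return problems


def reused_passwords(account_passwords):
    """Map each password used for more than one account to the accounts that share it."""
    seen = {}
    for account, pw in account_passwords.items():
        seen.setdefault(pw, []).append(account)
    return {pw: accounts for pw, accounts in seen.items() if len(accounts) > 1}


if __name__ == "__main__":
    # Constructed sample accounts: two of them share the same password.
    accounts = {"email": "Tr0ub4dor&3", "bank": "Tr0ub4dor&3", "shop": "xK9!mPq2wz"}
    for name, pw in accounts.items():
        print(name, password_problems(pw, personal_info=["Alex", "1985"]) or "ok")
    print("reused:", reused_passwords(accounts))
```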
What is particularly worrisome about this leak is that it’s not clear which databases were combined to create this monster collection. In any case, always be on the lookout for phishing email messages, and don’t click links or open attachments that come from unknown senders or that you are not expecting to receive. It’s likely these email addresses will be used for spam or even spear-phishing attacks, where the messages are specific enough to make you think they are legitimate.
If you’re curious how this got its name, it appears to be some sort of tribute to a previous breach back in 2009 called rockyou2021.txt. That one released 32 million passwords. This one also blows the previous record holder out of the water: that collection was called Compilation Of Many Breaches (COMB) and involved a measly 3.2 billion passwords.