Tag Archive for Data leak

Massive Data Leak Exposes 10 Billion Unencrypted Passwords

On July 4, 2024, a record-setting data leak occurred. “Cybernews” reports that nearly 10 billion unique passwords were posted to the dark web. The staggering 9,948,575,739 unique passwords are a mix of old and new data breaches. Listed in a hacker forum as rockyou2024.txt, these passwords were in plaintext. ‘Plaintext’ means that these passwords are not encrypted – they are actual passwords, released in a text file.

According to the hacker, the new release is based on RockYou2021’s 8.4 billion records from 2021. Specifically, the hacker updated the older file with 1.5 billion passwords obtained between 2021 and 2024. “Cybernews” explains that the RockYou2021 compilation was an expansion of a 2009 data leak which included tens of millions of user passwords for social media accounts.

The hacker posted, “I updated rockyou21 with collected new data from recent leaked databases in various forums over this and last years.” Estimates suggest that the RockYou2024 file contains entries from 4,000 large databases of stolen credentials, spanning at least 20 years.

Data leak can target any system

Importantly, this data leak can target any system. The author believes that attackers can utilize the ten-billion-strong RockYou2024 compilation to target any system that isn’t protected against brute-force attacks. This includes everything from online and offline services to internet-facing cameras and industrial hardware.

“Cybernews” describes the RockYou2024 data leak file as “a mix of old and new data breaches,” indicating it may not be a new breach of 10 billion passwords. Nonetheless, compiling all these passwords into one massive, searchable database, they warn, “substantially heightens the risk of credential stuffing attacks.”

Data breach enables attacks

Credential stuffing occurs when hackers use automated scripts to try various combinations of stolen usernames and passwords from different data breaches to hijack people’s accounts. For instance, someone might use a password obtained from the AT&T breach to see if you use the same password for your bank account.
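On the defender's side, the pattern described above is visible in login logs: one source failing against many different accounts with few tries each, unlike brute force, which hammers a single account. The following is an added example, not part of the original post; the log format, thresholds, and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
MIN_USERS = 5                  # assumed: distinct accounts failed from one source
MIN_FAILS = 5                  # assumed: failures against a single account

# Constructed sample log lines: timestamp, source IP, username, result
SAMPLE = [
    "2024-07-05T10:00:01 203.0.113.7 alice FAIL",
    "2024-07-05T10:00:02 203.0.113.7 bob FAIL",
    "2024-07-05T10:00:03 203.0.113.7 carol OK",
    "2024-07-05T10:00:04 203.0.113.7 dan FAIL",
    "2024-07-05T10:00:05 203.0.113.7 erin FAIL",
    "2024-07-05T10:00:06 203.0.113.7 frank FAIL",
    "2024-07-05T10:02:00 192.0.2.44 grace FAIL",
    "2024-07-05T10:02:20 192.0.2.44 grace OK",
] + [f"2024-07-05T10:01:{s:02d} 198.51.100.9 admin FAIL" for s in range(0, 50, 10)]

def parse(lines):
    rows = []
    for line in lines:
        if line.strip():
            ts, ip, user, result = line.split()
            rows.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(rows)

def detect(lines):
    """Map each source IP that crosses a threshold to its alert labels."""
    recent = defaultdict(deque)   # ip -> failed (timestamp, user) within WINDOW
    alerts = defaultdict(set)
    for ts, ip, user, result in parse(lines):
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > WINDOW:
            q.popleft()
        per_user = defaultdict(int)
        for _, u in q:
            per_user[u] += 1
        if len(per_user) >= MIN_USERS:            # many accounts, few tries each
            alerts[ip].add("credential_stuffing")
        if max(per_user.values()) >= MIN_FAILS:   # many guesses at one account
            alerts[ip].add("brute_force")
    return dict(alerts)

def accounts_to_reset(lines):
    """Accounts that logged in successfully from a source flagged for stuffing."""
    flagged = {ip for ip, a in detect(lines).items() if "credential_stuffing" in a}
    return sorted({u for _, ip, u, r in parse(lines) if ip in flagged and r == "OK"})

if __name__ == "__main__":
    print(detect(SAMPLE), accounts_to_reset(SAMPLE))
```

A successful login from a flagged source (here, the constructed account `carol`) is the case that matters most: it suggests a reused password worked, so that account is a candidate for a forced reset.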

To check if your passwords are compromised, visit these websites:

RB-

The RockYou2024 data leak list is new, so at the time of this writing, it’s unclear if any private data has been compromised as a direct result of this compilation. Anyone using online services should assume their passwords could be on this list.

In the meantime, don’t freak out about RockYou2024. Experts recommend:

  1. Continue your activities while adhering to password best practices, such as regularly changing passwords.
  2. Set up a password manager.
  3. Enable MFA wherever possible.

Ralph Bach has been in IT for a while and has blogged from the Bach Seat about IT, careers, and anything else that has caught my attention since 2005. You can follow me on Facebook. Email the Bach Seat here.

Your Smart TV is Spying On You

Many people will find a smart TV under their tree this year. Smart TVs are like regular televisions but with an internet connection. The global smart TVs market is expected to reach 249.9M units by 2024. And all those smart TVs may be spying on you. A while ago I wrote about Vizio (VZIO) getting caught invading your privacy by collecting and selling your personal data. Despite the fact that Vizio had to pay a $2.2M fine, smart TV manufacturers continue to spy on their customers.

ZDNet reports that smart TVs send user data to tech titans including Facebook (FB), Google (GOOG), and Netflix. These devices are spying on you even when they are idle. U.S. and UK researchers say smart television sets produced by popular vendors including Samsung (005930), Apple (AAPL), and LG (LGLD), alongside content and app streaming devices such as Amazon (AMZN) FireTV and Roku, are sending out information potentially without the knowledge or consent of users.

Smart TVs sharing users' personal data

In a paper titled “Information Exposure From Consumer IoT Devices” (PDF), the team said that 34,586 controlled experiments found that 88% of devices send information to firms other than the device manufacturer; 56% of U.S. devices and 83.8% of UK devices send your info overseas. They also report that every device they studied exposed some kind of information in plaintext.

The researchers from Northeastern University and Imperial College London found that user and device behavior could be “reliably inferred” for 37% of devices by eavesdropping on the user’s interactions with television sets and other household IoT products.

The study found that almost half of the tested devices contacted Amazon. That includes devices not manufactured by Amazon. David Choffnes, one of the authors of the paper, warns that Amazon has a lot of information about what you are doing in your home.

According to the paper, location data and IP addresses were commonly sent by our IoT devices to third parties in the cloud, including Netflix, Spotify, Microsoft (MSFT), Akamai (AKAM), and Google.

When it came to smart TVs, however, almost all of the devices included in the study would contact Netflix — whether or not a TV was configured with an account for the content streaming service. “This, at the very least, exposes information to Netflix about the model of [a] TV at a given location,” the paper reads.

Some of the tech titans collecting your data responded to the researchers.

  • Facebook said that it was “common” for services with Facebook integrated into them to send data to third-party services.
  • Netflix said that data transfers were “confined to how Netflix performs and appears on screen,” and
  • Google said user preferences and consent levels dictate how publishers “may share data with Google’s that’s similar to data used for ads in apps or on the web.”

Internet-connected smart TVs combined with streaming services like Netflix and Hulu seem to be a cord-cutter’s dream. But like anything else that connects to the internet, smart TVs are exposed to security vulnerabilities and hackers. As is the case with most other internet-connected devices, manufacturers often don’t make security a priority. Not only that, many smart TVs come with a camera and a microphone that attackers can access.

FBI warning

Because manufacturers don’t make security a priority, the FBI issued a warning about the risks that smart TVs pose. The FBI warned that hackers can take control of your unsecured smart TV and, in the worst cases, take control of the camera and microphone to watch and listen in.

… TV manufacturers and app developers may be listening and watching you, that television can also be a gateway for hackers to come into your home … your unsecured TV can give him or her an easy way in the backdoor through your router.

TechCrunch notes that some of the biggest attacks targeting smart TVs were developed by the CIA, but were stolen. The files were later published online by WikiLeaks.

rb-

If you are interested in inspecting the IoT network traffic in your smart home, Princeton University has developed and released an open source tool called IoT Inspector. The software uses ARP spoofing to analyze what IoT devices are connected to the Internet, how much data is exchanged, and how often information is traded.
