
My phone scared me into changing my passwords

Eric Zeman

I was watching TV recently when an alert popped up on my phone. The alert told me that several of my passwords had been compromised in a recent security breach and suggested that I change them immediately. Having seen similar warnings in the past, I was tempted to shrug it off. This time, however, something piqued my interest and I decided to click on the notification.

Wow, am I glad I did.


RockYou2021: Your passwords are compromised

Jimmy Westenberg / Android Authority

At the beginning of June, news broke of a new password leak that is perhaps the largest of all time. A user on a popular hacking forum posted a 100GB .txt file with an estimated 8.4 billion passwords. The list is believed to be a combination of older leaks. This new leak far surpasses the previous largest, which contained around three billion passwords. The new leak is called RockYou2021, apparently a tribute to the 2009 data breach of the same name.

How bad is it? Bad. Really bad.

Those attempting to break into others’ online accounts need only combine the list with usernames and email addresses to conduct password dictionary and password spraying attacks, according to CyberNews.


“With most people reusing their passwords across apps and websites, the number of accounts affected by credential stuffing and password spraying attacks in the wake of this leak can reach potentially millions, if not billions,” wrote CyberNews.

Look at me rocked

The timing of the push notification on my personal phone (an iPhone) coincided with the news of RockYou2021. I asked Apple about the notification and whether the two were connected. In response, Apple said in an email that iOS 14’s password monitoring feature is working as intended. Read whatever you want into it.

According to its public documentation, Apple’s password monitoring “compares passwords stored in the user’s Password AutoFill keychain with a constantly updated and curated list of passwords known to have been exposed in leaks”. For users who have enabled this feature, password monitoring continually looks for matches between the passwords you use and those that have leaked online, and notifies you if there is a problem.

I had a problem.

I’ve been using complex passwords for years, but like many others, I’m sometimes guilty of reusing them across accounts. After the alert, the iPhone’s password manager drew my attention to its security recommendations. When I checked what they were, no fewer than 20 of my passwords had “appeared in a data breach,” placing the accounts at a “high risk of compromise.” Apple’s password manager recommended that I change the passwords immediately.


Fortunately, many of the leaked passwords were old or out of date, but they were correct, and it is worrying that they were so easily found online. Apple’s password manager also flags which passwords are reused and should be updated.
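As an added illustration (not Apple's implementation and not code from the original article), the comparison and reuse flagging described above can be sketched as a local, offline audit of a password vault against a leaked-password list. The function names, sites, passwords and leak lines are constructed for the example.

```python
import io
from collections import defaultdict

def audit_vault(vault, leak_stream):
    """Map each site to {"breached": bool, "reused_with": [other sites]}.

    vault       -- (site, password) pairs, as a password manager stores them
    leak_stream -- binary file-like object, one leaked password per line
    """
    sites_by_pw = defaultdict(list)
    for site, password in vault:
        sites_by_pw[password.encode("utf-8")].append(site)

    # Stream the list: a 100GB file will not fit in memory, the vault index
    # will. Comparing raw bytes means a line that is not valid UTF-8 simply
    # fails to match instead of raising a decode error.
    leaked = set()
    for raw in leak_stream:
        candidate = raw.rstrip(b"\r\n")
        if candidate in sites_by_pw:
            leaked.add(candidate)

    report = {}
    for pw, sites in sites_by_pw.items():
        for site in sites:
            others = sorted(s for s in sites if s != site)
            report[site] = {"breached": pw in leaked, "reused_with": others}
    return report

def fix_order(report):
    """Sites needing a change: breached and reused first, then breached, then reused."""
    def rank(site):
        f = report[site]
        return (not (f["breached"] and f["reused_with"]), not f["breached"], site)
    flagged = [s for s, f in report.items() if f["breached"] or f["reused_with"]]
    return sorted(flagged, key=rank)

# Constructed sample data (hypothetical sites and passwords).
SAMPLE_VAULT = [
    ("mail.example", "hunter2"), ("shop.example", "hunter2"),
    ("bank.example", "Tr0ub4dor&3"), ("forum.example", "zq-unique-9f2!"),
    ("news.example", "same-but-safe"), ("blog.example", "same-but-safe"),
]
SAMPLE_LEAK = b"123456\nTr0ub4dor&3\n\xff\xfenot-utf8\nhunter2\r\n"

if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT, io.BytesIO(SAMPLE_LEAK))
    for site in fix_order(report):
        print(site, report[site])
```

A breached password that is also reused ranks first because one leaked entry exposes every account that shares it.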

Watch out

Apple, of course, is not the only platform providing these alerts. Google’s Chrome browser has been pestering me on my desktop lately to update at least a dozen passwords, and I’ve been just as lax about it. Chrome also shows you which passwords have been breached and which are reused or weak. It also sends mobile alerts, though I haven’t received one yet, even after this most recent breach. The Edge browser on Windows computers does the same thing. Apple’s mobile warning was a little more in my face, and since it involved semi-new passwords and accounts, I took it seriously and acted immediately.

Regardless of which app sends the notification, these tools are there for a reason and in this case they worked as intended. Pay attention. If your browser or phone prompts you to update your password, it is best to take action before hackers take action against you.

And in case you’re interested, you can check here to see if your passwords were leaked in RockYou2021.
