Posted on 06/09/2021 6:47:55 AM PDT by ken in texas
Shortly before Apple CEO Tim Cook took the virtual stage at the iPhone maker’s Apple Park headquarters campus for WWDC 2021 on Monday — at which the company unveiled a ton of new software updates, including some major new privacy enhancements — an email landed in my inbox underscoring how critical those privacy features are going to be once they roll out with iOS 15. Basically, there’s been another huge data leak, this time exposing several billion passwords in what just might be the biggest dump of passwords online ever.
This news comes via the team at CyberNews, which reports that a 100GB text file containing a staggering 8.4 billion password entries was just leaked on a popular hacker forum. This data set presumably combines passwords stolen via previous data breaches and leaks, and it’s been dubbed the “RockYou2020” password leak on that hacker forum. That name was apparently chosen, per CyberNews, as a nod to the RockYou data breach from back in 2009, “when threat actors hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text.”
--- end excerpt ---
(Excerpt) Read more at bgr.com ...
Spoof the email address, doesn’t matter. The token gets formed using hashed information that identifies your machine (there are various unique parts to every computer), so even within your own house a token you make on one machine couldn’t be transferred to another. Log in to the same place that uses tokens on both, and they will both need and use their own token. It’s probably possible to find a way to spoof those unique things into the token, but it’s hard, and again it’s only good for an hour, then the token expires.
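The comment above (and the later reply about hashing the machine identifier and burying it in the token with random characters) describes a device-bound, short-lived token. The block below is an added illustration of that design, not code from any poster or from any real vendor's scheme: it hashes a set of machine attributes so the raw identifiers never appear in the token, adds a random nonce and a one-hour expiry, and signs the result with an HMAC so a client cannot edit the payload. The signing key, the field names, and the sample device attributes are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed server-side signing key for this example only.
SERVER_KEY = b"example-server-signing-key-not-for-production"
TOKEN_LIFETIME_SECONDS = 3600  # one hour, matching the lifetime described in the thread

# Constructed machine attributes; a real implementation would read stable hardware/OS identifiers.
LAPTOP = {"cpu_id": "CONSTRUCTED-CPU-0001", "disk_serial": "CONSTRUCTED-DISK-A", "os_install_id": "111"}
DESKTOP = {"cpu_id": "CONSTRUCTED-CPU-0002", "disk_serial": "CONSTRUCTED-DISK-B", "os_install_id": "222"}


def device_fingerprint(attributes):
    """Hash the machine attributes so the token carries a digest, not the raw identifiers."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def issue_token(user, attributes, now=None):
    """Build body.signature where body binds user, device hash, random nonce and expiry."""
    now = time.time() if now is None else now
    payload = {
        "sub": user,
        "dev": device_fingerprint(attributes),
        "nonce": _b64(os.urandom(16)),  # the random heart of the token
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_SECONDS,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, attributes, now=None):
    """Return (ok, reason). Checks signature first, then expiry, then device binding."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if now >= payload["exp"]:
        return False, "expired"
    if not hmac.compare_digest(payload["dev"], device_fingerprint(attributes)):
        return False, "device mismatch"
    return True, "ok"


if __name__ == "__main__":
    t0 = time.time()
    tok = issue_token("alice", LAPTOP, now=t0)
    print(verify_token(tok, LAPTOP, now=t0 + 10))        # (True, 'ok')
    print(verify_token(tok, DESKTOP, now=t0 + 10))       # (False, 'device mismatch')
    print(verify_token(tok, LAPTOP, now=t0 + 3601))      # (False, 'expired')
```

The order of checks matters: the signature is verified before the payload is parsed, so a tampered or malformed body never reaches the JSON decoder, and `hmac.compare_digest` is used for both the signature and the device hash to avoid timing side channels.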
There are a lot of options out in the wild, and with cookies becoming true bêtes noires, most platforms are switching to some type of proper tokenization to allow for persistence. Microsoft’s PRT (Primary Refresh Token) shows promise, but every tokenization scheme has its pros and cons.
That is an excellent suggestion.
I use: 123Password456
Good to know!
Yes, REXX was a boon. I used it to automate entire design data manufacture and release processes at IBM, reducing design data assembly, packaging and delivery to hours or minutes, instead of days or weeks.
The intelligent and intuitive OS/2 desktop is another part I expect not to be equaled in my lifetime. (The Workplace shell)
Those icons seemed self aware and spooky smart at the time…. ;-)
~Easy
Help me out here.
What has an email or email password got to do with passwords on other accounts?
“Help me out here. What has an email or email password got to do with passwords on other accounts?”
Well, since email is commonly used to set up and verify credentials for other accounts, once your email is compromised, they can be as well.
Thanks.
Is this limited to Apple operating system?
My password’s as safe as can be: “1 2 3 4 5”.
It has NOTHING to do with Apple or Apple users. The gratuitous mention of Cook and Apple is bullsh*t pseudo-journalism to spice it up.
This leak is a huge list of ONLY passwords. No emails, no usernames
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thank you for the clarification.
However, I’m wondering if this leak is just a huge list of ONLY passwords, how would a hacker be able to merge them with user names and/or email addresses?
Thank you!
I have a password that is 100% unbreakable.
BidenHarrisTellTheTruthIn2021
Zero chance that could ever be guessed.
Yeah. And MS is heavily embracing oauth. What I work on integrates with MS a lot. So I’ve been beating my head against the oauth wall frequently as they roll to another app and another and another. Biggest problem being that they’re MS and they just have to do things a little different than the standard. “We want to put your tenantId that doesn’t exist in oauth into your issuer URL, why, we’re MS, just do it.”
“information that identifies your machine”
I’ve heard that each individual cpu chip has a unique identification that can be accessed and then obviously put into an outgoing message. The outgoing message could be spoofed too.
An outgoing message could be spoofed to anything desired.
Don’t know whether this is a weakness of the token scheme.
The ultimate hack would be someone standing beside the person with access ability threatening him if he doesn’t open the door.
That’s why they don’t put it out directly. Hash it, bury it in the token with a bunch of other stuff including the random characters that are the heart of tokens.
They wouldn't be able to do that.
The value of a list of passwords is to feed into a "brute-force" program that tries a bazillion passwords one at a time until it finds one that works.
A list like this narrows down the number of possible combinations a LOT and saves the crackers a lot of time, compared to trying every possible combination of characters and lengths.
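The defensive counterpart of the point above is to refuse any new password that already appears in a leaked list, so a guessing program fed such a list gains nothing. The block below is an added example, not code from any poster or from the article: it indexes a small constructed list of leaked passwords by SHA-1 and checks candidate passwords against it. The index is keyed by the first five hex characters of the hash, the same layout that range-query breach-lookup services use, so only that prefix would ever need to leave the client; here the index is built locally and the service is not contacted. The sample passwords and the 12-character minimum are constructed for the example.

```python
import hashlib

# Constructed stand-in for a leaked wordlist; the real file in the article has billions of entries.
CONSTRUCTED_LEAKED_PASSWORDS = [
    "123456", "password", "qwerty", "iloveyou", "letmein",
    "12345678", "abc123", "123Password456",
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format range-query breach services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Map 5-char hash prefix -> set of 35-char suffixes (k-anonymity bucket layout)."""
    index = {}
    for pw in passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_compromised(password, index):
    """True if the password's full SHA-1 is in the bucket for its prefix.
    Only the prefix would be sent to a remote service; the comparison stays local."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def check_new_password(password, index, min_length=12):
    """Registration-time policy: return a list of problems (empty list means accept)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if is_compromised(password, index):
        problems.append("appears in a leaked password list")
    return problems


if __name__ == "__main__":
    idx = build_breach_index(CONSTRUCTED_LEAKED_PASSWORDS)
    for candidate in ["123456", "123Password456", "correct horse battery staple"]:
        print(candidate, "->", check_new_password(candidate, idx) or "ok")
```

Rejecting breached passwords at registration and password-change time, combined with rate limiting and lockout on the login endpoint, is what turns a leaked list of this size from a shortcut for the attacker into noise.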
> you can search by email and find matches
What I read says that there are no email addresses in this list. What do you mean "search by email", if there are no email addresses to search by?