Huge databases containing millions, if not billions, of online account passwords circulate on the Dark Web. Online services let you check whether you are affected.
In February 2021, a gigantic database compiling about 3 billion passwords stolen over several years was uncovered. Called COMB (for Compilation of Many Breaches), it included, among others, credentials for Netflix and LinkedIn accounts, but also for Gmail and Hotmail accounts.
At the beginning of June, a new leaked database was disseminated on hacker forums on the Dark Web, as CyberNews specialists reported. And it is the biggest password compilation ever made so far. In a 100 GB text file, there are 8.4 billion passwords gathered by hackers. Called RockYou2021 – after a first leak of passwords collected in a file named RockYou and detected in 2009 – this file contains passwords of 6 to 20 characters, without non-ASCII characters and without spaces. A record!
The surprising amount of data it contains is due to two factors. On the one hand, it embeds the previous databases supplemented with newly stolen data. On the other hand, it accumulates a large number of passwords (not associated with an identifier) from several dictionaries. These passwords are used in brute-force attacks. This method consists of using software that relies on a dictionary of passwords to attempt to access an account by trying them one after the other until the right password is found.
According to CyberNews experts, there are approximately 4.7 billion Internet users in the world, which means that virtually no user would be spared by this new database intended for hackers. Worrisome, especially since passwords are rarely unique and are reused on more than one occasion. It is therefore urgent to check whether your email addresses or your passwords are in the RockYou2021 file. If this is the case, you will need to quickly update the accounts concerned in order to change their password.
Finally, to generate strong passwords and keep them safe, you can always rely on a password manager. There are several tools for this, such as Dashlane, LastPass, 1Password, NordPass or Bitwarden. To install and use the free KeePass tool, for example, follow the advice in our practical sheet KeePass: a free tool to manage passwords.
The RockYou2021 file contains more than 8 billion usernames and passwords. There are two ways to check whether your details are in it.
With the CyberNews engine
- Cybercrime experts from the CyberNews site provide an online tool to check whether your email address(es) are part of the file circulating among hackers. Go to the CyberNews page devoted to this check. Enter your email address and validate with a click on Check Now. You can also enter a mobile number in international format (with the prefix +33 for France, for example +33612345678).
- If a message is displayed in green, the email address or phone number entered is not in the list. If it is displayed in red, the data entered is in the list. Unfortunately, no other information is given: it is impossible to know which account attached to this address is concerned.
With the Have I Been Pwned? engine
In service for a long time, the Have I Been Pwned? site – whose name could be translated as “has my password been hacked?” – lets you check whether an online account has been compromised by entering the associated email address.
- In the search field displayed on the home page, enter your email address or a telephone number in international format (for a French number, type +33 followed by your mobile number without the initial zero), then click on the pwned? button. After an extremely quick analysis, the verdict is displayed.
- If the message Good news – no pwnage found! is displayed on a green background, your address or number has not been disclosed. All is well! If the message Oh no – pwned! is displayed on a red background, your email address is one of the items disclosed. Unfortunately, no other information is given: it is impossible to know which account attached to this address is concerned.
Both CyberNews and Have I Been Pwned? offer a password verification tool. You can safely type in the password(s) you use every day: neither service has any way of knowing what they are.
With the CyberNews engine
- Go to the CyberNews page dedicated to password verification. Enter one of your passwords and click on Check Now. If a message is displayed in green, all is well: your password is not in the list. If a message is displayed in red, your password is listed. All you have to do is update the account(s) it is associated with.
With the Have I Been Pwned? engine
- Go to the Have I Been Pwned? page dedicated to password verification. Enter one of your passwords and click on pwned? If a message is displayed in green, all is well: your password is not in the list. If a message is displayed in red, your password is listed. All you have to do is update the account(s) it is associated with.
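The two points made above (that a leaked dictionary lets an attacker test candidate passwords one after the other, and that a checking service can tell you whether your password is in such a list without ever learning the password) rest on the same mechanism: comparing a hash of the password against a corpus. The script below is an added example written for this article, not code from CyberNews or Have I Been Pwned?. It reimplements the k-anonymity scheme that the Have I Been Pwned? Pwned Passwords range API uses: only the first five hex characters of the SHA-1 hash leave your machine, the service returns every suffix sharing that prefix, and the match is made locally. The corpus, its counts and the filler line are constructed test data, and the `online_range_lookup` function (which needs network access) is provided only so the same logic can be run against the real endpoint.

```python
"""k-anonymity password check, modelled on the HIBP Pwned Passwords range API.

Only a 5-character hash prefix is ever sent; the 35-character suffix is compared
locally, so the service cannot learn which password (if any) was being checked.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used by the range API."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix that leaves the machine, suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup) -> int:
    """How many times the password appears in the corpus (0 = not listed).

    range_lookup(prefix) must return the raw text of a range response; it is
    injected so the same logic runs offline against constructed data or online.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def online_range_lookup(prefix: str) -> str:
    """Real lookup against the HIBP range endpoint (requires network access)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed miniature corpus standing in for a leaked dictionary (counts are invented).
CONSTRUCTED_CORPUS = {"password": 3, "123456": 7, "letmein": 1}


def offline_range_lookup(prefix: str) -> str:
    """Fake range endpoint over the constructed corpus.

    Returns every corpus suffix whose hash starts with the prefix, plus a filler
    suffix, mirroring how a real response lists many unrelated suffixes.
    """
    lines = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in CONSTRUCTED_CORPUS.items()
             if sha1_hex(pw)[:5] == prefix]
    lines.append("0" * 35 + ":0")  # constructed filler line
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_range_lookup)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in corpus'}")
```

Run it as is and only the constructed corpus is consulted; pass `online_range_lookup` instead of `offline_range_lookup` to query the real service. Because the comparison happens in `breach_count` on your machine, the server sees the same five characters whether or not your password is listed, which is why the article can say that these services have no way of knowing what you typed.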
If you save your passwords in Chrome, you may not know that Google's browser has a built-in password manager tool that lets you verify with a few clicks that they are still safe.
- Open the Chrome browser and sign in with your Google account. Then go to this address. The Google password manager is then displayed.
- Click on the link Access the password check-up.
- In the page that is displayed click on the button Check passwords. You will need to enter the password associated with your Google account to continue.
- After a few seconds, Google draws up an overview of the security of the passwords you saved with Chrome or from an Android device. These can be passwords that have been leaked, passwords reused too many times, or accounts associated with passwords that are too weak.
- Pull down the menus in each section to make the necessary updates.