Latest news with #Cybernews


Fox News
24-05-2025
- Fox News
19 billion passwords have leaked online: How to protect yourself
Passwords are outdated, and it's time for both tech companies and users to move on. There, I said it. Like it or not, the weakest link in cybersecurity is anything that relies on human input. While organizations continue to invest in firewalls and endpoint security, the most persistent vulnerability remains the human password.

The internet has long struggled with poor password practices, but a recent discovery highlights just how serious the problem is. Security researchers have uncovered more than 19 billion newly leaked passwords, collected from hundreds of breaches between April 2024 and April 2025. An astonishing 94% of these passwords were either reused, predictable or both.

Between April 2024 and April 2025, data from nearly 200 separate cybersecurity incidents became publicly available, as discovered by Cybernews. These were not isolated events. They involved massive leak repositories including combolists, stealer logs and compromised databases. In total, over 3 terabytes of raw leaked data were analyzed, comprising more than 19 billion passwords. Only 6 percent of these, just over 1.1 billion, were unique.

Among the most used passwords, "123456" appeared in over 338 million instances. Words like "Password" and "admin" followed close behind, despite years of public warnings. Such defaults often originate from devices like routers or enterprise tools, where they are rarely changed and frequently reused elsewhere.

Personal names remain a common pattern as well. The name "Ana" appeared in nearly 179 million passwords, followed by countless other first names and name-based combinations. Pop culture, food, cities and even swear words were frequent themes. Words like "Mario," "love," "pizza," "Rome" and various profanities were not just creative choices. They are now security liabilities.

Even worse, attackers do not need to guess anymore. They have automation.
Credential stuffing tools now run through billions of known passwords across hundreds of platforms, breaching accounts at success rates as high as two percent. That equates to thousands of compromised profiles, bank accounts, emails and cloud tools every single day.

According to Cybernews researcher Neringa Macijauskaite, the core issue is not just weak passwords but how often they are reused. Only six percent of passwords are unique. For most users, security depends entirely on two-factor authentication, if it is enabled at all.

Most passwords fall between eight and 10 characters, with eight being the most common. Around 27 percent of them contain only lowercase letters and digits, making them highly vulnerable to brute force attacks. Less than 20 percent use a mix of cases and numbers, and only a small fraction includes symbols.

Despite widespread education efforts, user habits remain stagnant, but one positive trend has emerged. In 2022, only one percent of passwords used a mix of lowercase, uppercase, numbers and symbols. Now that figure has grown to 19 percent, likely driven by stricter password requirements across platforms.

Reused or weak passwords pose a massive threat, not just to individuals but to organizations. A single compromised password can trigger a domino effect, exposing multiple accounts across services. Consider using a password manager to generate and store complex passwords.

Protecting your data requires a mix of smart security habits and reliable tools. Here are four effective ways to keep your information safe.

1. Enable two-factor authentication (2FA): Even if your password is stolen, 2FA adds an extra layer of security by requiring a second form of verification, such as a code from an authentication app or biometric confirmation.
Cybercriminals rely on stolen usernames and passwords to break into accounts, but with 2FA enabled, they cannot gain access without the additional security step. Make sure to enable 2FA on important accounts like email, banking and work-related logins.

2. Use strong antivirus software and be cautious with downloads and links: Infostealer malware is the root cause of why your password is out there. It often spreads through malicious downloads, phishing emails and fake websites. Avoid downloading software or files from untrusted sources, and always double-check links before clicking them. Attackers disguise malware as legitimate software, game cheats or cracked applications, so it is best to stick to official websites and app stores for downloads. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

3. Keep software updated: Cybercriminals exploit outdated software to deliver malware. Keeping your operating system, browsers, and security software up to date ensures that known vulnerabilities are patched. Enable automatic updates whenever possible, and install reputable antivirus or endpoint protection software that can detect and block infostealer threats before they compromise your system.

4. Consider a personal data removal service: These services can help remove your personal information from data broker sites, reducing your risk of identity theft, spam and targeted scams. While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap, and neither is your privacy.
These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

When it comes down to it, passwords just aren't cutting it anymore. The sheer number of leaked passwords and the fact that so few are unique show how vulnerable we really are. Cybercriminals are getting smarter and faster, but we don't have to make it easy for them. By using password managers, enabling two-factor authentication, keeping our software updated and considering extra privacy tools, we can take back some control over this situation. It might take a little effort to change old habits, but the peace of mind you get is worth it.

How many of your accounts use the same password or a variation of it?


Daily Mail
23-05-2025
- Daily Mail
1.2b social media users' data stolen in historic breach: Check your bank account NOW
Over a billion Facebook users have had their private account information stolen in one of the largest data breaches in social media history. A cybercriminal using the alias ByteBreaker claims to have scraped 1.2 billion Facebook records and is now selling the data on the dark web. Scraping, or web scraping, involves using automated tools to collect large amounts of data from websites, similar to copying and pasting information at scale.

Cybersecurity researchers at Cybernews revealed that the stolen data includes names, user IDs, email addresses, phone numbers, birthdates, gender information, and location data such as city, state, and country. Investigators say ByteBreaker exploited a flaw in a specific Facebook tool designed to let apps or programs access user data. If verified, ByteBreaker's trove would represent the largest single data-scraping incident from a social media platform to date.

Officials are urging all Facebook users to change their passwords, freeze their credit, and activate fraud alerts on their bank accounts. They warn that the dataset scraped by ByteBreaker contains enough information for cybercriminals to open credit cards in victims' names or access their financial accounts.

ByteBreaker shared a sample of 100,000 user records on the dark web to prove they have the data. However, both Facebook and cybersecurity experts are questioning if the cyber thief actually has what they claim. A spokesperson from Meta told Daily Mail that the stolen information ByteBreaker allegedly has is actually from a 2021 Facebook breach involving more than 500 million users. 'This is from 2021, so it's not a new claim. We disclosed this years ago and have taken steps to prevent similar incidents from happening,' Meta said in a statement Thursday.

According to researchers from Hackread, some of the data in the 100,000 user sample ByteBreaker posted on the dark web was from that 2021 breach, so it's possible the cybercriminal is trying to pass off old data as new.
Cyber experts added that ByteBreaker claimed in their dark web ad that the 1.2 billion accounts were stored in '200 million rows.' In databases, however, each 'row' represents one user's complete info (name, email, etc.). So, 1.2 billion records should need 1.2 billion rows, not 200 million, adding even more skepticism to the hacker's story. If verified, the dataset would surpass the 700 million LinkedIn scrape and the 533 million Facebook breach of 2021.

'Scraping data using features meant to help people violates our terms. We have teams across the company working to detect and stop these behaviors,' Meta wrote in a statement after the 2021 data breach. Meta told Daily Mail that their stance on this issue hasn't changed and the company firmly believes no new data has been taken from Facebook.

ByteBreaker claims that they collected the data by abusing Facebook's Application Programming Interface (API). Facebook's API can allow an app to access user profiles to show their names or posts. The hacker figured out a way to trick or overuse this API to collect massive amounts of user data without permission. It's like finding a loophole in a library's computer system to download everyone's contact info instead of just borrowing a book.

Along with changing your email password and freezing your credit, consider updating your passwords for accounts that use the same email or phone number that may have been stolen from Facebook. You can also enable two-factor authentication, which adds an extra step to logins, like a code sent to your phone or email, making it harder for hackers to access your account even if they have your password.


Yahoo
09-05-2025
- Yahoo
Cybersecurity Expert Warns of 'Widespread Epidemic' of Bad Passwords
Cybersecurity experts are sounding the alarm on what has been referred to as a "widespread epidemic" of weak passwords that could leave users' data, accounts, and personal information at risk.

Cybernews recently conducted a study looking into more than 19 billion newly exposed passwords after several high-profile breaches in the past year. The outlet's research team wanted to examine the 2025 password creation trends. What they uncovered in the data was quite alarming, to say the least.

The research found that 94 percent of passwords are reused, leaving Internet users vulnerable to exposure if even one of their passwords was exposed. Additionally, almost a third of the passwords analyzed consisted of only lowercase letters and digits, making them easier to guess, and default and lazy passwords like 'password', 'admin', and '123456' are still a common pattern.

"We're facing a widespread epidemic of weak password reuse. Only 6% of passwords are unique, leaving other users highly vulnerable to dictionary attacks. For most, security hangs by the thread of two-factor authentication—if it's even enabled," warned Neringa Macijauskaite, an information security researcher at Cybernews.

In response to these concerning findings, the Cybernews research team shared a few recommendations:

Use Password Managers. They create and store unique, strong passwords for every service, reducing the temptation to reuse passwords across different platforms.

Never reuse passwords. Make sure your password is at least 12 characters long, includes uppercase, lowercase letters, numbers, and at least one special symbol. Skip any words, names, sequences, or other recognizable strings.

Enable multi-factor authentication (MFA) wherever possible. MFA provides an extra layer of security, reducing the risk of unauthorized access even if passwords are compromised.
Organizations should enforce password policies that require passwords to be at least 12 characters long, ideally 16, incorporating a mix of uppercase and lowercase letters, numbers, and special characters. Complexity beats length.

Organizations should ensure that adequate data hashing algorithms and configurations are implemented while continuously reviewing existing security standards revolving around data transit and storage.

Review access controls regularly and perform regular security audits. This leads to a better security posture of a company and lowers the risk of its users' personal data being leaked.

Monitor and react to credential leaks. Organizations should adopt tools and platforms that can detect leaked credentials in real time, allowing them to instantly block access or require resets for affected accounts.

With hackers and cybercriminals getting more and more sophisticated every day, it's important to keep your data and accounts secure.


The Independent
07-05-2025
- The Independent
Over 19 billion passwords have been leaked in security 'crisis' – here's how to check if yours is vulnerable
Over 19 billion passwords were leaked in the last year alone amid what experts are calling a cybersecurity 'crisis.' But there are ways to protect yourself.

A new study by Cybernews examined more than 200 data breaches between April 2024 and 2025, and found that of the 19,030,305,929 newly exposed passwords, 94 percent of them were reused or duplicated – in some cases by different users entirely.

'We're facing a widespread epidemic of weak password reuse,' noted Neringa Macijauskaite, information security researcher at Cybernews. 'Only 6 percent of passwords are unique, leaving other users highly vulnerable to dictionary attacks. For most, security hangs by the thread of two-factor authentication – if it's even enabled.'

Experts called for an acceleration of tighter security methods, highlighting that cybercriminals only require an exposed password to then access email addresses and other personal data. The leaks examined by researchers were 'loaded with information that could be used to steal accounts or impersonate affected people in identity theft attacks,' the study noted.

The study found that millions still favor basic passwords that are easy to remember – and easy for hackers to guess. 'Password' is used by 56 million people, and 53 million use 'admin.' Researchers also found that '1234' is in almost 4 percent of all passwords, which is easy for hackers to guess.

People's names were the second most popular choice for a password. 'Many users choose a name as part of their password. We cross-referenced the dataset with the 100 most popular names of 2025 and found that there's a whopping 8 percent chance for them to be included as part of a password,' Macijauskaite said.

Others opted for positive words such as 'love,' which was in 87 million passwords analyzed, and 'sun,' used in 34 million. Swear words are also common in passwords, the research revealed.
'Passwords built from profane or offensive words might seem rare, but they're actually very common in practice,' Macijauskaite said. 'Passwords containing profanity often originate from attempts at personalization or memorability. However, such terms are prevalent in attacker wordlists and pose a substantial risk to account security.'

Use password managers to create and store unique passwords for different accounts.

Never reuse passwords. Make sure your password is at least 12 characters long and includes uppercase and lowercase letters, numbers, and at least one special symbol.

Enable multi-factor authentication when possible, which reduces the risk even if passwords are leaked or hacked.

Review access controls regularly, and perform regular security audits.

Monitor and react to credential leaks.


Yahoo
07-05-2025
- Business
- Yahoo
German drinks group Oettinger confirms cyberattack
Oettinger Getränke, the German beer and soft-drinks group, is investigating a cyberattack on the business. In a brief statement, the privately owned company confirmed the breach and said it was looking into the 'potential' for data leaks.

According to specialist publication Cybernews, ransomware group Ransom House claims to hold data from the brewer. Ransom House has posted a warning to the company online, Cybernews said.

Oettinger Getränke is one of Germany's largest brewers and claims to be among the world's top 25. The family-owned business, founded in 1731, has three sites: its HQ in Oettingen in Bavaria, another in Mönchengladbach in North Rhine-Westphalia and a third in Braunschweig in Lower Saxony. The company has around 800

'We are currently investigating the cyberattack on Oettinger Getränke in conjunction with IT forensic experts, the data protection authority and cybercrime specialists,' the company said in its statement. 'We are also conducting an investigation into the potential for data leaks. For forensic reasons, we are unable to provide any further details at this moment. Production and logistics have not been affected by the cyberattack.'

Away from beer, Oettinger's soft drinks range from ice teas and spritzers to malt drinks and lemonades. The brewer also makes its own 'alcohol-free' beer at an abv of less than 0.5%. In January last year, it bought non-alcoholic functional beer brand JoyBräu.

"German drinks group Oettinger confirms cyberattack" was originally created and published by Just Drinks, a GlobalData owned brand.