Huge Password Leaks in AI Data & The Secret to Living 100+
Our new app PrivacySafe Bot helps you create passwords on-the-fly
In Bits On Tape, we bring you bytes of science & tech stories to ponder and paraphrase.
AI Might Have Leaked Your Passwords
Think you can keep the same password for years? Think again. With generative AI systems hoarding piles of credentials, networks of malware swiping logins, and hackers waiting to record your keystrokes, digital security is a game of whack-a-mole that is speeding up.
A new report found that the Common Crawl dataset used to train large language models (LLMs) contains piles of leaked keys and passwords. Researchers found nearly 12,000 live API keys, passwords, and other sensitive credentials that could be used to access critical services.
Common Crawl is an enormous data repository, containing 250 billion web pages collected over 18 years and totaling 400 terabytes of compressed data, including 90,000 archive files and info from 47.5 million hosts across 38.3 million domains. This recent investigation uncovered 219 types of exposed secrets, such as Amazon Web Services root keys, Slack webhooks, and Mailchimp keys.
All that is to say: this is a *big deal*. Common Crawl is used to train the popular ChatGPT as well as AI software from Anthropic, Microsoft, Facebook, Google, and many others. Since there is no way for LLMs to tell which credentials are actually sensitive and which are just demo examples, it's easy for leaked passwords to end up, for instance, in online coding tutorials or recycled in new software that includes copy-pasted code from AI.
As AI introduces new security risks, malware also continues to be a growing threat. Breach notification site HaveIBeenPwned recently raised the alarm about a breach of 244 million passwords and 284 million email addresses, all gathered by "infostealers" that harvest credentials. These credentials were being shared in a Telegram channel that is known for distributing stolen data.
Though much smaller breaches dominated headlines a decade ago, today's users are left woefully uninformed about the likelihood that they have been impacted by breaches and the importance of creating new passwords after these events.
The scale of this breach underscores how widespread infostealer malware has become. One particularly devastating case recently involved a Disney employee who installed a keylogger by downloading malicious AI software.
The attacker gained full access to his passwords, financial data, and even his workplace Slack conversations, using the stolen information to wreak havoc on both his personal and professional life. The breach led to the leak of millions of internal Disney messages, exposing sensitive corporate data. In addition to the personal and financial turmoil, the employee was also terminated after a company investigation.
So, what's the takeaway? Two simple things you can do: pause and take 9 seconds to think before downloading software, and use long and complex passwords instead of reusing the same one across your accounts.
And, if you find yourself having to generate a bunch of new passwords to protect yourself after a breach, there's an app for that.
Need Strong Passwords? Ask PrivacySafe Bot
Weak passwords are a gateway to disaster. Our new app PrivacySafe Bot helps you avoid the pitfalls of poor password security.
Not only does our app generate strong passwords and memorable passphrases directly on your device, it also provides real-time feedback on the strength of your customizations. PrivacySafe Bot will show you how to make your credentials stronger, so that cracking them is too much of a hassle for hackers.
Age Records? Probably Bad Record Keeping
The secret to living past 100 might not be diet, exercise, wealth, or a stress-free life – it might just be a little creative paperwork. One researcher is calling out the so-called "Blue Zones," those famous regions where people supposedly live the longest. His article on the subject won an Ig Nobel Prize for unusual scientific works and claims that impressive age records are more fiction than fact. From Japan to Italy to California, the common thread isn't just healthy habits: it's sloppy record-keeping that makes people seem older than they really are.
Some of the mix-ups are pretty wild. In Japan, a man thought to be 111 was actually just... not alive at all. Authorities found his mummified remains and realized he had likely passed away decades earlier. Similar issues pop up in Greece and Costa Rica, where large numbers of supposed centenarians are either long gone or were never real to begin with. The researcher jokingly suggests that if you want to boost your lifespan, just move somewhere that botches birth certificates.
Blue Zone proponents insist their data is rock solid and that they have done responsible scientific work identifying these areas of human longevity. Even with rigorous standards, however, it's not possible to verify age records if the birth documents that form the basis of the claims are wrong. While Blue Zones may still be places we can learn from in regard to healthy living and good habits, there's strong evidence that the true secret to living an exceptionally long life is clerical error.
Bad data isn't always just amusing or misleading: it can be downright dangerous. A recent case in California highlights how altered records can have severe real-world effects. A former Stanford University employee was convicted of tampering with a cancer study database, inserting false medical data and even personal insults after being fired.
Clinical trials depend on precise and trustworthy records, and her actions disrupted an important study on breast cancer treatment and forced the university to spend significant time and resources correcting the damage.
Digital records were supposed to make our data more accurate, but digitization also makes it easier to spread mistakes – or in some cases, outright lies. The real takeaway? When it comes to data, the difference between fact and fiction might be just one keystroke.
Ivy Cyber: Understand the ABC's of Tech
Protecting data from manipulation, whether it's through better security protocols or more rigorous verification processes, is more important than ever. You need to start with the ABC's: the risks and rewards of AI, Blockchain, and Cybersecurity.
At Ivy Cyber, we help individuals and businesses take control of their digital footprint. That might mean training your team, testing your systems, crafting an AI strategy, or safeguarding your crypto assets.
We assess your data, identify risks, and design strong defenses and responses to threats. It all starts with a simple conversation.
Thank You For Reading!
Join PrivacySafe Social to keep up with our latest news and releases. We've got more public apps fresh out of the oven and you'll be the first folks who get a taste as we announce them.
Bits On Tape™ is a twice-weekly replay of science & technology stories by cyber experts. These bits are put to screen by Sean O'Brien, leading voice behind privacy and cybersecurity at Yale Law School and founder of Yale Privacy Lab, and edited by Cherise Labonte, science researcher and licensed Registered Nurse.
© Ivy Cyber Consulting LLC. This project is dedicated to ethical Free and Open Source Software and Open Source Hardware. Ivy Cyber™ and Bits On Tape™ are pending trademarks and PrivacySafe® is a registered trademark. All content, unless otherwise noted, is licensed Creative Commons BY-SA 4.0 International. Header photo is derived from CC-BY art by Christiaan Colen and Last Hero.