The leak of more than 10 billion passwords, exposed on dark web forums in late June, raised a global alarm about cybersecurity risks and the urgent need to comply with the General Data Protection Law (LGPD). Dubbed “RockYou2024.txt,” the file, released by a hacker known as “ObamaCare,” contains data from platforms such as Apple, Google, and Facebook, including previously unseen email and password combinations.
The impact is considered one of the largest in history in terms of volume and scope. The episode demands an immediate response from companies and information technology professionals, especially given the legal requirements in effect since 2020. For Edgard Dolata, a lawyer specializing in LGPD and partner at Legal Comply and Dopp Dolata Advogados, the case exposes the vulnerability of digital structures. “The fragility of digital security systems exposes not only the consumer but also the reputation and legal liability of companies. Having a privacy policy on the website is not enough. It is necessary to demonstrate active governance in protecting this data,” states Dolata.
The expert emphasizes that many organizations still treat the issue as bureaucratic and neglect to create efficient internal processes. According to him, the large-scale exposure of credentials increases the risks of social engineering, phishing scams, corporate intrusions, and sanctions from the National Data Protection Authority (ANPD). “Data protection must stop being a reactive approach. The LGPD requires registration, traceability, and a rapid response in case of incidents. And this applies to both large platforms and small companies, which often operate with vulnerable structures,” he says.
July, a period that typically sees more remote access because of school holidays and hybrid work, also brings a rise in silent attacks. Dolata advises companies to adopt measures such as multi-factor authentication, regular backups, and continuous access review. “The winter break, in addition to reducing digital vigilance, often paralyzes incident response teams. This creates the ideal scenario for cyberattacks. Security planning needs to consider this seasonal behavior,” he warns.
For the lawyer, the recurrence of mega-leaks and the lack of exemplary punishments further fuel digital impunity. “As long as Brazil lacks a strong culture of accountability and prevention, we will continue to react too late. Compliance with the LGPD is not just legal protection; it’s an operational necessity,” he concludes.
Companies looking to assess their exposure or initiate a compliance plan can seek specialized legal diagnostics and risk analysis tools on platforms like Legal Comply, which monitors vulnerabilities and guides LGPD-based response plans.