
Largest password leak in history exposes cybersecurity weaknesses and puts LGPD in focus

The leak of over 10 billion passwords, exposed on dark web forums in late June, has raised a global alarm about cybersecurity risks and the urgent need for compliance with the General Data Protection Law (LGPD). Dubbed ‘RockYou2024.txt,’ the file, released by a hacker known as ‘ObamaCare,’ compiles data from platforms such as Apple, Google, and Facebook, including previously unseen combinations of emails and passwords.

The impact is considered one of the largest in history in terms of volume and reach. The episode demands an immediate response from companies and IT professionals, especially given the legal requirements in force since 2020. For Edgard Dolata, a lawyer specializing in LGPD and partner at Legal Comply and Dopp Dolata Advogados, the case highlights the vulnerability of digital infrastructures. ‘The fragility of digital security systems exposes not only consumers but also the reputation and legal liability of companies. Having a privacy policy on the website is not enough. It is necessary to prove that there is active governance in protecting this data,’ says Dolata.

The expert points out that many organizations still treat the issue as bureaucratic and neglect the creation of efficient internal processes. According to him, the large-scale exposure of credentials increases the risks of social engineering, phishing scams, corporate breaches, and sanctions from the National Data Protection Authority (ANPD). ‘Data protection must cease to be a reactive action. The LGPD requires registration, traceability, and rapid response in case of incidents. And this applies to both large platforms and small businesses, which often operate with vulnerable infrastructures,’ he says.

In July, a period that usually sees an increase in remote access due to school holidays and hybrid work, the incidence of silent attacks also rises. Dolata advises companies to adopt measures such as multi-factor authentication, regular backups, and continuous review of access. ‘The winter break, in addition to reducing digital vigilance, often paralyzes incident response teams. This creates the ideal scenario for cyberattacks. Security planning must consider this seasonal behavior,’ he warns.

For the lawyer, the recurrence of mega leaks and the absence of exemplary punishments still fuel digital impunity. ‘As long as Brazil does not have a strong culture of accountability and prevention, we will continue to react too late. LGPD compliance is not just legal protection—it is an operational necessity,’ he concludes.

Companies that wish to assess their exposure or initiate a compliance plan can seek specialized legal diagnosis and risk analysis tools on platforms such as Legal Comply, which monitors vulnerabilities and guides response plans based on the LGPD.
