It depends. If your accounts are set up to auto-reject and ban people after X number of failed logins, then a strong password (even without 2fa) should be ok for most people.
But if the service allows for unlimited login attempts, having the same password for months or years gives more time to brute force guess it.
Even in a leak like this, even without anything more than a list of passwords, it could be a valuable collection for a “dictionary password attack”.
Lots of unknowns, but this was a “leak”, rather than a “hack”. Perhaps another article might shed more light into the details of the data, and in what form those passwords are in.
Is changing passwords on a regular basis actually better or just a feeling?
It depends. If your accounts are set up to auto-reject and ban people after X number of failed logins, then a strong password (even without 2fa) should be ok for most people.
But if the service allows for unlimited login attempts, having the same password for months or years gives more time to brute force guess it.
Even in a leak like this, even without anything more than a list of passwords, it could be a valuable collection for a “dictionary password attack”.
But why would the passwords be available unhashed?
Lots of unknowns, but this was a “leak”, rather than a “hack”. Perhaps another article might shed more light into the details of the data, and in what form those passwords are in.