The latest data breach to hit the internet isn't an attack on a single big internet company like Facebook or Yahoo (where one billion accounts were breached). Instead, it's a massive collection of email addresses and passwords compiled from a number of earlier data breaches. Dubbed Collection #1, this data dump includes 773 million email addresses and 21 million unencrypted passwords. Not all of those passwords are new; about half have been seen in previous breaches. But that still leaves plenty of passwords that are now available to any crook who goes looking.
Security researchers believe these passwords are two or three years old, so the compromised passwords may not be current. Still, you shouldn't use that as an excuse to ignore this breach, because many of us use the same passwords on multiple sites. When one of those sites is compromised, hackers will take your login information and see if it works on other sites — which means having one password compromised can lead to lots of your passwords being compromised.
Worse, this may just be the beginning. The hacker selling Collection #1 has four more "collections" of data, which could include even more passwords. Even if your information wasn't compromised in Collection #1, it may be in one of these other collections. All of this data — nearly a terabyte of usernames, passwords, and other personal information — is being sold online for just $45. At a budget price like that, practically anyone could pick up your password.
What can I do about compromised passwords?
To check if your information is part of Collection #1, go to the website Have I Been Pwned, which tracks compromised accounts. Enter your email address and it will tell you if it's shown up in a known data breach. Whether you've been compromised by this breach or not, there's a good chance your data has been stolen at some point — and Have I Been Pwned will list every breach you've been affected by.
Now it's time to start changing compromised passwords and giving them strong, unique passwords. A good password should:
- Include a mix of numbers, symbols, and letters
- Be at least eight characters long
- Be unique to that account
- Not be a simple word or pattern, like "password" or "12345678"
- Not include personal information like names or birthdays
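To make the checklist concrete, here is a small Python checker (an added illustration, not code from the article) that reports which of the rules above a candidate password breaks. The common-password list, the personal-information tokens and the "used elsewhere" set are constructed sample values standing in for a real breach list and a real password vault.

```python
import string
from typing import Iterable, List

# Constructed sample deny list; a real check would use a breached-password corpus.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein", "iloveyou"}


def _is_simple_pattern(pw: str) -> bool:
    """True for a single repeated character or a straight run such as 'abcdefgh'
    or '87654321' (every step between neighbours is +1 or every step is -1)."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(pw: str,
                   personal_info: Iterable[str] = (),
                   used_elsewhere: Iterable[str] = ()) -> List[str]:
    """Return the rules the candidate violates; an empty list means it passes."""
    problems = []
    lowered = pw.lower()

    if len(pw) < 8:
        problems.append("shorter than eight characters")

    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    if not (has_letter and has_digit and has_symbol):
        problems.append("needs a mix of letters, numbers and symbols")

    # A common password embedded in a longer string ('Password1!') still counts.
    if any(common in lowered for common in COMMON_PASSWORDS) or _is_simple_pattern(lowered):
        problems.append("is a common word or simple pattern")

    if pw in set(used_elsewhere):
        problems.append("already used for another account")

    for token in personal_info:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal information ({token})")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a name and birth year the attacker could look up.
    for candidate in ("12345678", "Maria1985!", "Tr0ub4dor&3xyz"):
        print(candidate, "->", check_password(candidate, personal_info=("Maria", "1985")))
```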
Go down the list of compromised accounts and change your passwords for each — and if there's a service you don't use anymore, delete the account so it can't be compromised in the future. (If you're having trouble figuring out how to delete an account, Account Killer can help you figure it out.) Once you've changed those passwords, it's time to change the passwords of any other accounts that use the same passwords. And for breaches like Collection #1, you should consider changing all of your passwords. It's a lot of work, but account security is worth the work.
To help you remember all of these passwords, we strongly recommend a password manager, which can keep track of all of your accounts. Most password managers will even suggest strong passwords for you, which takes the work out of changing passwords. All you have to remember is the password for your password manager and you'll have great security for all of your accounts. Our current favorite is Dashlane.
Add even more security
To further secure your accounts, you should add two-factor authentication to any accounts that support it. This means you'll have to enter both your password and another piece of information — usually a code that's emailed or texted to you — in order to log on. That means even if a hacker does get your password, they don't have free access to your accounts.
Check Two Factor Auth for a list of services that support two-factor authentication.
[Image credit: computer hack concept via BigStockPhoto]
From MariaRose on January 29, 2019 :: 4:50 pm
I am a subscriber of the “Have I Been Pwned” site and heard about this the other day, ahead of this newsletter. I have a feeling that this is connected to the Yahoo hack as part of a continued problem. I am following a diligent program of blocking any cookies from sites, plus I have a program in place that advises me about the safety of any site before I attempt to reach the site. All my passwords have been changed multiple times over the years. I also switched from an Android system to a Mac system with a virus program on all my devices.
From Josh Kirschner on January 29, 2019 :: 5:19 pm
Hi MariaRose,
Yes, we heard of this through Troy Hunt as well. It might be connected to Yahoo or not; we don’t really know. But it does appear to be data from old hacks rather than recent ones.
Unfortunately, blocking cookies won’t do anything to prevent these password breaches. And a program that notifies you of unsafe sites is helpful to prevent phishing attempts, but likewise won’t help with data breaches at the company level. Nor is this an Android/Windows vs Mac/iOS issue, since it is the sites you log in to that are compromised, not your devices.
The best thing we can do is to use unique, complex passwords for every site, and a password manager to manage those passwords. So when a site is compromised, it is harder to decrypt your password and unencrypted passwords can’t be reused on other sites. If you follow this plan, you shouldn’t actually need to change your passwords very often, since they will be inherently more secure, though it doesn’t hurt to do so as long as you’re not sacrificing complexity for ease of remembering.