The latest data breach to hit the internet isn't an attack on a big internet company like Facebook or Yahoo, where one billion accounts were breached. Instead, it's a massive collection of email addresses and passwords compiled from a number of data breaches. Dubbed Collection #1, this data dump includes 773 million email addresses and 21 million unencrypted passwords. Not all of those passwords are new — about half have been seen in previous breaches — but that leaves plenty of passwords that are now available to any crook who goes looking.
Security researchers believe these passwords are two or three years old, so the compromised passwords may not be current. Still, you shouldn't use that as an excuse to ignore this breach, because many of us use the same passwords on multiple sites. When one of those sites is compromised, hackers will take your login information and see if it works on other sites — which means having one password compromised can lead to lots of your passwords being compromised.
Worse, this may just be the beginning. The hacker selling Collection #1 has four more "collections" of data, which could include even more passwords. Even if your information wasn't compromised in Collection #1, it may be in one of these other collections. All of this data — nearly a terabyte of usernames, passwords, and other personal information — is being sold online for just $45. At a budget price like that, practically anyone could pick up your password.
What can I do about compromised passwords?
To check if your information is part of Collection #1, go to the website Have I Been Pwned, which tracks compromised accounts. Enter your email address and it will tell you if it's shown up in a known data breach. Whether you've been compromised by this breach or not, there's a good chance your data has been stolen at some point — and Have I Been Pwned will list every breach you've been affected by.
Now it's time to start changing compromised passwords and giving them strong, unique passwords. A good password should:
- Include a mix of numbers, symbols, and letters
- Be at least eight characters long
- Be unique
- Not be simple words or patterns, like "password" or "12345678"
- Not include personal information like names or birthdays
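As an added illustration (not code from the article), the snippet below shows what the two checks above look like when done on your own machine: a breach lookup in the style of Have I Been Pwned's Pwned Passwords service, which hashes the password locally and sends only the first five characters of the SHA-1 hash so the password itself never leaves the computer, and a checker for the password rules in the list. The `offline_fetch_range` data and the `COMMON_PASSWORDS` set are small constructed stand-ins for this example; `online_fetch_range` calls the real `api.pwnedpasswords.com/range/` endpoint and is provided for readers who want to try it, but is not needed to run the example.

```python
import hashlib
import re
import urllib.request

# Constructed stand-in for a Pwned Passwords "range" response. Each line is
# the last 35 hex characters of a SHA-1 hash and how many times that password
# appeared in known breaches. The first suffix is the real SHA-1 of "password";
# the counts and the other two suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00000000000000000000000000000000001:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7
"""

# Tiny constructed deny list; a real check would use a much larger one.
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "letmein", "iloveyou"}


def offline_fetch_range(prefix):
    """Offline fetcher used by this example: returns the constructed sample for
    prefix 5BAA6 and an empty response for any other prefix."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def online_fetch_range(prefix):
    """Fetch a range from the real Pwned Passwords API (not used by the tests).
    Only the 5-character hash prefix is sent over the network."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=offline_fetch_range):
    """k-anonymity lookup: hash locally, send only the first 5 hex characters,
    and compare the remaining 35 against the returned suffixes locally.
    Returns how often the password was seen in breaches (0 if not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_sequential(s):
    """True when every character steps by +1 or -1 from the previous one,
    e.g. "12345678" or "abcdefgh"."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def policy_failures(password, personal_info=(), other_passwords=()):
    """Return the list of rules from the article that the password breaks.
    personal_info: strings such as names or birth years the user supplies.
    other_passwords: passwords already used on other accounts (uniqueness)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    has_letter = re.search(r"[A-Za-z]", password)
    has_digit = re.search(r"\d", password)
    has_symbol = re.search(r"[^A-Za-z0-9]", password)
    if not (has_letter and has_digit and has_symbol):
        failures.append("needs letters, numbers and symbols")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS or is_sequential(lowered) or len(set(lowered)) == 1:
        failures.append("common word or simple pattern")
    for item in personal_info:
        if item and item.lower() in lowered:
            failures.append("contains personal info: " + item)
    if password in other_passwords:
        failures.append("reused on another account")
    return failures


if __name__ == "__main__":
    for pw in ["password", "12345678", "Rex1990!x", "Tr0ub4dor&3"]:
        print(pw, "seen", pwned_count(pw), "times;",
              "problems:", policy_failures(pw, personal_info=["Rex", "1990"]) or "none")
```

Swap `offline_fetch_range` for `online_fetch_range` in the `pwned_count` call to query the live service; the rest of the logic is unchanged, which is the point of the range design: the server only ever learns a five-character prefix shared by many unrelated passwords.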
Go down the list of compromised accounts and change your passwords for each — and if there's a service you don't use anymore, delete the account so it can't be compromised in the future. (If you're having trouble figuring out how to delete an account, Account Killer can help.) Once you've changed those passwords, it's time to change the passwords of any other accounts that use the same passwords. And for breaches like Collection #1, you should consider changing all of your passwords. It's a lot of work, but account security is worth it.
To help you remember all of these passwords, we strongly recommend a password manager, which can keep track of all of your accounts. Most password managers will even suggest strong passwords for you, which takes the work out of changing passwords. All you have to remember is the password for your password manager and you'll have great security for all of your accounts. Our current favorite is Dashlane.
Add even more security
To further secure your accounts, you should add two-factor authentication to any accounts that support it. This means you'll have to enter both your password and another piece of information — usually a code that's emailed or texted to you — in order to log on. That means even if a hacker does get your password, they don't have free access to your accounts.
Check Two Factor Auth for a list of services that support two-factor authentication.
[Image credit: computer hack concept via BigStockPhoto]