Implications of the password leak
If you’re concerned that your email address and password might be among the 773 million disclosed in the leak, Hunt offers a simple remedy: go to his website “Have I Been Pwned,” enter your email address, and within a few seconds you’ll see whether it appears in Collection #1 (or in any other breach the site has indexed). Hunt himself acknowledges that he found one of his old email addresses in the collection.
In addition to the sheer size of this password leak, what really stands out is the potential harm from having email addresses and passwords released together in one corpus. As security researchers like Troy Hunt point out, your most important password is the one for your email account: an attacker who can read your mailbox can request a password reset on any account tied to that address and pick up the reset link. The technique for turning a leaked email/password pair into access to other sites is called “credential stuffing.”
Credential stuffing relies on the fact that many people use the same password for their email account as for the other services they use every day. Unlike brute forcing, which hammers a single account with many password guesses, stuffing replays the leaked pairs as-is: bots try each email/password combination against as many sites as possible, typically in a short burst, and every site where the pair still works becomes a compromised account. If the email account itself accepts the leaked password, the attacker can then trigger password resets for other accounts and collect the reset messages from the mailbox they now control.
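The pattern described above is what defenders look for on the receiving end. The following Python is an added example, not code from the article or from Have I Been Pwned: it parses a constructed login log, separates a credential-stuffing burst (one attempt against each of many accounts) from a classic brute-force burst (many attempts against one account), and lists the accounts the stuffing burst actually got into. The log format, IP addresses, account names and thresholds are all assumptions made for the illustration.

```python
"""Added example: telling credential stuffing apart from brute force in
authentication logs, and listing accounts a stuffing burst actually got into.
The log format, thresholds and addresses below are constructed for illustration."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<ISO timestamp> <src_ip> <account> <result>".
# 203.0.113.7 tries one leaked pair per account (stuffing), 198.51.100.4 hammers one
# account with many guesses (brute force), 192.0.2.9 is a user who mistyped once.
SAMPLE_LOG = """\
2019-01-17T10:00:01 203.0.113.7 alice@example.com FAIL
2019-01-17T10:00:02 203.0.113.7 bob@example.com FAIL
2019-01-17T10:00:02 203.0.113.7 carol@example.com OK
2019-01-17T10:00:03 203.0.113.7 dave@example.com FAIL
2019-01-17T10:00:03 203.0.113.7 erin@example.com FAIL
2019-01-17T10:00:04 203.0.113.7 frank@example.com FAIL
2019-01-17T10:00:10 198.51.100.4 grace@example.com FAIL
2019-01-17T10:00:11 198.51.100.4 grace@example.com FAIL
2019-01-17T10:00:12 198.51.100.4 grace@example.com FAIL
2019-01-17T10:00:13 198.51.100.4 grace@example.com FAIL
2019-01-17T10:00:14 198.51.100.4 grace@example.com FAIL
2019-01-17T10:00:15 198.51.100.4 grace@example.com FAIL
2019-01-17T10:05:00 192.0.2.9 heidi@example.com FAIL
2019-01-17T10:05:30 192.0.2.9 heidi@example.com OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src_ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed four-column format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return attempts


def busiest_window(group: list[Attempt], window: timedelta) -> list[Attempt]:
    """Return the densest run of one source's attempts that fits inside `window`."""
    group = sorted(group, key=lambda a: a.ts)
    best: list[Attempt] = []
    start = 0
    for end in range(len(group)):
        while group[end].ts - group[start].ts > window:
            start += 1
        if end - start + 1 > len(best):
            best = group[start:end + 1]
    return best


def classify_sources(attempts, window=timedelta(minutes=5), min_attempts=5,
                     spread_ratio=0.8) -> dict[str, str]:
    """Label each source IP.
    credential_stuffing: a burst where nearly every attempt targets a *different*
                         account (one leaked email/password pair per account).
    brute_force:         a burst concentrated on a single account (many guesses).
    normal:              too few attempts in any window to judge."""
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)
    verdicts: dict[str, str] = {}
    for ip, group in by_ip.items():
        burst = busiest_window(group, window)
        if len(burst) < min_attempts:
            verdicts[ip] = "normal"
            continue
        distinct = len({a.user for a in burst})
        if distinct / len(burst) >= spread_ratio:
            verdicts[ip] = "credential_stuffing"
        elif distinct == 1:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def compromised_accounts(attempts) -> set[str]:
    """Accounts that returned OK to a source classified as credential stuffing.
    The leaked pair worked, so these need a forced reset; if one of them is the
    user's mailbox, every account that resets through that mailbox is exposed too."""
    verdicts = classify_sources(attempts)
    return {a.user for a in attempts
            if a.ok and verdicts.get(a.src_ip) == "credential_stuffing"}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ip, label in classify_sources(parsed).items():
        print(f"{ip:15} {label}")
    print("accounts hit by stuffing:", sorted(compromised_accounts(parsed)))
```

The distinguishing signal is the spread of usernames per source, not the failure count alone: a stuffing bot fails on most accounts because most people did not reuse that exact password, but the few successes are exactly the accounts that now need a reset and a look at their mailbox-based recovery options.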
Potential remedies for those impacted by the data breach
Thus, by understanding how attackers think and work, you can take appropriate steps to protect your accounts. The first step is to use a long, unique password for every account. Nobody can remember dozens of such passwords, so use a password manager to generate and store them.
In addition, wherever possible, enable multi-factor authentication. In its most common form, a site texts a one-time code to your mobile device, which you enter along with your password to log in. Authenticator apps and hardware security keys are stronger choices where a site supports them, because SMS codes can be intercepted or redirected. The idea is the same either way: an attacker may hold your password from a leak, but probably does not also hold your second factor.
And, finally, the common-sense rule is never to reuse a password, neither across accounts nor by returning to one you have used before. Collection #1 contains password data as old as 10 years, so if you have not reused any password from the past decade, this particular dump gives you little reason for anxiety.
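Have I Been Pwned also publishes the passwords from dumps like this one as a separate corpus (Pwned Passwords) whose range API lets you check a password without sending it anywhere. The Python below is an added example, not code from the article or from Have I Been Pwned: it computes the SHA-1 of a candidate password, sends only the first five hex characters of that hash to the API, and compares the remaining 35 locally against the suffixes returned. The response body used for the offline check is constructed, and its counts are made up; only the request URL, the five-character prefix and the "SUFFIX:COUNT" line format are the real protocol.

```python
"""Added example: checking a password against Have I Been Pwned's Pwned Passwords
corpus with its k-anonymity range API, so the full password (and full hash)
never leaves the machine. The response body below is constructed; only the
protocol shape (5-char prefix in the URL, 'SUFFIX:COUNT' lines back) is real."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the corpus is indexed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """The API only ever sees the first 5 hex characters; the remaining 35 are
    matched locally against the suffixes it returns for that prefix."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_from_range_body(suffix: str, body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; return the count for our suffix, 0 if absent
    (0 means the hash is not in the corpus, not that the password is good)."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        s, _, count = line.partition(":")
        if s.upper() == suffix.upper():
            return int(count)
    return 0


# Constructed stand-in for what the API would return for prefix 5BAA6, the
# SHA-1 prefix of "password". Suffixes other than the real one and all counts
# are made up for this example.
CONSTRUCTED_BODY_5BAA6 = """\
1E2B3C4D5E6F708192A3B4C5D6E7F8091A2:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2F0A1B2C3D4E5F60718293A4B5C6D7E8F90:1
"""


def breach_count_offline(password: str, body: str) -> int:
    """Run the local half of the check against a captured/constructed body."""
    _prefix, suffix = split_hash(password)
    return count_from_range_body(suffix, body)


def breach_count_live(password: str, timeout: float = 10.0) -> int:
    """Real lookup (network). Add-Padding asks the API to pad the response so
    its size does not hint at which prefix was queried."""
    prefix, suffix = split_hash(password)
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true",
                 "User-Agent": "collection1-check-example"},  # assumed UA string
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return count_from_range_body(suffix, resp.read().decode("utf-8"))


if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print("sent to API:", prefix, "| kept local:", suffix)
    print("times seen (constructed body):",
          breach_count_offline("password", CONSTRUCTED_BODY_5BAA6))
```

A non-zero count means the exact password is already circulating in breach data and should be retired wherever it is still in use; a zero only says the corpus has not seen it, which is necessary but not sufficient for a strong password.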
Felix Rosbach, product manager at comforte AG, suggests that, “Sometimes there’s no way to be sure that the services we use are protected by an adequate amount of security. The best way to protect yourself is to use different passwords for all your online accounts and change them regularly. Otherwise, if one is compromised, then you can assume they’ve all been compromised.”
So, if you haven’t done so by now, change the password on your email account. And, if you are serious about keeping your accounts safe from the prying eyes of hackers, start using a password manager, which will generate a strong, unique password for each site. At one time, it might have been possible to ignore risks to online security, but as this latest massive password leak shows, the scale of attacks is growing and becoming more severe with time.