If you have ever generated a password in your life, you are the target of a data breach. And if you have used major platforms such as Apple, Google, Facebook, Instagram, GitHub, Telegram, and even some government portals, your password has likely been exposed and is out there for cybercriminals to use. Read on to understand why and what you should immediately do.


What’s the 16 billion password story?

A few days ago, Cybernews broke the story that their cybersecurity researchers, led by one Vilius Petkauskas, uncovered a massive data leak that contains a total of 16 billion credentials. Read that again: over 16 billion login credentials, including passwords, usernames, and associated data, were leaked online. This is considered the largest data breach in history by volume of credentials exposed. The data was found in 30 separate datasets, each ranging from tens of millions to over 3.5 billion records.

The leak is not a single data breach but rather a massive aggregation of multiple breaches and info-stealer malware logs. Most of the leaked data comes from info-stealer malware, credential stuffing sets, and repackaged leaks. The information is highly structured, typically as a URL followed by login details and a password.

For me, what is more scary is this – the majority of the datasets had not been previously reported as exposed, meaning most of the data is new and not just recycled from old breaches. Also, these credentials may be duplicated across one or more databases, but think about it: there are around 5.5 billion internet users globally today, and this is 16 billion login credentials.

Why you ARE impacted and should be worried

As written above, anyone who has used major platforms like Google, Facebook, Apple, etc. could be impacted. Essentially, that means anyone. The leak is global, affecting users of major platforms and services worldwide. Given the scale and variety of platforms involved, virtually anyone with an online account could be at risk. It is impossible to determine exactly how many individuals or unique accounts are affected due to overlapping and duplicate records across the datasets.


But for me, this story is more than that. I have been following this story since it broke. There are so-called cyber security publications that have been calling it a farce. Their argument is that this is only an aggregation of previously stolen databases that someone just consolidated into one place.

Even if that is true, the fact that one cyber criminal or group of criminals could have access to 16 billion login credentials should be a worrying sign. Even one password compromised is a cyber incident, and should be prevented.

What a cyber criminal could do with your login credentials

I have said this many times before, but it’s always good to be reminded. If a cybercriminal gains access to your login credentials, the consequences can be severe and wide-ranging for you and also those around you.

Here are some of the main harms that could result:

  • Account Takeover: Attackers can log in to your accounts as if they were you, gaining full access to your emails, social media, banking, and other online services. This is especially common in India, with attackers taking over your Facebook account and messaging everyone on your friends list to ask them for money, or taking over their accounts too.
  • Financial Fraud: Criminals may use your credentials to make unauthorized purchases, transfer funds, or apply for loans and credit in your name. Or simply use your credit card.
  • Identity Theft: With access to your personal information, attackers can impersonate you, open new accounts, or commit fraud that damages your credit or legal standing.
  • Spam and Phishing Campaigns: Compromised accounts are often used to send spam, launch phishing attacks, or distribute malware to your contacts. A verified email account (i.e. an email id belonging to a real person) is gold for spammers.
  • Malware Installation: Attackers may install malicious software on your devices or within your organization’s network, leading to further breaches or ransomware attacks.
  • Business Email Compromise (BEC): If your work email is compromised, attackers can impersonate you to trick colleagues into transferring money or sharing sensitive information. Imagine getting fired from your job because someone impersonated you and sent sensitive company information to a competitor.
  • Operational Disruption: Unauthorized access can disrupt business operations, delete or manipulate data, or lock users out of systems. Getting email back to normal (also called Business Continuity Management) is a monumental task.
  • Legal and Regulatory Penalties: Organizations may face fines and legal action for failing to protect user data, especially under regulations like GDPR or CCPA or the Indian equivalent (I’ll make a separate post on the state of privacy regulation in India – a lot of you have been asking. I promise!).

At the very least – if you’re still on Facebook, how many times have you received notifications from your friends saying that their accounts were hacked and any message from them asking for money was NOT them?

What is the simplest measure I can take to protect my password?

A few years ago, I would have said the following, all of which still applies today and should be followed:

  • Don’t repeat your passwords, i.e. don’t use the same password for multiple platforms or services.
  • Use a complex password that includes special characters. For example, J0hn@21xx is more complex than John@21xx, a subtle but effective change.
  • Do not write passwords down on paper, or on a notes app on your phone.
  • Do not tell your passwords to your friends, family or even your spouse (even if your password is your wife’s name and you want to impress her)
  • For password recovery measures, choose security questions that are not that easy for others to guess. For example, ‘When is your birthday’ is a lousy security question because anyone can perhaps look up your LinkedIn profile where you have made your birthday public. But, ‘what was the name of your first teacher’ is a much better question because very few others would know the answer.
  • Use two-factor authentication wherever possible.
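
Password reuse, the first item above, is what makes the credential stuffing sets in this leak effective: one exposed password opens every account that shares it. The following is an added example, not part of the original post, that audits a password-manager CSV export for reuse. The column names (url, username, password) and the sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export; the column names (url, username, password) are
# an assumption, real password-manager exports differ in naming.
SAMPLE_EXPORT = """url,username,password
https://www.shop.example/login,asha@mail.example,Tr1cky-Horse-42
https://forum.example/signin,asha,Tr1cky-Horse-42
https://bank.example/,asha@mail.example,uQ9#vLm2!xRt7
https://shop.example/account,asha@mail.example,Tr1cky-Horse-42
https://mail.example/,asha,
https://news.example/,asha@mail.example,uQ9#vLm2!xRt7
"""


def site_of(url):
    """Lower-cased hostname without a leading 'www.' (a simple approximation)."""
    host = (urlsplit(url).hostname or url).lower()
    return host[4:] if host.startswith("www.") else host


def find_reuse(export_text):
    """Return the groups of sites that share one password, largest group first."""
    key = secrets.token_bytes(32)  # per-run key: digests are useless afterwards
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        password = row.get("password") or ""
        if not password:  # passkey or SSO entries have nothing to compare
            continue
        # Compare keyed digests so plaintext passwords are not kept as dict keys.
        digest = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[digest].add(site_of(row["url"]))
    # Two entries for the same site are not reuse; keep groups of 2+ sites.
    reused = [sorted(sites) for sites in groups.values() if len(sites) > 1]
    return sorted(reused, key=lambda g: (-len(g), g))


if __name__ == "__main__":
    for sites in find_reuse(SAMPLE_EXPORT):
        print(f"one leaked password unlocks {len(sites)} sites: {', '.join(sites)}")
```

Each group it reports is a set of accounts that should get new, unique passwords, starting with the largest group.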

What you can also do now is use a password manager, even if you have to pay for a good one, like 1Password (NOT sponsored). I use iOS so I just use my iPhone password manager. There are many good ones out there, and it would be worth the subscription cost if you have to pay for a premium one. If you use one, please comment your recommendation below.


Ultimately, the biggest risk (or at least one of the biggest risks) in the world today is cybersecurity. Information is more valuable than oil, and personal information, i.e. personal data, is the most valuable form of information because in the wrong hands it can make some criminals rich and cause some serious harm.

Thanks for reading, share this post with your loved ones so they can stay safe and stay informed!

By Erick
