Here’s how you can find out if your credentials have been leaked online
- This is a 104 GB file containing email addresses and passwords.
- The Pwned Passwords platform allows users to check if they have been affected
We live in a digital world where we have numerous accounts. We are registered on email platforms, online stores, streaming services, mobile apps and many more. And over the years, we accumulate more and more usernames and passwords.
Although we often feel secure, there is a distinct possibility that some of our credentials will eventually be compromised. In general terms, this could be due to an incident on our end, as users, or one involving companies we trust.
Millions of passwords on the forum
Data leaks are an unfortunate reality. Over the years we have seen collections of millions of passwords in circulation, which prompted Google and Microsoft to add tools to check whether passwords stored in the browser have been compromised.
This week, a massive new collection of leaked data surfaced and is being distributed for free on forums frequented by cybercriminals. That’s 71 million email addresses and 100 million passwords stored in plain text.
The leak was discovered by Troy Hunt, a renowned cybersecurity analyst who many years ago created the Have I Been Pwned site to help identify data leaks. Hunt explains that he took a sample of the huge 104GB file to get some details about it.
After extensive testing, some of which involved victims, he concluded that the compilation contained real email addresses and passwords, although with one twist: it seemed to contain a lot of old passwords.
Hunt also found that 67% of the data was already included in Have I Been Pwned, but the remaining 33% was completely new. Either way, that’s millions of passwords that are available to cybercriminals, and in some scenarios this problem can become more complex.
While some services prompt users to change their passwords after a certain time, others do nothing about it. In this sense, it is likely that people whose passwords are many years old were affected. But this is not the only problem.
Password reuse also comes into play, a very common practice that attackers can take advantage of. Since email addresses were also exposed, a reused password exposed in a leak could open the door to breaching the security of other services.
As we speak, all the leaked passwords have been added to a service called Pwned Passwords, which allows users to check if they have been stolen. It’s an open source tool from the creators of Have I Been Pwned that promises to protect your privacy.
Pwned Passwords works on the same mechanics as Have I Been Pwned. It should be noted that although it is designed by well-known figures from the world of cybersecurity, and details of the project are publicly available, users should use this tool at their own risk.
Images: Mika Baumeister | Troy Hunt