A little more than a week ago, we saw perhaps the single largest data breach dump in history. This followed another massive data disclosure from the same group just a couple weeks prior. Dubbed “Collections 1-5”, together these data dumps represent literally billions of unique user email addresses and passwords. While many of the records appear to be from server breaches as much as 3-4 years old, if your information is part of this treasure trove, you need to change your password – especially if you were reusing that password on multiple sites!
Have You Been Pwned?
Thankfully, there’s a wonderful and free online tool that will allow you to check this: Have I Been Pwned (haveibeenpwned.com). The term “pwned” (rhymes with “owned”) is used by hackers and video gamers to mean that they have conquered, hacked or otherwise subjugated someone. So if your online account credentials have been leaked, you’ve been pwned!
Now you might be thinking: why would I enter my email addresses, much less my passwords, on this website? It’s a perfectly valid question. You are definitely putting your trust in the site not to abuse the email addresses or somehow try to use the passwords. But I’ve actually interviewed the site owner, Troy Hunt, and I know that his only goal here is awareness. He won’t email you unless you explicitly sign up for future notifications. You can even opt out of showing your information on his site, if you wish. And the passwords are only compared against the ones he’s obtained. I’ve used the site myself and I’m not at all worried.
It’s Time to Stop Reusing Passwords
The real take-away here is that you can’t keep reusing passwords on multiple websites and accounts. When Site A is breached (say Yahoo.com) that site will probably ask you to reset your password. But if you used that same password on Sites B, C and D and you don’t change those passwords, then they’re completely vulnerable.
The solution is to use a password manager, like LastPass or 1Password. These tools will help you generate and store crazy, long, unique passwords that will be impossible for hackers to guess. You won’t have to remember them. When you visit the website, the password manager will auto-fill your credentials.
You should also be using two-factor authentication wherever you can. This requires you to have your cell phone with you when you first log into a website. The point is that bad guys won’t have your cell phone so if they manage to guess your password (or bypass the check), they still can’t get in.