What to do when your username and password are leaked
In mid-January, security researcher Troy Hunt published the details of a data breach he referred to as “Collection #1” – a set of nearly 2.7 billion email address and password pairs. The collection is made up of different data breaches from thousands of sources, and even after eliminating duplicates there were still over 1.1 billion unique combinations of email addresses and passwords.
There were nearly 773 million unique email addresses in the collection, and over 21 million unique passwords after stripping those that were still in hashed form, contained control characters, or were fragments of SQL statements.
Hunt added these email addresses and passwords to his Have I Been Pwned? and Pwned Passwords services, allowing people to check if their credentials were compromised. It should be noted that Hunt stores the email addresses and passwords in unlinked data sets. It is not possible to match a leaked password with its connected email address.
What to do when your credentials leak
If you have been online for any length of time, chances are that your account details from a service have been compromised and leaked online. Among the sites listed on Have I Been Pwned? are data breaches or leaks from LinkedIn, Adobe, Kickstarter, League of Legends, Dropbox, and Disqus.
Not all breaches are equal, however, and in some cases attackers may have got hold of “plain text” passwords, while in other instances passwords may be obscured using a technique called hashing. Whether your leaked password was hashed or not, you should immediately change your password if your data is leaked. If the passwords were leaked in plain text, it just makes it all the more urgent for you to change your password.
If the service hit by the breach sends out a security advisory, also implement the recommended actions they advise you take. If you used the compromised password on more than one website, you should change your passwords on those services too. Take the opportunity to create unique passwords for each site.
Preparing for the inevitable leak
You don’t need to wait for one of your accounts to be compromised in a leak or breach before taking action to better secure your online presence, though.
Good precautionary measures you can take are:
Use unique passwords. Stop reusing passwords for your online accounts.
Use strong passwords. Change passwords that are too short and don’t include a variety of different characters.
Adopt a password manager. This helps you store unique passwords for all your online accounts in a secure way, allowing you to only remember one master password.
Enable two-factor authentication. Similar to the one-time PIN or app-based authentication South African banks use, this helps secure your accounts in the event that your username and password are compromised.