It’s time to talk passwords, again. It’s only been a week or two since World Password Day. With the discovery of a data breach mother lode, it was great timing. Congratulations on updating your password. Great job on doing that thing. High five!
Wait, you did update your passwords, didn’t you?
Oh, you’re too busy at work? Yeah, I suppose it is time-consuming, and there are better things to do online. And you’re probably right, this kind of thing only happens to other people.
Except it doesn’t just happen to other people. There’s a good chance your password has been breached already, and your unchanged passwords could still be out in the wild, ready to be bought by anyone who wants to ruin your day.
I know this doesn’t just happen to other people, because it happened to me. I’d forgotten to update my password on a website which I don’t regularly use. For the sake of my privacy, let’s call this website GlinkedGin. My memory is too full of song lyrics and useless facts to store another new password, so I used that old password on yet another website. It seemed like a flawless plan, and it didn’t work at all, and my account was breached.
A mega-database of personal data
Previously, if you’d heard about a data breach on any website you’d be quick to change that single password. But these separate breaches are being now collated. The most recent discovery, just this week, is a database of 243.6 million unique email address and password combinations. This gigantic public database was discovered during a security audit by Kromtech Security Center. To put that into perspective, that’s terabytes of personal data ready for the taking.
The personal information inside is a ‘combo’, a combination of personal info from previous breaches (remember the LinkedIn breach and the Tumblr breach?) and, as reported by the owner of the very useful Have I Been Pwned Troy Hunt, lots of new login details to boot.
How much is your data selling for?
Your email address and potentially more than one of your passwords exists on the same database, for anyone to buy and use. Troy reports in his blog that you can buy 210,000 login details for the price of a pair of trainers, a measly £54 ($70). With some quick maths, that’s your password sold for £0.0002. Even if you’ve got two passwords and regularly change them, a cybercriminal could now get hold of both (or more) of your passwords from different breaches for less than a penny, and attempt to login to all your accounts with them which doubles/triples, or even quadruples their chances.
How can I protect myself?
Update all your passwords! It’s that simple. There’s no doubt that these databases will continue to be combined, building a more detailed profile of you and your password habits. With a tinfoil hat on, I’d even cautiously predict that it won’t be long until these cyber-criminals could use machine-learning to work out your password creation method, if you’ve got one; adding the first letter of each website to your password for example.
Your personal details are becoming a currency of their own, and you should think about your personal information the same way you’d look after your finances – by assuming that if someone could steal it from you anonymously, they probably would.
You can see if your email exists on this newly discovered list by checking Have I Been Pwned. Even if you’re clear for now, it’s still a good idea to use a password manager and update all your passwords –that means all passwords, even for accounts you rarely use.
Find out more about UKFast is defending you and your business from cybercrime with our Security Solutions.