Password leaks have become a common part of the news cycle. In 2021, a list of 8.4 billion passwords was compiled from previous breaches and released. The rate of data breaches is only expected to climb, and average users who do not manage their passwords correctly are the most vulnerable.
If you find yourself a victim of the latest hacked dataset, read onwards. Here are the most frequently asked questions about password leaks and data breaches.
What does it mean when my account is part of a password leak?
When your account is part of a password leak, it means there was an incident where users’ logins were retrieved in bulk without authorization. Generally, this is due to poor system configuration. Threat actors will sell the dataset on the dark web or post the password entries online in plain text.
Unlike a data breach, a password leak involves no attack. The distinction between the two events is slight, but the result, exposure of users’ personal information, is the same.
You should be concerned if your account was a part of a password leak and you:
- Use the same password across multiple websites or services
- Do not use two-factor or multi-factor authentication
- Have a lot of your digital life and information stored online
|I have a complete guide to overhauling your password practices.|
How does a hacker know my password?
When a breach or password leak happens, the data is compiled into a refined list. Cybercriminals use bots to test the username and password combinations to determine if any can be used to log onto online accounts like email, social networks, or banking sites. This is called credential stuffing.
Similarly, suppose a person knows your email address. In that case, they can use a “password spraying” method to test simple unsafe passwords such as “12345” to check if they work with that email address. Bots can also run these tests, and if a match is found, a hacker can use the details to take over your account. While this brute force method of testing passwords is slow, it highlights the need to not reuse passwords across multiple online accounts.
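Both techniques leave a signature in authentication logs: one source failing against many different accounts, followed by a success. The detector below is an added example written for this article, not code from any product; the log format is a constructed assumption, and single-account brute force (many failures against one user) is deliberately out of scope.

```python
import re
from collections import defaultdict

# Constructed sample auth log: "<timestamp> <source-ip> <username> <FAIL|OK>".
# The format is an assumption for this example, not any real product's log.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.5 alice FAIL
2024-03-01T10:00:02Z 203.0.113.5 bob FAIL
2024-03-01T10:00:03Z 203.0.113.5 carol FAIL
2024-03-01T10:00:04Z 203.0.113.5 dave FAIL
2024-03-01T10:00:05Z 203.0.113.5 erin FAIL
2024-03-01T10:00:06Z 203.0.113.5 frank OK
garbage line that should be skipped
2024-03-01T10:05:00Z 198.51.100.7 alice FAIL
2024-03-01T10:05:09Z 198.51.100.7 alice OK
2024-03-01T10:06:00Z 192.0.2.10 grace OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse_events(text):
    """Yield (timestamp, src, user, ok) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            yield ts, src, user, result == "OK"


def analyze(text, min_accounts=5):
    """Flag sources that fail against at least `min_accounts` distinct
    usernames (the stuffing/spraying signature: the attacker cycles accounts,
    not passwords for one account) and record any login such a source later
    succeeds at, which is a likely account takeover worth a forced reset.
    A production detector would also bucket events by time window."""
    failed_users = defaultdict(set)   # src -> usernames that got a FAIL
    takeovers = []                    # (src, user) successes after the flag
    for ts, src, user, ok in parse_events(text):
        if not ok:
            failed_users[src].add(user)
        elif len(failed_users[src]) >= min_accounts:
            takeovers.append((src, user))
    suspects = {s for s, u in failed_users.items() if len(u) >= min_accounts}
    return suspects, takeovers


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```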
Other methods hackers use to discover passwords include:
- Phishing emails: This is where an email with a malicious link is planted and takes you to a spoofed website before tricking you into sharing your credentials.
- Credential stuffing: A hacker uses programs to bombard login systems with many combinations of exposed usernames and passwords until a match is found.
- WiFi man-in-the-middle: With simple applications, cybercriminals can easily monitor devices accessing public WiFi, collecting passwords and account data.
- Keylogging: A keylogger is software (or sometimes hardware) installed on a computer or mobile phone and secretly monitors your keyboard activity, sending your keystrokes to an attacker.
- Local discovery: Writing down your credentials and leaving them out in the open is another way of inviting hackers.
- Shoulder surfing: An attacker watches your computer operation, looking for credentials and passwords you enter.
How can I check if my password was leaked?
To determine if your password was leaked in a breach, use a service like Have I Been Pwned. This type of service compiles various data breaches, allowing users to check if their data was included in the leak. Users can also set up alerts to monitor news stories for new mentions of data breaches.
Definition: Pwned is a deliberate misspelling of owned, coined by video gamers to mean totally defeated or hacked.
Other options include Avast’s Hack Check, which scans and shares red flags from different databases of breached data, and F-Secure’s Identity Theft Checker, which checks if your email was captured by any data breach.
I also use Google Alerts to monitor and notify me of any new data breaches or password leak news stories.
Is the Have I Been Pwned (HIBP) website safe to use?
Have I Been Pwned is safe to use. This service is an effective and free-of-charge way to check if your passwords have been leaked in a data breach. Troy Hunt, the website’s author, is a highly respected security researcher and cybersecurity expert.
He created the website in response to the Adobe hack in 2013, in which more than 35 million accounts were compromised. Users may search for their email address across a growing list of hacked login credentials. The service only reports whether an address appears in its records and which data breach it was found in. Visitor email queries are never stored or recorded anywhere.
I also noticed that data breaches categorized as sensitive do not show up in public searches; it is only possible to view the result after verifying your email address. Similarly, domain owners must prove they control the domain in question before searching for breaches through the domain search feature.
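The same privacy idea applies to checking a password rather than an email: Have I Been Pwned’s Pwned Passwords service uses a k-anonymity range lookup, where the client sends only the first five hex characters of the password’s SHA-1 and matches the remaining 35 locally against the returned list. The client logic below is an added example, not the service’s own code; the range response is constructed (including its count) so the block runs offline, and only the well-known SHA-1 of the string "password" is real.

```python
import hashlib

# Real endpoint: GET this URL with the 5-char uppercase hex prefix appended.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed range response for prefix 5BAA6 ("SUFFIX:COUNT" per line).
# The first two suffixes and all counts are made up for this example.
FAKE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
"""


def split_sha1(password):
    """Return (prefix, suffix): first 5 and remaining 35 uppercase hex chars
    of SHA-1(password). Only the prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, body):
    """Scan a range response for our suffix; return its breach count or 0.
    Malformed lines are skipped rather than trusted."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0
    return 0


def check_password(password, fetch_range):
    """fetch_range(prefix) -> response body. Returns how many times the
    password appeared in the corpus (0 means not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


def offline_fetch(prefix):
    """Stand-in for an HTTP GET of PWNED_RANGE_URL + prefix."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def http_fetch(prefix):
    """Live lookup (not called in this example)."""
    import urllib.request
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix) as resp:
        return resp.read().decode("utf-8")
```

Swap `offline_fetch` for `http_fetch` to query the live service; a non-zero count means the password should be retired everywhere it was used.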
How can I secure my passwords?
To secure your passwords, use a password manager, do not reuse a password across services, and do not use weak passwords that are easy to guess. Enable two-factor authentication when available and do not share passwords. These steps will better protect you when a company you have an account with suffers a password leak.
User passwords are an ancient form of authentication. They’re inconvenient, generally weak, and not understood by most people. Sadly, there’s still a default reliance on passwords while the information security industry tests other security paradigms to secure sensitive data and account details.
It’s essential to use a password manager that is open-source and follows good coding and development practices. Most password vault apps will also take the hassle out of coming up with new strong passwords. The tools automatically create a properly randomized value, drawing on several character sets, and provide a one-click way to copy and paste the secure value into an online account.
|In case you’re wondering, I explored password generators and their safety in an earlier article.|
What is the most trusted password manager?
Bitwarden is one of the most trusted password managers available. This free and open-source software password vault is user-friendly and makes proper password management easy. It has features you would expect in a market-leading brand. It can create, store, and fill in passwords on all your devices.
Bitwarden has a free plan that includes two-factor authentication, syncing across multiple devices, secure card storage, and offline password storage.
I subscribe to the software’s Individual Premium plan for $10 per year to help support this project’s continued success. This paid tier also includes 1GB of encrypted file storage, making it easy to share sensitive documents via an expiring link.
I’ve also used and trusted KeePass, an offline password manager where users can take charge of how they choose to handle their vault file. The user interface is a bit dated. KeePassXC has a more modern user experience, along with a tighter security model and less reliance on third-party components.
Honestly, use any manager that you feel comfortable weaving into online habits. This is crucial to avoid being caught in the next password breach.
What are some of the laws regarding internet and data security?
Laws regarding internet and data security vary between countries and at the state or provincial level. Early computer and electronic communication regulations are now being revised and amended to cover modern technology and internet use.
Here are the notable laws around the privacy and security of online data:
- Electronic Communications Privacy Act (ECPA) [1986, United States]
- Computer Fraud And Abuse Act (CFAA) [1986, United States]
- Datenschutzgesetz (DSG) [1992, revised 2020, Switzerland]
- Children’s Online Privacy Protection Act (COPPA) [1998, United States]
- Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP) [2010, Mexico]
- Personal Information Protection Act [2011, South Korea]
- General Data Protection Regulation (GDPR) [2016, European Union]
- Act on Protection of Personal Information [2017, Japan]
- California Consumer Privacy Act (CCPA) [2018, California, United States]
- Personal Data Protection Act (PDPA) [2019, Thailand]
- Personal Data Protection Bill (PDPB) [2019 tabled, India]
- Protection of Personal Information Act (POPIA) [2020, South Africa]
- California Privacy Rights Act (CPRA) [2020, amends CCPA, California, United States]
- Lei Geral de Proteção de Dados Pessoais (LGPD) [2020, Brazil]
- Digital Charter Implementation Act (DIA) [2020 draft, Canada]
- Personal Information Protection Law (PIPL) [2021, China]