Check whether your email and password accounts have been stolen

Almost every week or, to be optimistic, every month, there is news of hackers who managed to steal the access credentials of an important site.
The latest case, from the last few days, is the biggest data theft ever spread online: 773 million emails and 21 million hacked passwords (the difference is due to the fact that many people use the same password), published and made available to anyone who wants to try them on various web or bank accounts.
This means that if the email address we use to access Facebook, Google or the online bank is included in this huge list and we have not changed the password recently, anyone can try it and easily steal our account.
As usual, the recommendation is to immediately change the password of any account that may have been compromised.
But the problem doesn't end so easily.
The point with these password thefts is this: if I have a LinkedIn account that has ended up in these lists, which circulate on the deep web or are offered for sale by hackers, and for that account I used an email address and a password that I also use for other accounts such as Google, Facebook, Microsoft or others, then those accounts are also at high risk and their passwords must be changed too.
We talked about these dynamics in a specific article explaining simply "how passwords are stolen on the internet".
As explained by the person who discovered this list of stolen emails and passwords, Troy Hunt, who runs the Have I Been Pwned site, malicious people around the world, hackers or even the merely curious, can download these lists containing our email addresses and passwords and try to see where they work.
The success of this approach is based on the fact that people reuse the same credentials across multiple services.
By coincidence, just last week I wrote about credential-filling attacks and how they led many people to believe that Spotify had suffered a data breach. In that post I incorporated a short video that shows how easily these attacks are automated and I want to include it again here:
To avoid nasty surprises and not fall victim to password theft through compromised sites or databases made public on the internet, there are two strategies:
- Choose strong passwords that cannot be guessed, using mental tricks that help us remember them (for example by combining the initials of a sentence), and use a different password for each website or account.
- Use an automatic password manager, i.e. a program that generates a random password for each web account, so that the only password to remember is the master one.
To check whether your email address has ended up in a list of accounts with logins and passwords stolen by hackers, there are three free online services that have cataloged data thefts past and present, allowing everyone to check both email and password.
Haveibeenpwned.com, the site that discovered the biggest stolen email list ever, is one of them and it's really easy to use.
On the main page you can immediately check your email addresses and see whether they appear in the published lists, where anyone can use them for spam or hacking attempts.
For example, in my test it turned out that the email address I use most to register on websites is present in several of these lists, including the one called Collection #1, the one combining emails and passwords that was discovered in these days of January 2019.
It has also been published in other lists, including the ones extracted from LinkedIn in 2016, from Tumblr in 2016, from MySpace in 2008 (then published in 2016) and several others.
This means that every account where I use that email address with a password unchanged for a few years (or a few months) is at risk of being stolen.
I am therefore forced, for all the sites (let's say the important ones) where I am registered with that email address and where I have never changed my password after the date indicated by Haveibeenpwned, to change my password in order to feel safe.
Speaking of passwords, however, not just any password will do.
In addition to choosing one that is difficult to discover, it is also necessary to use one that does not appear in the stolen lists published online.
On Haveibeenpwned.com, click Password at the top to check your password and see whether it has been discovered and has therefore become useless.
Another site where you can run the same kind of check for breached accounts, by entering the email address or even the login username, is breachalarm.com.
Like Haveibeenpwned, it has lists of accounts stolen in the various cyber attacks of the past years in its database and can tell us if it has found our address.
Firefox Monitor is a similar service provided by Mozilla, which tells us if the email address used to log in to one or more web accounts has been involved in data theft and thus becomes at risk of being compromised.
Account checking can also be automated with the Windows 10 app Hacked.
