The emails and passwords of 773 million people have been put up for grabs on the internet. Get the details on how to check if your info has been released and how to protect your website and other online accounts.
About the Data Breach
Microsoft regional director Troy Hunt originally broke the story on Jan 17, 2019.
Because the name of the file with the info is titled Collection #1, that is what he has dubbed the breach.
It is a massive collection of multiple smaller breaches from several hacker sources.
Hunt was alerted to a large file on the popular MEGA cloud storage service containing 87GB of data across 12,000 different files.
Word quickly spread across hacker forums that the data was available for download. It is unknown how many downloads took place before the files were removed.
Hunt discovered that one of his own email/password combos was correctly listed in the file. That is despite his password having been stored “hashed” (a one-way transformation, not reversible the way encryption is), which shows that hashed passwords can still be cracked and leaked in plain text.
The MalwareBytes site reports that much of the leaked data is at least 2 years old.
But, since so many folks rarely update their passwords, much of the data is still useful to hackers.
Check if Your Data Was Listed
Hunt is also the driving force behind the “Have I Been Pwned?” (HIBP) site and free service that alerts folks if their data has been shared in such data breaches.
Of the 2.2 million folks already registered with that service, 768,000 of them were listed in the Collection #1 files.
Check Your Emails
Before you do this check, don’t be shocked if every email address you enter has been pwned.
Go to https://haveibeenpwned.com/ and check every email address you use for online accounts to see if it is listed by the service.
Check Your Passwords
The pwned email database does not list any passwords in conjunction with the emails.
To check any past or current passwords you’ve used, go to https://haveibeenpwned.com/Passwords.
If you see any current ones listed, keep in mind that it may not be from this current Collection #1 breach. It could have been from a separate, previous leak. But, that still means that the associated account may be at risk for being hacked or otherwise compromised.
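The Passwords page above never receives your actual password: the browser hashes it with SHA-1 and sends only the first five hex characters of the hash to HIBP, which returns every known hash suffix in that range along with its breach count, and the match is made locally. The script below, an added example that is not code from the original post or from HIBP, performs that same k-anonymity check. It assumes the real HIBP range endpoint (https://api.pwnedpasswords.com/range/) for the optional online lookup, and the sample range response embedded in it is constructed so the check also runs offline.

```python
import hashlib
import urllib.request

# Real HIBP k-anonymity endpoint; only a 5-character hash prefix is ever sent to it.
PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what a range response looks like: "SUFFIX:COUNT" lines.
# The first suffix is the real SHA-1 tail of the string "password"; the other
# suffixes and all counts are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0A1B2C3D4E5F60718293A4B5C6D7E8F9011:2
FFEEDDCCBBAA99887766554433221100AAB:17
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 and split the hex digest into the
    5-char prefix that is sent to the service and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, range_text: str) -> int:
    """Number of times the password appears in breaches according to the
    given range response (0 means the suffix was not in the range)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Online lookup: fetch the suffix list for a 5-char prefix from HIBP."""
    req = urllib.request.Request(
        PWNED_RANGE_API + prefix,
        headers={"User-Agent": "collection1-article-example"},  # hypothetical agent string
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full k-anonymity check against the live service; the password itself
    never leaves this machine, only the hash prefix does."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for candidate in ("password", "correct-horse-battery-staple-2019"):
        n = breach_count(candidate, SAMPLE_RANGE_5BAA6)
        print(f"{candidate!r}: seen {n} time(s) in the sample range")
```

A non-zero count means the password is in the public breach corpus and should be treated as burned, regardless of which leak it came from; this matches the advice above that a hit may predate Collection #1 and still puts the account at risk.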
How to Protect Your Online Accounts
Your online security starts with you!!!!
Take these steps to make all of your online accounts more secure.
Use super strong passwords.
Strong Random Passwords is my favorite site to help create a unique password. Set it to 16 characters and check all the boxes to add as much gobbledygook as you can, especially special characters.
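If you would rather generate passwords yourself, the following is an added example (not code from the original post or from the Strong Random Passwords site) of what that generator is doing under the hood: it draws 16 characters from a cryptographically secure random source and rejects any draw that is missing one of the character classes. The special-character set is an assumption chosen for this example.

```python
import secrets
import string

# Character classes the generated password must cover. The special-character
# set is an assumption for this example; adjust it to what a site accepts.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def missing_classes(password: str) -> list[str]:
    """Names of the character classes that do not appear in the password."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def generate_password(length: int = 16) -> str:
    """Generate a random password of the given length that contains at least
    one character from every class, using the OS CSPRNG via `secrets`.
    Rejection sampling keeps each accepted password uniformly random among
    all strings that satisfy the class requirement."""
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)}")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


if __name__ == "__main__":
    for _ in range(3):
        print(generate_password(16))
```

Generating one fresh password per account in this way is what makes the “never use the same password twice” rule practical; the password manager, not your memory, keeps track of which one belongs where.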
Never use the same password twice.
All it takes is one data breach on one account and hackers can access every other account you have with the same info. Create a unique password for every single account, no exceptions.
Use a Password Manager
Forget trying to make passwords that are easy to remember. They are easy to hack too!!!
LastPass is the #1 password manager. It remembers each password and the account it is associated with. It’s free to use on one device and $2/mo to use on multiple devices.
Rotate Your Passwords Annually
All of them. That includes every online account you have ever signed up for.
I have over 100 accounts and I rotate 5-10 at a sitting. Takes me less than 15 minutes a pop.
I also have a protected spreadsheet in a digital vault with a list of all of my online accounts. (No passwords are on that sheet.)
Every time I create a new account it gets put on that sheet right that minute.
Start your sheet as you update your passwords. That will save you a lot of time next year.
Never send account info in open email
Google Docs is a great way to share account info with support folks. You have complete control over who can see the info, and you can send the link to the doc in emails. As long as sharing is restricted to specific accounts rather than “anyone with the link,” even if a man-in-the-middle attack is spying on the data as it travels across the internet, and even if they get the link, they still can’t access the doc.
Change Password After Support Access
If you ever need to share your account with tech support, be sure to change that password after they have finished. You have no idea what they do with those tickets or emails later, or if they are at all secured.
Limit Access on Apps
Check your social media accounts, especially Facebook, for any apps that may have access to your account. Delete as many as you can. And seriously consider whether you really need any of the others.
Limit Logins from Profiles
Yeah, it may be convenient to use your Facebook or Twitter login to access other sites, but now you’ve put both of them at risk. It’s just as easy to use your email or username and let LastPass handle the password part of the login.
Close Online Accounts
If you no longer use it, close it.
Now, that’s no guarantee that they will wipe their system of your info, but you can ask them to before you close the account.
Get Your Whole Site Secured
Site security and performance go hand-in-hand.
Bots are ALWAYS trying to break into sites to steal emails.
Little, unprotected sites are their favorite prey.
And, those can turn into a back door to a whole shared hosting server and then they can attack everyone from within.
Plus, all of those bad bots are chewing up the hosting resources you should be reserving for humans.
That makes your site slow, meaning you lose visitors. It can also cost you more money for extra hosting.
A site audit is THE best way to see everything that is hitting your site (and no, Google Analytics won’t show you the bots).
On average, I find 26 security and performance holes that no plugin scanner finds.
Get those holes plugged!!! Get your site faster!! And make, and save more money.