Millions of account usernames and passwords were leaked in the past month. What are the chances yours were in the list?
The news has been littered with data leaks from some household names – LinkedIn, MySpace, Twitter, to name a few. Apparently, the seller by the name “peace_of_mind” is low on funds and selling these large troves of data that were compiled years ago.
Here’s a quick synopsis of each data leak:
The story is that LinkedIn was hacked in June 2012. The data being sold includes information for 165 million accounts. In response, LinkedIn is resetting all passwords that haven’t been changed since 2012.
LinkedIn was using SHA-1 to hash the passwords. In other words, they were relying on a hash function that has been known to be weak for over a decade.
The bundle of data from the LinkedIn breach is selling for 2 bitcoin ($1,100) on the dark web.
The fun game of “Guess that Password” shows us that the top three passwords obtained in the data dump were “123456”, “linkedin”, and “password”.
When was the last time you thought about MySpace? That was so 10 years ago… literally.
The MySpace data dump involves the information for a whopping 360 million accounts, and is being touted by some as the largest data breach of all time.
Accounts created on MySpace’s old platform, prior to July 2013, were compromised. The early indication is the breach occurred in late 2008 or early 2009.
Passwords on MySpace’s old platform were also hashed with SHA-1, reflecting the poor security practices of the time.
The trove of information from the MySpace breach is selling for 6 bitcoin ($3,200) on the dark web.
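The following is an added example, not code from the original post or from either company: it contrasts the plain SHA-1 storage described for LinkedIn and MySpace above with a salted, iterated hash (PBKDF2-HMAC-SHA256, an assumed replacement), using a constructed password list whose most common entries mirror the page’s top three. It shows why a table of unsalted hashes exposes the most common passwords by frequency alone, and why salting removes that signal while verification still works.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample of plaintext passwords (not real breach data); the
# repeats mirror the "123456", "linkedin", "password" ranking from the post.
SAMPLE_PASSWORDS = ["123456", "123456", "123456", "linkedin", "linkedin",
                    "password", "Tr0ub4dor&3"]


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1, the scheme the post attributes to LinkedIn and MySpace.
    Deterministic: every user with the same password gets the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed replacement scheme).
    Stored as salt$rounds$digest so each field can be recovered on verify."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${rounds}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare."""
    salt_hex, rounds, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def distinct_hashes(hash_fn, passwords) -> int:
    """Number of distinct stored values a password table produces under hash_fn."""
    return len({hash_fn(p) for p in passwords})


def largest_cluster(hash_fn, passwords) -> int:
    """Size of the biggest group of identical stored values. With unsalted
    SHA-1 this equals the count of the most common password, which is how a
    dump reveals its top passwords without any cracking; with per-user
    salts every entry is unique and the cluster size is 1."""
    return Counter(hash_fn(p) for p in passwords).most_common(1)[0][1]
```

Run with the constructed list, `largest_cluster(legacy_sha1, ...)` returns 3 (the three "123456" users share one digest) while the salted scheme returns 1.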
The Twitter incident is the most recent to take over the headlines. Apparently, a database of 33 million accounts is being sold for 10 bitcoin ($6,000).
This case is a little different, as it doesn’t look like Twitter itself is the cause of the incident. Experts are pointing to the users as the victims: starting at the beginning of last year, browsers infected with malware sent the login credentials to the hackers as users entered them on the Twitter site.
These are all part of a recent pattern of large breaches from several years ago being uncovered. The breaches all seem to be from an era where security measures – especially with stored passwords – were not as strong.
The common response is “Why would old login information be valuable? I haven’t even logged into MySpace in 10 years. Let hackers have that account.”
The value of the information being sold lies in account takeover elsewhere – i.e. email accounts, bank accounts, etc. Many people reuse the same login information across multiple sites, so the data from these breaches could give access to those more sensitive accounts.
The number of people who haven’t updated their passwords since these breaches several years ago, or who still use the same passwords for their email accounts, is probably pretty high. Others, like Facebook, Netflix, and Reddit, are taking a proactive approach and resetting passwords to mitigate the risk of users’ accounts being hacked.
The safe strategy is to just change passwords for any accounts you don’t want hacked. And if you haven’t changed your password since these hacks years ago – shame on you. Stop reading and go change your password.
The other best practice to note is don’t use the same password across multiple accounts. We know this gets harped on a lot, but when users complain about their accounts being hacked, it needs to be repeated.
Note: Spammers will probably be keen on the volume of email addresses released in these data breaches. If you’re still using the same email address from several years ago, you might see an uptick in the emails sitting in your spam or junk folder.