1.3 billion leaked passwords exposed online in massive new collection — what to do now and how to check your passwords
A mix of old and new stolen data is now searchable online
If you haven’t checked to see if your credentials have been stolen by hackers, you absolutely should as 1.3 billion unique passwords along with 2 billion unique email addresses have been exposed online.
No, this isn’t another data breach where a major company or retailer’s systems were infiltrated by hackers. Instead, the threat intelligence firm Synthient scoured both the open and dark web looking for leaked email addresses and passwords. If the company’s name sounds familiar, it’s because they recently came across 183 million leaked email accounts.
The bulk of this data consists of credential stuffing lists which typically contain logins aggregated from past data breaches where email addresses and passwords were exposed. These collections of stolen credentials are then sold to other cybercriminals to use in their own attacks.
This time though, Synthient aggregated all 2 billion emails and 1.3 billion passwords and with the help of Troy Hunt and Have I Been Pwned, you can now search through them all to see if your personal data was exposed online. Here’s everything you need to know including how to check to see if any of your passwords are compromised.
From the dark web to Pwned Passwords
This enormous trove of stolen data was compiled by Synthient founder Benjamin Brundage, who scoured countless locations on the open and dark web where cybercriminals typically circulate leaked credentials. The data itself is a mix of old credentials from past breaches and newer logins stolen by widespread info-stealing malware that captures user data directly from infected PCs. As Troy Hunt points out in a blog post, the two then worked together, with Brundage providing the data and Hunt verifying it.
In order to verify this stolen data, Hunt started with one of his old email addresses that he knew had ended up on credential stuffing lists before. Unsurprisingly, that address and several passwords associated with it were contained within the trove of data provided by Synthient.
With his own data verified, Hunt then reached out to a handful of Have I Been Pwned subscribers to ask for their help doing the same thing. By picking a mix of subscribers whose data had been exposed briefly and some who had never been involved in a data breach before, he was able to determine that there was in fact new data in this collection and not just recycled email addresses and passwords.
Have I Been Pwned loads the exposed passwords it comes across into the separate Pwned Passwords service. Crucially, Pwned Passwords never stores or indexes the corresponding email addresses, ensuring your privacy and protecting against misuse of the database.
To check whether any of your current passwords have been stolen in a data breach or exposed online, head to the Pwned Passwords search page and enter them there. Have I Been Pwned uses an anonymity model to check them, which means the service doesn’t see them; instead of being processed in the cloud, the check is done right in your browser.
If one of your passwords does show up in Pwned Passwords, you should change it immediately as cybercriminals are in possession of it. While you can use one of the best password managers to generate a new, more secure password for you, there are also many free password generators online that can do the same thing. For instance, Bitwarden, LastPass and Proton Pass all offer free password generators in addition to their paid password managers.
How to keep your passwords safe from hackers
When it comes to preventing your passwords from falling into the wrong hands, the most important thing you can do is to avoid password reuse. You should never reuse the same password and email address across multiple sites or online services and the reason for this is simple: once hackers get their hands on a set of credentials, they will try to use them at other sites to gain access to your accounts. This is known as credential stuffing and given how many people still reuse passwords, it’s highly effective.
From there, you want to create strong, complex and unique passwords for all of your accounts. Using a password generator like the ones mentioned above or better yet, the one included in your password manager is the easiest way to do so.
Even the strongest password can be compromised in a data breach. This is why Two-Factor Authentication (2FA) is non-negotiable on every important account. By requiring a second verification method (like a code from an authenticator app or a physical key) in addition to your password, you ensure that even if a cybercriminal has your stolen login details, they cannot access your account.
Besides using strong and unique passwords, you must actively protect your devices from malware using the best antivirus software on PC, the best Mac antivirus software on your Apple computer and the best Android antivirus apps on your Android smartphone. This is crucial because hackers often rely on info-stealing malware (also known as infostealers) delivered via phishing attacks to directly siphon your passwords and sensitive information from your devices before you even log into a site.
If you want to ditch passwords altogether for even more secure logins, you may want to look into using passkeys instead. For those unfamiliar with them, passkeys are a new, highly secure way to log into your accounts that uses a pair of cryptographic keys instead of a string of letters, numbers and symbols. They can’t be guessed or reused and best of all, they’re completely resistant to phishing attacks.
Think of your passwords like the front door of your home. The stronger they are, the harder it will be for hackers to get in. Unfortunately though, even if you practice perfect cyber hygiene online, your passwords and other sensitive data can still end up in the hands of hackers as the result of a data breach. This is why I personally believe passkeys are the future and recommend using them wherever they are supported.
Although we often rush to change our passwords and secure our accounts after a scary security headline like this one, by staying on top of your digital life and taking proactive steps more frequently, you’ll be one step ahead of hackers.

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.
