Billions of usernames and passwords leaked online — what you should do right now


The usernames and passwords of billions of users have been exposed online after the digital risk protection company DarkBeam left an online database unprotected.

As reported by Cybernews, Bob Diachenko, CEO of the cybersecurity firm Security Discovery, first discovered the leak on September 18. The database has since been properly secured. Unfortunately, though, over 3.8 billion user records were accessible to anyone during the period in which the database was left exposed online.

It’s worth noting that all of the leaked email addresses and passwords in this database actually came from previous data breaches. Apparently, DarkBeam had been collecting this information to alert its customers in regards to future data breaches, though it’s highly likely that this leak affects non-customers as well.

As we’ve seen in the past with the recent TMX Finance data breach, these kinds of leaks are often the work of hackers. However, that doesn’t seem to be the case this time around. As Diachenko points out, data leaks like this one can occur as a result of human error, such as when an employee forgets to password-protect a large database containing sensitive information.

Since this leak contains usernames and passwords from both reported and unreported data breaches, there’s a chance that your login credentials may now be compromised, even if you’ve never heard of DarkBeam before.

Highlighting the dangers of password reuse


After analyzing the leaked data, Diachenko found a total of 16 collections named “email 0-9” and “email A-F”, each containing approximately 239,635,000 records.

With all of this data left exposed online — even for a short period — it’s likely that hackers downloaded it to use in future attacks. For instance, they could use the exposed email addresses in targeted phishing attacks. It’s more likely though that any cybercriminals with this data will try and use the usernames and passwords at a number of different sites to see if any of the victims reused the same passwords.

Password reuse is a big problem because if you use the same username and password for multiple accounts, hackers can use your stolen credentials to log in to your other accounts. This is why you want to create strong, complex passwords for all of your accounts.

While 3.8 billion credentials is a lot, the largest leaked password collection so far, dubbed RockYou, contained 8.4 billion passwords which were also likely obtained from previous leaks and data breaches.

In a statement sent to Tom's Guide, a Darkbeam spokesperson provided further insight on the leak and the kind of data which was exposed, saying:

"A third-party researcher notified us of a single unprotected instance containing a compilation of publicly available data collected by a Darkbeam researcher in 2020. We immediately closed access to this instance which contained research on previously discovered cyber breaches occurring between 2018 and 2019 and was created for the purpose of developing Darkbeam’s compromised accounts identification tool prior to the launch of our platform. No Darkbeam client information or data related to our systems was exposed and there is no evidence of unauthorized access except on September 19th by the researcher."

How to see if your credentials were leaked


Anytime there’s news of a big data leak like this one, it’s a good idea to check whether your own credentials have been compromised. There are several ways to do this: Cybernews has its own personal data leak checker, and you can also use Troy Hunt’s popular HaveIBeenPwned or Mozilla’s Firefox Monitor.

Any of the tools linked above will let you know if your credentials have been compromised so that you can go and manually change them. If you’re worried about this taking a lot of time, many of the best password managers can actually change your passwords automatically.

If your credentials are included in this latest data leak, you’re going to want to enable two-factor authentication (2FA) for your accounts if you haven’t already. Likewise, be on the lookout for suspicious emails and text messages from unknown senders. It’s also a good idea to use the best antivirus software on your PC, the best Mac antivirus software on your Mac and one of the best Android antivirus apps on your smartphone to avoid falling victim to any malware that suspicious emails may contain.

Unfortunately, data leaks like this one have just become a part of life. However, if you take the right precautions and react accordingly after one, you’re less likely to have your accounts taken over by hackers or to fall victim to identity theft, though the latter is more common when Social Security numbers and other highly sensitive personal information are exposed online.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.