The risks of unintended exposure, and the steps to take next.
It seems we hear about a data breach at one company or another every week.
Eventually, one of those breaches will contain your data. What do you do?
As with almost everything: it depends.
If You're Breached
- If only your email address is in a breach, there is nothing to change; just stay alert for spam and phishing aimed at that address.
- If your password is in a breach, especially if the passwords are not described as hashed, stop using that password anywhere and change all accounts previously using it to strong, unique passwords.
- Remember that the information collected across multiple breaches can facilitate identity theft and sophisticated phishing attempts. Always remain on guard.
What is a data breach?
A data breach happens when a company, small or large, allows some or all of its data to be accessed by someone who’s not supposed to see it, whether through an attack or a mistake. That someone makes a copy of the data, generally for malicious purposes.
The value to the attacker, and the risk to you, are both in the data: exactly what was accessed and copied? How you should respond depends on the answer.
We’ll look at the two specific pieces of data we care about the most: email addresses and passwords.
Email addresses in data breaches
Perhaps the single most common piece of information discovered in the widest variety of data breaches is your email address. The reason is simple: it’s your email address these companies use to communicate with you, and it’s often used when you sign in to an online service. Quite often, recovery or alternate email addresses are also included in a breach.
What should you do if your email address is in a breach?
Nothing.
More correctly, there are no actions you need to take other than continuing to be on guard for spam — and specifically, for phishing attempts.
Email addresses, while “private”, are almost a form of public information about you. We use them in so many different places that, even if we’re careful, it’s simply not reasonable to assume that our email address will remain forever secret. The mere fact that we all eventually get spam tells us that email addresses are almost guaranteed to fall into the hands of people we’d prefer didn’t have them.
Oh well.
The reality is that it will happen and has probably already happened. Discovering your email address in a data breach is little more than it having happened again — with one important exception I’ll discuss below.
Passwords in data breaches
There are two distinct scenarios that you need to watch for when you hear of a data breach, and the difference boils down to one word: hash.
If a data breach is described as containing “hashed” passwords, then your password has not necessarily been exposed. A hash is the technique services use (if they are doing security properly) to store something derived from your password without storing the password itself, so that they can check what you type at sign-in without being able to read your password back. A properly constructed hash cannot be reversed; the most an attacker can do with it is guess candidate passwords one at a time and see whether any of them hashes to the same value.
If a data breach is described as containing passwords without mention of the word hash, then if your information is in that breach, it’s likely your password has been exposed. This means you should:
- Change your password at that service immediately.
- Never use that password anywhere else again.
- If you had been using that password anywhere else, change all of those as well, making sure to choose a different password for each service.
Now, I had to get a little vague about “services doing security properly”, as well as it being “typically” not possible to recover a password from a hash.
It’s possible to implement hashes improperly. A fast, unsalted hash of a short or common password can be matched against precomputed tables in seconds, which amounts to recovering the password from its hash.1 Unfortunately, from the outside we usually can’t tell which services store passwords well.
The upshot? It’s safest to change your password if you hear of a breach that includes password information, hashed or not.
Everything else in data breaches
Data breaches often contain much more than just email addresses and passwords. They’ve been known to contain names, physical addresses, phone numbers, tax identification numbers, licensing information, and much, much more. Exactly what each contains varies from breach to breach.
There are two things that can happen with all this information:
- Identity theft. Depending on the amount of data collected — possibly across multiple breaches — it may be possible for hackers to gather enough information about you to be able to set up accounts in your name, run up huge bills, and leave you holding the bag. Take advantage of any identity-theft protection offered by the breached party, if they make it available, and consider setting it up yourself if they don’t.
- Phishing. One of the most common ways that breached information is used — especially your email address, as I alluded to above — is to craft highly targeted and legitimate-looking phishing emails. If, through the data harvested in one or more breaches, the hackers determine that you have account #123 at Some Random Bank using your email example@randomisp.com, then you’re very likely to get official-looking emails claiming to be from Some Random Bank that are not. Even if the messages include your account number, it’s very possible they could be fake.
Honestly, the only true solution for you and me is to remain skeptical and ever vigilant. Watch those emails for possible scams and phishing attempts. Keep an eye on your credit report and credit cards for suspicious activity, and report it the moment you see it.
Breaches for services you’ve never used
Your question mentioned that the breach was for a service you’ve never used or signed into, or perhaps even heard of.
This happens more often than you’d think, for a variety of reasons. The two most common:
- The breach happened at a parent company, or subsidiary, of a company you use.
- The breach happened at a company providing services to a company you use.
There may be other scenarios as well.
The important message here, though, is don’t discount breaches claiming your involvement, even if it’s a company you’ve never heard of. Read the details available, and you may find that you were indirectly involved and need to take action as described above.
More monitoring
One of the best ways to stay on top of new breaches is to subscribe to a service called Have I Been Pwned. Enter your email address, and the service will check to see if it appears in any previous breaches (chances are it will) and generate a report. Then it will email you a notification if your email address appears in any future breach. It’s generally more timely than waiting for some company to admit it’s been breached and notify its customers.
Another tool from the same source is Pwned Passwords. This site will tell you if a password you enter has ever appeared in a breach. If it has, stop using that password immediately. Yes, this does mean you’re entering your password into a third-party site. It is designed so that the password itself never leaves your browser: the page hashes it locally and sends only the first five characters of the hash, then checks the rest of the hash against the list the service returns for that prefix. Ultimately, you still need to trust them to use the service. I definitely do.
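The prefix-matching trick that lets Pwned Passwords check a password without ever receiving it, as an added example that is not part of the original article and not the service’s own code. It assumes the documented shape of the range API (a GET of the first five SHA-1 hex characters, answered with one `SUFFIX:COUNT` line per hash in that bucket); the breached passwords, their counts and the `fake_fetch_range` stand-in are constructed so the check runs offline, and `live_fetch_range` is the network version with the same interface.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# Real endpoint of the range API; the offline demo below never contacts it.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Split the SHA-1 into the 5-char prefix that is sent to the service
    and the 35-char suffix that never leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appeared in breaches, 0 if never.

    fetch_range(prefix) returns the body of GET /range/{prefix}: one
    'HASHSUFFIX:COUNT' line for every hash starting with that prefix. The
    server learns only the prefix, which is shared by hundreds of unrelated
    passwords, so it cannot tell which one was being checked."""
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count) if count else 1
    return 0


# ---- Constructed offline stand-in for the service: invented passwords and counts.
CONSTRUCTED_BREACHED: Dict[str, int] = {"password": 123456, "123456": 98765, "letmein": 4321}


def build_fake_buckets(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Group the constructed hashes by prefix, the way the service serves them."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        buckets[prefix].append(f"{suffix}:{count}")
    return buckets


FAKE_BUCKETS = build_fake_buckets(CONSTRUCTED_BREACHED)


def fake_fetch_range(prefix: str) -> str:
    # A real bucket holds several hundred suffixes; this constructed one is tiny.
    return "\n".join(FAKE_BUCKETS.get(prefix.upper(), []))


def live_fetch_range(prefix: str) -> str:
    """Network version for real use; same interface as fake_fetch_range."""
    from urllib.request import Request, urlopen

    req = Request(RANGE_URL.format(prefix=prefix), headers={"User-Agent": "breach-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "xK9#mRt2@vLp-example"):
        n = check_password(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not found'}")
```

Swap `fake_fetch_range` for `live_fetch_range` to query the real service; nothing else changes, and the only thing that crosses the network is the five-character prefix.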
Footnotes & References
1: Rainbow tables are precomputed tables that map hashes back to passwords, covering every possible password up to a certain length as well as passwords already discovered in earlier breaches. Just another reason it’s important to use a long password and a different password for every site.
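The difference between a hash that can simply be looked up and one that has to be guessed at, as an added example illustrating the discussion of hashed passwords above and footnote 1; it is not code from the original article. The wordlist, the user passwords and the two storage routines are constructed for the demonstration: `weak_store` is an unsalted fast hash, and `strong_store` uses a per-user random salt with PBKDF2-HMAC-SHA256 at 100,000 iterations as a stand-in for whatever slow, salted scheme a well-run service would use.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed stand-in for a cracking wordlist. A real rainbow table covers every
# short password rather than a handful, but the mechanism is the same:
# precompute hash -> password once, then look each stolen hash up.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]


# ---- How a badly built site stores passwords: one fast, unsalted hash.
# SHA-256 is a fine hash; the problem is that it is fast and there is no salt.
def weak_store(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Attacker's precomputation: hash every candidate once, index by hash."""
    return {weak_store(pw): pw for pw in wordlist}


def crack_weak(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Instant: the stolen hash is just a dictionary key."""
    return table.get(stored_hash)


# ---- How a site "doing security properly" stores them: per-user random salt
# plus a deliberately slow key-derivation function.
ITERATIONS = 100_000  # tuned so one check costs tens of milliseconds


def strong_store(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def strong_verify(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def crack_strong_with_table(digest: bytes, table: Dict[str, str]) -> Optional[str]:
    """The table was built without this user's salt, so it can never match."""
    return table.get(digest.hex())


def guess_strong(salt: bytes, digest: bytes, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """What the attacker is reduced to: redo the slow KDF per guess, per user.
    Returns (recovered password or None, number of KDF evaluations spent)."""
    spent = 0
    for pw in wordlist:
        spent += 1
        if strong_verify(pw, salt, digest):
            return pw, spent
    return None, spent


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("weak   :", crack_weak(weak_store("letmein"), table))         # letmein
    salt, digest = strong_store("letmein")
    print("salted :", crack_strong_with_table(digest, table))          # None
    print("guessed:", guess_strong(salt, digest, COMMON_PASSWORDS))    # ('letmein', 4)
    salt2, digest2 = strong_store("correct horse battery staple")
    print("long   :", guess_strong(salt2, digest2, COMMON_PASSWORDS))  # (None, 5)
```

Two users with the same password get different salted digests, so a table built once cannot be reused, and every guess costs the attacker a full KDF run per user. The salt does not rescue a password that is on the guess list, though: `guess_strong` still finds `letmein` after four tries. That is why the advice is both to use a long, unique password and to hope the service salts and slows its hashes.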
Another thing we did a little while ago was to click on “forgotten password” to test the security of sites we visit. If the resulting email told us our password rather than providing a link to change it ourselves, we deleted our account with that entity; thankfully, it appeared to be only minor sites that did not matter much to us. All the important accounts should, as Leo wrote, be hashed and the entity will not know your password, and they should just send a link to change it yourself. This is a simple way to check for yourself if they care about password security, because if they don’t and they get hacked, your email address or user ID and password will be out there.
I like the idea of clicking on “forgot password” to test the security of a website, however, as a database programmer I see this as a false sense of security for the User. The website could send you a link to change your password but there’s no guarantee the website does NOT store your password in plain text. If they DO store it in plain text, more often than not they will send you the actual password. Unfortunately, the website might want you to think their database is secure (when it is not) so they’ll send you a reset password link.
Agreed.
Thanks both for that info. So, I am okay with knowing who not to trust if they send me my password in an email, but is there any way I would be able to find out if a password is hashed on the ones who send me to the website to change the password?
There’s no way to know.
“It is typically not possible for a password to be recovered from a hash.”
“typically” is the key word. In the case of Rainbow Tables, a set of hashes is created from all possible password character combinations up to a certain number of characters by hackers. Your password hash is looked up in that table and if it’s found, it returns your password. This can be mitigated in two ways:
On the website’s side, they can add “salt” to the hash, which is adding their own unique string of characters to your password to make it longer and stronger. A good salted hash adds a different string for each user. It also works to keep out hackers who have your password from another breach as the real password on that site is your password plus their salt password.
On the user’s side, the user can use a longer password which is too long for the rainbow tables, as a rainbow table would be too large if it included every possible generated password. Nowadays, 14 to 20 characters is recommended, and as disk storage is getting larger and computers are getting more powerful, the possible number of characters in rainbow-table-catalogued passwords is growing larger too.
Can you tell me how I do a hash password as opposed to a normal one. I’m not all that tech savvy. Regards Kathy
It’s not something you do. It’s how the service stores your password.
Many sites that I visit and which require a password, from my perspective, provide no risk to my security when I use a simple and common password. The benefit of demanding a password, as I see it, is to the company owning the web site. However, with sensitive info on registered sites, such as banks and Government web sites, I use sophisticated passwords. In other words, my use of a simple password on a non-sensitive site that gets compromised cannot do me any harm. Am I being naive?
Why make such an exception? There is no benefit to it and it calls for having to make an arbitrarily subjective decision as to which site is sensitive or not. Being victimized by identity theft is not generally a matter of a one time massive hack and not because someone discovered one of your passwords. Identity theft is often a matter of collecting bits and pieces of information, with one leading to another, until your full identity can be duplicated. When you start making arbitrary exceptions you create security weaknesses.
I won’t say naive, but I will say that most people seriously underestimate the security risks even so-called “low risk” sites have. Exactly how that is varies, but in general it’s safest to treat ALL sites as requiring appropriate & strong security.
Adding to the existing replies, I will say that doing this is even more dangerous if you re-use a password from one site to the next. If site A is hacked and your password is “simple and common”, then the hacker can likely recover it even if it’s hashed. Then, he can try your email and password at well-known site B, and hack two accounts of yours instead of one.
You might think site B is not that important, but you might be mistaken. The hacker can also combine this information with data you yourself made public on social networks. Unimportant personal data + unimportant personal data might mean sensitive and compromising personal data.
AskLeo.com is my go-to source for safe computing practices but there are other prudent steps to reduce the threat of data or identity theft: Several years ago, after the huge Equifax data breach, I decided to take preemptive action and “lock” all three of my credit bureau reports. That almost eliminates the possibility of anyone using my personal info to take out a loan, open an account, etc., in my name. Any one of those can be temporarily unlocked for a short period (or even for a particular business), whenever there’s a legitimate need for my credit bureau file to be accessed. Since then I’ve also stopped using any debit cards, as they lack the customer safeguards that all credit cards have under Federal law. (Your liability for credit card fraud is essentially zero…only the issuing bank gets hit.) Of course email and phone scams will never end (earlier today a scam msg said I’d won $3.5M), so we must constantly be on guard. Technology is wonderful…except when it’s not.
Agreed Engineer.
There is a fourth credit reporting agency you might be interested in – Innovis
They are not part of the annualcreditreport deal, but reports can be ordered annually and a block can be put on it.
Everything we can do helps.
Because of a breach, I now have a free subscription to McAfee’s report. It’s comprehensive, but in many cases, not that useful. For example, I got an alert on Sep 13 of one of my E-mail addresses on the dark web. It doesn’t list a website, and says password not found. So not really sure what I can do with this.