The risks of unintended exposure, and the steps to take next.
It seems we hear about a data breach at one company or another every week.
Eventually, one of those breaches will contain your data. What do you do?
As with almost everything: it depends.
If You're Breached
- If your email address is in a breach, all you should do is remain vigilant for phishing attempts on that address.
- If your password is in a breach, especially if the passwords are not described as hashed, stop using that password anywhere and change all accounts previously using it to strong, unique passwords.
- Remember that the information collected across multiple breaches can facilitate identity theft and sophisticated phishing attempts. Always remain on guard.
What is a data breach?
A data breach happens when a company, small or large, accidentally allows some or all of its data to be accessed by someone who’s not supposed to see it. That someone makes a copy of that data, generally for malicious purposes.
The value is in the data: exactly what was accessed and copied?
The risk is also in the data, and how we respond depends on exactly what was accessed and copied.
We’ll look at the two specific pieces of data we care about the most: email addresses and passwords.
Email addresses in data breaches
Perhaps the single most common piece of information discovered in the widest variety of data breaches is your email address. The reason is simple: it’s your email address these companies use to communicate with you, and it’s often used when you sign in to an online service. Quite often, recovery or alternate email addresses are also included in a breach.
What should you do if your email address is in a breach?
Email addresses, while “private”, are almost a form of public information about you. We use them in so many different places that, even if we’re careful, it’s simply not reasonable to assume that our email address will remain forever secret. The mere fact that we all eventually get spam tells us that email addresses are almost guaranteed to fall into the hands of people we’d prefer didn’t have them.
The reality is that it will happen and has probably already happened. Discovering your email address in a data breach is little more than it having happened again — with one important exception I’ll discuss below.
Passwords in data breaches
There are two distinct scenarios that you need to watch for when you hear of a data breach, and the difference boils down to one word: hash.
If a data breach is described as containing “hashed” passwords, then your password has not necessarily been exposed. Hashes are the technique services use to store information about your password without actually storing the password itself (if they are doing security properly). It is typically not possible for a password to be recovered from a hash.
If a data breach is described as containing passwords without mention of the word hash, then if your information is in that breach, it’s likely your password has been exposed. This means you should:
- Change your password at that service immediately.
- Never use that password anywhere else again.
- If you had been using that password anywhere else, change all of those as well, making sure to choose a different password for each service.
Now, I had to get a little vague about “services doing security properly”, as well as it being “typically” not possible to recover a password from a hash.
It’s possible to implement hashes improperly, and some poorly constructed hashes can be reverse-engineered into their originating passwords, particularly if the passwords are short.[1] Unfortunately, we don’t know who does password security well.
The upshot? It’s safest to change your password if you hear of a breach that includes password information, hashed or not.
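An added example, not code from the Ask Leo! article, of what “doing security properly” looks like on the service’s side: storing a salted, deliberately slow hash with Python’s standard library (hashlib.scrypt; the cost parameters are an assumption), next to the unsalted single hash that the footnote’s rainbow tables are built against.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters for an interactive login; tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'scrypt$<salt hex>$<hash hex>'.
    A fresh random salt per password means two users with the same
    password get different records, so no precomputed table applies."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time;
    the service never needs the original password on disk."""
    algo, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_md5(password: str) -> str:
    """The improper scheme: one fixed, fast hash per password, so a
    rainbow table maps the stored value straight back to the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_precomputable(scheme, password: str) -> bool:
    """True when hashing the same password twice yields the same stored
    value: exactly the property a precomputed table depends on."""
    return scheme(password) == scheme(password)
```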
Everything else in data breaches
Data breaches often contain much more than just email addresses and passwords. They’ve been known to contain names, physical addresses, phone numbers, tax identification numbers, licensing information, and much, much more. Exactly what each contains varies from breach to breach.
There are two things that can happen with all this information:
- Identity theft. Depending on the amount of data collected — possibly across multiple breaches — it may be possible for hackers to gather enough information about you to be able to set up accounts in your name, run up huge bills, and leave you holding the bag. Take advantage of any identity-theft protection offered by the breached party, if they make it available, and consider setting it up yourself if they don’t.
- Phishing. One of the most common ways that breached information is used — especially your email address, as I alluded to above — is to craft highly targeted and legitimate-looking phishing emails. If, through the data harvested in one or more breaches, the hackers determine that you have account #123 at Some Random Bank using your email email@example.com, then you’re very likely to get official-looking emails claiming to be from Some Random Bank that are not. Even if the messages include your account number, it’s very possible they could be fake.
Honestly, the only true solution for you and me is to remain skeptical and ever vigilant. Watch those emails for possible scams and phishing attempts. Keep an eye on your credit report and credit cards for suspicious activity, and report it as such the moment you see it.
Breaches for services you’ve never used
Your question mentioned that the breach was for a service you’ve never used or signed into, or perhaps even heard of.
This happens more often than you’d think, for a variety of reasons. The two most common:
- The breach happened at a parent company, or subsidiary, of a company you use.
- The breach happened at a company providing services to a company you use.
There may be other scenarios as well.
The important message here, though, is don’t discount breaches claiming your involvement, even if it’s a company you’ve never heard of. Read the details available, and you may find that you were indirectly involved and need to take action as described above.
One of the best ways to stay on top of new breaches is to subscribe to a service called Have I Been Pwned. Enter your email address, and the service will check to see if it appears in any previous breaches (chances are it will) and generate a report. Then it will email you a notification if your email address appears in any future breach. It’s generally more timely than waiting for some company to admit it’s been breached and notify its customers.
Another tool from the same source is Pwned Passwords. This site will tell you if a password you enter has ever appeared in a breach. If it has, you should stop using that password immediately. Yes, this does mean you’re entering your password into a third-party site or service. In the same way that services don’t store passwords, neither does Pwned Passwords. Ultimately, you need to trust them to use the service. I definitely do.
Footnotes & References
[1]: Rainbow tables contain hashes and corresponding passwords for all possible passwords up to a certain length, as well as all discovered passwords of any length. Just another reason it’s important to use a long password and a different password for every site.