Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Can a Data Breach Expose Multiple Accounts?

Direct and indirect risks to your accounts.

Data breaches rarely expose multiple accounts. There are rare scenarios where multiple accounts might still be at risk, though.

Security Breach!

Question: I’ve been in a data breach, and I have multiple accounts on my phone. Can they get my data from the other accounts or do they just get my information out of the account that’s been in the data breach?

Normally, it's just the one account.

However, there are scenarios where more might be at risk.

Become a Patron of Ask Leo! and go ad-free!

TL;DR:

Data breaches exposing multiple accounts?

It's rare that a data breach includes more than one account. A breached account rarely impacts the security of your other accounts unless it happens to be the sign-in account or recovery account for other services. Regardless, if your account is involved in a breach, change its password just in case.

Breach does not mean access

Let's clear something up first: just because your account was involved in a breach doesn't mean your account has been compromised.

Most breaches leak data, it's true, but that data rarely allows hackers into your account. It simply exposes things like your email address and maybe some other data, but not enough to gain access. Even when you hear the phrase "hashed passwords" being included in the breach, that generally does not mean hackers have your password.

However.

I've used words like rarely and generally above because sometimes when security isn't done properly, hackers can use information in a breach to gain direct access to your account. It's rare these days, but still possible.

Worse, we generally don't know exactly what the ramifications of a breach are until long after it's passed.

Hence, the common advice is to change your password and add two-factor authentication to further secure your account, just in case.

Accounts on a device don't relate

You said you have multiple accounts on the phone. That really has nothing to do with how at-risk the other accounts might be.

That they're on your phone is generally irrelevant. If one account is part of a breach, even if the account is actually hacked, the other accounts on your phone are usually unaffected.

Of course, if your phone is itself hacked, then everything on the phone is at risk. Hacks are extremely rare while you're in possession of your phone. If you lose your phone or it inexplicably stops working, contact your mobile provider right away.

The slightly risky scenario

There is one scenario where the risks are somewhat higher, but a number of things have to happen.

  1. One of your accounts is involved in a data breach. (This is common.)
  2. That breach exposes your password or enough other information for a hacker to actually hack into your account. (This is rare.)
  3. That account is the sign-in, "alternate email", or backup account for one or more of your other accounts. (This is common if the breached account is an email account.)
  4. Hackers realize #3. (Neither rare nor common, although it happens on occasion.)

In this scenario, the hackers can now reset the passwords on the linked accounts and hack into those as well.

As I said, it's not common, as a number of things have to line up. It's not something I worry about when one of my email accounts is involved in a breach.

And it has nothing to do with what's on your phone.

One breach, multiple accounts

To be complete, there's one data-breach scenario I've never heard of happening that could put multiple accounts at risk.

That's if the breached service included information about multiple accounts of yours. Password vaults come to mind.

But re-read what I just said: I've never heard of it happening. Reputable password vaults do security right. Even if they were breached (which, I'll say yet again, has not to my knowledge happened for any of the major players) the data any hackers would get would be useless, encrypted blobs of random data.

Do this

If you're notified that an account of yours is involved in a breach, change the password. You might not technically need to, but it's an easy and simple way to minimize any impact.

As for your other accounts, treat them as you would all your accounts:

  • Strong password.
  • Different password for every account.
  • Two-factor authentication for those accounts that support it.

Something else you can do? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio

Play

7 comments on “Can a Data Breach Expose Multiple Accounts?”

  1. You mentioned using a different password for all accounts. That’s critical, so I’m repeating it here.

    If you don’t do this, and hackers get your email-password combination from a breach, they can try that email-password combination on other accounts to see if they can get in.

    Reply
  2. I take data security seriously, and I consider any data breach that includes any of my accounts to be a threat, so I proactively take measures to mitigate the threat, so it does not become a disaster.

    I use LastPass as my password vault/off-premises storage service (the paid version) because it provides a Security Dashboard, which informs me if a password (duplicate, weak, etc.), or if one of my email accounts (Dark Web Monitoring) are at risk. I also have the HaveIBeenPwned website notify me if any of my email addresses are included in a data breach. I use Microsoft Authenticator for 2FA on all my accounts that support it to improve account security. I also keep my account profiles as minimalistic/generic as possible to reduce the chances of Identity Theft, etc.

    These measures are not perfect (there are no guarantees), but they do mitigate the possibility that any one account will affect others, or that any account will be hacked as a result of a data breach. If I receive notification that any of my accounts are included in a data breach, I immediately change the affected account’s password. If the account includes recovery options/questions, I change them too.

    These are some of the measures I use to keep my accounts secure,

    Ernie

    Reply
  3. If I’m feeling paranoid, a possibility to worry about is an apparently-legitimate password vault being purchased sneakily by a scammer operator.

    Haven’t heard of this yet, but similar things have happened. One of the big security companies (Kapersky) is based in Russia, which is now (al al Adolf Hitler) starting wars in Europe. The Ublock Origin creator had to split off from the name Ublock when it was taken over by advertising companies, just like Adblock. And I had to replace CrapCleaner (CCleaner) when it was purchased and went over to the dark side.

    So check out any Password Vault company before using it.

    Reply
  4. Got a text message :
    Unusual Activity
    : We’ve locked your Amazon account due to unusual activity.

    New Login from :
    Mozilla Firefox 8.7
    [ 134.210.247.92 – Russia ]

    Our system has locked your Amazon account for security reasons.

    To unlock your Amazon account, please verify your identity below:
    https://{suspicious domain removed}/link/62ec0819e7239400160765f9/62ec07fec03d7d001dc835c5/62ec07eb316b48001c631e48?signature=9914fff38c28a734939ec6ad3c3f038680fa15f715f609593c985923dadb61fe

    If you do not verify your identity before 24 hours, your Amazon account
    will be terminated.

    Sincerely,
    Amazon Team

    The s in the https:// concerned me. Called Amazon. They had not sent out the above message. I though the “s” meant secure?

    Reply
    • This is a phishing attempt. DO NOT click the link. I’ve removed the domain and replaced it with “{suspicious domain removed}”.

      https only confirms that {suspicious domain removed} is indeed {suspicious domain removed}. It has nothing to do with whether it’s actually who the message body claims.

      Reply
      • Definitely a phishing scam. It’s good you went to Amazon directly and didn’t click on the link. The https: means the connection is secure, but that https: was put there by the scammers. It probably doesn’t really go to an https: site.

        Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.