I just heard about a security breach that has exposed something like a couple of million accounts across several servers.
I have accounts on those services. How concerned should I be? Have I been hacked? What do I need to do next?
That’s a composite of several questions that I’ve received relating to a recent theft of something like two million user accounts and passwords.
I’ll address this specific incident, but I also want to discuss some things to consider with any large scale account theft.
Has my account been compromised?
With the current situation, accounts used to access several different services are involved. Reports are that some (although not all) of those services are informing account holders that their accounts were compromised. Some have even reset account passwords, forcing users to change their passwords on next login, or go through account recovery steps to prove that they are the rightful account holders.
Services that do this are doing exactly the right thing, in my opinion. It’s a hassle for the account holders involved, but it’s significantly less of a hassle than having your account stolen away from you.
If you use one of those services, you’ll already know because they would have reached out to you.
Unfortunately, not all services are taking this approach. To be fair, not all services may even be able to determine exactly who has and has not been affected.
The magnitude of this breach
Two million seems like a very large number.
It’s not. Not really.
Especially when you consider that it’s across multiple providers. Google accounts that were compromised account for only 70,000, or perhaps less than one one-hundredth of a percent of what could be upwards of 800 million Google and Google-related accounts. (Facebook apparently had the honors for most accounts affected in this breach: 318,000.)
So the chances of it being your account are actually pretty small.
Or is it? As it turns out, that depends on you.
How the breach happened
This particular incident was the result of a large distributed network of keyloggers.
In other words, machines were infected with malware that logged the keystrokes of whoever used the machine. If that machine was used to log in to Gmail, Yahoo!, Facebook, or any other “interesting” online account, the malware would capture the login credentials (including the password typed in) and send them on to the central server controlling the botnet.
If your machine was infected, then yes, your accounts could have been part of the breach.
If you used an infected machine (such as that of a friend or a public computer that was infected), then yes, your accounts could have been part of the breach.
What you should do
If there’s any question in your mind at all, change your password.
In fact, whenever there’s a question about whether or not your account has been hacked, the safest thing to do is simply assume that it has been and act accordingly. Email Hacked? 7 Things You Need to Do NOW has a great action plan.
However, I also don’t see this particular scenario as a call to panic.
If you’ve been behaving safely on the internet, you’ve been keeping your machine secure and up-to-date, and you haven’t logged in to your accounts from insecure locations or on machines that you don’t have complete control over, then I have a hard time saying you need to do anything. It’s just not likely that you’ve been affected.
At least not this time.
Next time? Well, about that…
Consider additional security
I use something called two-factor or multi-factor authentication for my Google and other accounts that support it.
When I log in to Google from an untrusted machine (or after having cleared cookies on my home machine), I need to enter a code that is displayed on an app on my smartphone. It’s not enough to know the password. I have to prove that I have that smartphone – the “second factor” – in my possession before I can sign in.
Even if there were a keylogger installed on the machine, the information captured would be useless. The code changes every 30 seconds in such a way that the next code can never be predicted from the ones before it. The hackers might have my login ID and password, but they still can’t log in. Not without also having my phone in their possession (and even that is locked with yet another security code by default).
Two-factor authentication can be slightly cumbersome to set up, but it’s actually very easy to use. I strongly recommend that you at least consider it as an additional security measure for those services that offer it.
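To show concretely why a keylogged code is worthless, here is an added example (my own illustration, not code from Ask Leo! or from any authenticator app) of the time-based one-time password scheme that Google Authenticator-style apps use, as specified in RFC 6238. The secret below is the RFC’s published test key, the timestamps are constructed, and the `TotpVerifier` class is a hypothetical minimal server-side check: it accepts a code only for the current 30-second window (plus one window of clock drift) and refuses to accept any window it has already accepted, so a code captured off the keyboard cannot be replayed.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # window length used by Google Authenticator-style apps
DIGITS = 6          # length of the code the user types

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated to digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second windows since the epoch."""
    return hotp(secret, unix_time // step, digits)

def secret_from_base32(key: str) -> bytes:
    """Authenticator apps share the secret as base32 (the text inside the enrollment QR code)."""
    return base64.b32decode(key.upper())

class TotpVerifier:
    """Hypothetical server-side check: current window +/- drift, and never the same window twice."""

    def __init__(self, secret: bytes, drift_windows: int = 1):
        self.secret = secret
        self.drift_windows = drift_windows
        self.last_accepted_counter = -1  # highest window already used for a successful login

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // STEP_SECONDS
        for delta in range(-self.drift_windows, self.drift_windows + 1):
            candidate = now_counter + delta
            if candidate <= self.last_accepted_counter:
                continue  # replay: this window (or an older one) has already been consumed
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_counter = candidate
                return True
        return False

# Constructed demo secret: the RFC 6238 test key "12345678901234567890", base32-encoded
DEMO_SECRET = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

def keylogger_replay_outcome(secret: bytes, login_time: int, replay_delay: int) -> dict:
    """Simulate the scenario in the article: the user logs in, a keylogger captures the code,
    and the attacker tries that same code later. Returns what the server decided each time."""
    server = TotpVerifier(secret)
    captured = totp(secret, login_time)
    return {
        "captured_code": captured,
        "legitimate_login": server.verify(captured, login_time),
        "immediate_replay": server.verify(captured, login_time),
        "later_replay": server.verify(captured, login_time + replay_delay),
    }

if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET, int(time.time())))
    print(keylogger_replay_outcome(DEMO_SECRET, 1234567890, replay_delay=120))
```

The first two calls to `verify` show the important property: the genuine login succeeds, but presenting the very same captured code a second time fails even within the same 30-second window, because the server remembers the window it already accepted. Without the secret stored on the phone, knowing this code tells the attacker nothing about the next one.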
I also recently recorded this video commentary on the topic: