Another day, another breach. How to protect yourself.
When I originally wrote this in January of 2019, there had been a breach (referred to as the “Collection #1” breach) apparently containing something like three-quarters of a billion email addresses and plain-text passwords. It was newsworthy because it was huge and contained passwords for anyone to see.
It was also quite frustrating for reasons I’ll outline in a moment.
Naturally, the question I (still) get most is this: what should you and I do?
The same thing we do every breach, my friend; the same thing we do every breach.
If you're in a breach
In most cases, there’s little you can do in response to a specific breach, other than perhaps changing related passwords if you know the services involved. Use every breach you hear about as an opportunity to review your account security to ensure it’s as tight as you can make it.
Once more unto the breach, dear friends
Breaches happen often enough that it’s hard to take them seriously. A more likely reaction is “Oh, another one”, with little attention paid to the specifics. The Collection #1 breach is worthy of a closer look for a variety of reasons.
It’s huge. The original report cited 773 million email addresses, and I’ve seen subsequent headlines quoting a billion and a half or more.1 It may be the biggest breach to date.
It has email addresses. This is not new, and is what makes most breaches noteworthy. You want to know if your email address was exposed. With at least 773 million records in this one, the odds are high.
It has plain text passwords. This is the most devastating. Most breaches contain “hashed” passwords, meaning what leaks is a one-way transformation of each password rather than the password itself. Hashed passwords are not automatically safe (short or common passwords can still be recovered by guessing, and unsalted fast hashes make that cheap), but at least the attacker has to do that work. In this breach, the passwords are there for anyone to see, no guessing required.
It’s an example of what’s possible. Even years later, it’s a great example of exactly what can go wrong.
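To make concrete why “hashed” is not the same as “safe”, here is a short added example (it is not part of the original article; the accounts, passwords and wordlist are constructed). It recovers unsalted SHA-1 hashes with a wordlist in a single pass, then shows that a per-user salt plus a slow key-derivation function (PBKDF2 here) forces an attacker to redo the work for every account and every guess:

```python
import hashlib
import os

# Constructed breach dump: email -> unsalted SHA-1 of the password, the way a
# poorly designed site might store it. Accounts and passwords are made up.
LEAKED_SHA1 = {
    "alice@example.com": hashlib.sha1(b"password").hexdigest(),
    "bob@example.com":   hashlib.sha1(b"letmein").hexdigest(),
    "carol@example.com": hashlib.sha1(b"qX7#vR2pL9!wZ4mK0tBn").hexdigest(),
}

# Constructed stand-in for the multi-million-entry wordlists attackers use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "monkey"]


def crack_unsalted(dump, wordlist, algo="sha1"):
    """Hash each wordlist entry once and look it up against every user at the
    same time: cost is len(wordlist) hashes no matter how many accounts leaked."""
    table = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h] for email, h in dump.items() if h in table}


def store_password(password, iterations=100_000):
    """How a site should store a password: random per-user salt plus a slow KDF.
    Real deployments use more iterations (or Argon2/scrypt); 100k keeps the
    example fast."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def crack_salted(dump, wordlist, iterations=100_000):
    """Against salted, slow hashes the attacker must redo the KDF for every
    (user, guess) pair. Returns (recovered, number_of_kdf_runs)."""
    recovered, runs = {}, 0
    for email, (salt, digest) in dump.items():
        for guess in wordlist:
            runs += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations) == digest:
                recovered[email] = guess
                break
    return recovered, runs


if __name__ == "__main__":
    # Two of three weak passwords fall immediately; the 20-character one does not.
    print("unsalted SHA-1:", crack_unsalted(LEAKED_SHA1, WORDLIST))
    salted = {
        "alice@example.com": store_password("password"),
        "carol@example.com": store_password("qX7#vR2pL9!wZ4mK0tBn"),
    }
    print("salted PBKDF2:", crack_salted(salted, WORDLIST))
```

The difference is the work factor, not the secrecy of the scheme: with unsalted SHA-1 the six guesses cost six hashes for the whole dump, while with a salted slow hash each guess has to be recomputed per user, which is why sites should store passwords that way and why you should still change a password that shows up in any breach.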
What we don’t know
What’s exceptionally frustrating about this breach, however, is what we don’t know.
We don’t know where it came from. We don’t know what service or services were compromised or what accounts all those email addresses represent.
If you find your email address is part of this breach (haveibeenpwned will tell you; more on that below), what then? What concrete action can you take?
Regarding this specific breach, the answer is absolutely nothing.
Every breach is a reminder
Every breach should remind us of the importance of account security. It remains our responsibility. Even when taking the best steps to stay secure, stuff like this still happens.
Here’s what you can and should do for this and any breach.
- Use haveibeenpwned.com to see if your email address is part of the breach. Consider signing up for notifications in the future. (If you own a domain — like I own askleo.com — you can also get notification of breaches for any email address on that domain.)
- Change your password if the breach involves a specific service you use.
- Get and use a password manager to make using long, strong, and unique passwords significantly easier. I use and recommend LastPass, but any of the major equivalents will do.
- Stop using the same password on more than one site. Seriously, stop it. I can’t underscore enough how important this is. Hackers take the email address and password combinations they find in one breach and try them against many other services (a technique called credential stuffing). Given how many people are lazy and re-use passwords, they’re often successful in breaking in. Using a password manager makes using unique passwords significantly easier.
- Create long, strong passwords. Use 12 characters at a minimum; I currently use 20. I don’t care if you use completely random characters (as I do by default), or long phrases of unrelated words (as I do for accounts where I need to remember and type the password). Length is most important, but make them complex while you’re at it. Again, using a password manager makes this easy.
- Add two-factor authentication to your account if it’s available. Yes, yes, I know it’s not perfect. But it’s still an order of magnitude better than not having it enabled at all.
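As an added illustration of the length-versus-complexity point above (example code, not from the original article), this generates both styles of password with Python’s secrets module and estimates their entropy in bits. The word list is a constructed stand-in for a real diceware list such as the EFF’s 7,776-word list:

```python
import math
import secrets
import string

# Full printable ASCII set minus space: 94 characters.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real diceware list (the EFF list has 7,776 words).
WORDS = ["correct", "horse", "battery", "staple", "anvil", "crater", "lemon", "tundra"]


def random_password(length=20, alphabet=SYMBOLS):
    """Random characters drawn with the CSPRNG-backed secrets module, never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words=5, words=WORDS, sep="-"):
    """Unrelated words chosen at random from a list; easier to type and remember."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def compare():
    """Entropy of the styles discussed in the article; shows why length dominates."""
    return {
        "12 chars, 94-symbol alphabet": entropy_bits(94, 12),
        "20 chars, lowercase only":     entropy_bits(26, 20),
        "20 chars, 94-symbol alphabet": entropy_bits(94, 20),
        "5 words from 7,776-word list": entropy_bits(7776, 5),
    }


if __name__ == "__main__":
    print(random_password())
    print(passphrase())
    for label, bits in compare().items():
        print(f"{label}: {bits:.1f} bits")
```

Twenty lowercase letters (about 94 bits) beat twelve characters drawn from the full symbol set (about 79 bits), which is the article’s point: length does more than complexity. The passphrase numbers assume the words are picked at random from the full list, not chosen by hand.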
If you’re comfortable doing so, run passwords you’re worried about being breached through Pwned Passwords. The check uses a k-anonymity scheme: your browser hashes the password with SHA-1, sends only the first five characters of that hash, gets back every leaked hash that starts with those characters, and does the comparison locally. Neither the password nor its full hash leaves your computer. I realize not everyone is OK with involving a third party at all. I trust them, but you don’t have to.
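What a Pwned Passwords check actually sends, as an added example (this is not Ask Leo’s code): only the first five hex characters of the SHA-1 hash go to the API, the response is the list of leaked hash suffixes in that range with their counts, and the match happens locally. The range response below is constructed for the example (the suffix for “password” is real, its count is invented); the live lookup function uses the real https://api.pwnedpasswords.com/range/ endpoint but is not called by default, so the script runs offline:

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response for prefix "5BAA6":
# one "SUFFIX:COUNT" line per leaked hash sharing that prefix. Real responses run
# to several hundred lines; the first and third suffixes and all counts are made
# up, the second line is the real SHA-1 suffix of "password".
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FEDCBA9876543210FEDCBA9876543210FED:15",
    ]),
}


def split_sha1(password):
    """Hash locally and split into the 5-char prefix that is sent and the
    35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text):
    """Turn a range response into {suffix: count}, tolerating blank lines."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, range_lookup):
    """How many times the password appeared in known breaches (0 = not seen).
    `range_lookup` is any callable that maps a prefix to response text."""
    prefix, suffix = split_sha1(password)
    return parse_range(range_lookup(prefix)).get(suffix, 0)


def sample_range_lookup(prefix):
    """Offline stand-in for the API using the constructed data above."""
    return SAMPLE_RANGES.get(prefix, "")


def live_range_lookup(prefix):
    """The real query: only the 5-character prefix goes over the wire."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "qX7#vR2pL9!wZ4mK0tBn"]:
        print(pw, "->", pwned_count(pw, sample_range_lookup), "(sample data)")
    # Swap in live_range_lookup to query the real service:
    # print(pwned_count("password", live_range_lookup))
```

Because the server only ever sees a prefix shared by hundreds of unrelated hashes, it cannot tell which password you were asking about, which is the property that makes this check reasonable to run even on a password you are still using.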
It’s simple, really: if you have any concern about a password being compromised, then change it! Change it to something long and strong and unique.
The best and often only thing you can do is use every breach as a reminder to make sure your account security is as good as you can make it.
Footnotes & References
1: Per the initial announcement, there were 772,904,991 email addresses, but 1,160,253,228 unique combinations of email addresses and passwords in a total of 2,692,818,238 records.