As I write this, there’s been a breach (referred to as the “Collection #1” breach) that apparently contains something like three-quarters of a billion email addresses along with plain-text passwords. It’s newsworthy because it’s huge and because the passwords are there for anyone to see.
It’s also quite frustrating, for reasons I’ll outline in a moment.
Naturally, the question I’m getting most is simply this: what should you and I do?
The same thing we do every breach, my friend; the same thing we do every breach.
Once more unto the breach, dear friends
Breaches happen often enough these days that it’s getting hard to take them seriously. A more likely reaction is “oh, another one”, with little attention paid to the specifics. As I said, “Collection #1” is worthy of a closer look for a variety of reasons:
It’s huge. The original report cites 773 million email addresses, and I’ve seen subsequent headlines quoting a billion and a half or more.[1] That may be the biggest breach to date.
It has email addresses. This is not new, and in fact is what makes most breaches worthy of your awareness. You’ll want to know if your email address is present. With 773 million records in this one, the odds are high.
It has plain text passwords. This is the most devastating. Most breaches contain what are referred to as “hashed” passwords: the service never stored the password itself, only the output of a one-way function applied to it. If the service chose a slow, salted algorithm, turning those hashes back into passwords means guessing, hashing, and comparing, one expensive attempt at a time per user, and long random passwords are effectively unrecoverable. (If the service used a fast, unsalted algorithm, much of the list gets cracked anyway, but at least the attacker has to do the work.) In this breach, no cracking is needed: the passwords are there for anyone to see.
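To make the “hashed versus plain text” distinction concrete, here is an added example (my own illustration, not code from the Ask Leo! article or from any of the breached services) of what a sensibly hashed password table looks like and what an attacker has to do with it. The record format, the iteration count, and the sample accounts and wordlist are all constructed for the demo; the iteration count is kept deliberately low so the demo runs quickly.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hypothetical iteration count chosen to keep the demo fast; production systems use
# much higher counts (or scrypt/argon2) so each attacker guess costs more.
ITERATIONS = 20_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a salted, iterated hash rather than the password itself.

    Record format (assumed for this demo): pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def crack_with_wordlist(record: str, wordlist: List[str]) -> Optional[str]:
    """What an attacker must do with a hash: guess, hash with that user's salt, compare.

    Every guess costs a full PBKDF2 run, and because each user has a different salt
    the work cannot be shared across users. A plain-text dump skips all of this.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


# Constructed sample "breach table" (not real data): two users share a weak
# password, one uses a long random one.
LEAKED_HASHES: Dict[str, str] = {
    "alice@example.com": hash_password("Summer2019"),
    "bob@example.com": hash_password("Summer2019"),
    "carol@example.com": hash_password("vK3#x9Lp!rQ2mW8z&Tb4"),
}

# Constructed attacker wordlist.
WORDLIST = ["123456", "password", "qwerty", "Summer2019", "letmein"]


def same_password_different_hashes() -> bool:
    """Per-user salts mean identical passwords do not show up as identical hashes."""
    return LEAKED_HASHES["alice@example.com"] != LEAKED_HASHES["bob@example.com"]


def crack_all() -> Dict[str, Optional[str]]:
    """Run the wordlist attack against every leaked record."""
    return {email: crack_with_wordlist(rec, WORDLIST) for email, rec in LEAKED_HASHES.items()}


if __name__ == "__main__":
    print("identical passwords hash differently:", same_password_different_hashes())
    for email, found in crack_all().items():
        print(f"{email}: {found or 'not in wordlist'}")
```

The weak, shared password falls to the wordlist, but only after a separate slow computation for each user; the long random one survives the wordlist entirely. With Collection #1 the attacker starts where this demo ends, with the passwords already in hand.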
What we don’t know
What’s exceptionally frustrating about this breach, however, is what we don’t know.
We don’t know where it came from. We don’t know what service or services were compromised, or what accounts all those email addresses represent.
So if you find that your email address is part of this breach (haveibeenpwned will tell you, more on that below) … what then? What concrete action can you take?
With respect to this specific breach, the answer is: absolutely nothing.
And yet, we can and should do the same thing we do with every breach.
Every breach is a reminder
Every breach should remind us that account security is important, that it remains our responsibility, and that even when taking the best steps to stay secure, stuff like this can still happen.
Here’s what you can and should do for this and any breach:
- Use haveibeenpwned.com to determine if your email address is part of the breach. Consider signing up for notifications in the future. (If you own a domain — like I own askleo.com — you can also get notification of breaches for any address on that domain.)
- Change your password if the breach does involve a specific service that you use, and change it anywhere else you used that same password.
- Get and use a password manager to make using long, strong, and unique passwords significantly easier. I happen to use and recommend LastPass, but any of the major equivalents will do.
- Stop using the same password on more than one site. Seriously, stop it! I can’t underscore enough how important this is. Attackers do take the email-address and password combinations they find in one breach and try them, automatically and at scale, against many other services (the technique is called credential stuffing). Given how many people re-use passwords, they’re often successful at breaking in. Using a password manager makes using unique passwords significantly easier.
- Create long, strong passwords. Use 12 characters at a minimum; I currently use 20. I don’t care if you use completely random characters (as I do by default), or long phrases of unrelated words (as I do for a couple of accounts where I often have to remember and type the password). Length is most important, but make them complex while you’re at it. Again, using a password manager makes this easy.
- Add two-factor authentication to your account if it’s available. Yes, yes, I know it’s not perfect. But it’s still an order of magnitude better than not having it enabled at all.
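The “long random characters versus several unrelated words” choice above comes down to how much guessing work each one represents. The following is an added example (my own, not from the article or from any password manager) that generates both kinds with Python’s cryptographic random source and computes the guessing work in bits. The word list embedded here is a constructed stand-in; the entropy figures assume a real diceware-style list of 7,776 words.

```python
import math
import secrets
import string
from typing import Dict, List

# Character set for random passwords: the 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a real diceware-style word list. The entropy numbers
# below are computed for a real list of DICEWARE_LIST_SIZE words, not this toy one.
SAMPLE_WORDS: List[str] = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]
DICEWARE_LIST_SIZE = 7776


def random_password(length: int = 20) -> str:
    """Fully random characters from the whole printable set (the article's default)."""
    if length < 12:
        raise ValueError("12 characters is the floor; use more")
    # secrets, not random: the latter is predictable and unsuitable for secrets.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(word_count: int = 6, words: List[str] = SAMPLE_WORDS, sep: str = "-") -> str:
    """The memorable alternative: several unrelated words picked at random."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def entropy_bits(choices_per_pick: int, picks: int) -> float:
    """Guessing work in bits: log2(choices) per independently chosen symbol or word."""
    return picks * math.log2(choices_per_pick)


def compare(length: int, word_count: int) -> Dict[str, float]:
    """Bits of entropy for a random password of `length` vs a passphrase of `word_count` words."""
    return {
        "random_chars": round(entropy_bits(len(ALPHABET), length), 1),
        "passphrase": round(entropy_bits(DICEWARE_LIST_SIZE, word_count), 1),
    }


if __name__ == "__main__":
    print("random 20:", random_password(20))
    print("6 words:  ", passphrase(6))
    print("12 chars vs 6 words:", compare(12, 6))
    print("20 chars vs 6 words:", compare(20, 6))
```

The numbers are the useful part: twelve random characters and a six-word passphrase both land near 78 bits, so the passphrase is no weaker, just longer to type; twenty random characters are around 131 bits. Either is far beyond anything a wordlist attack like the one in the earlier example could reach, which is why length matters more than any particular mix of symbols.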
If you’re comfortable doing so, consider running passwords you’re concerned about having been breached through Pwned Passwords (part of haveibeenpwned.com). I realize not everyone is OK with giving their password to a third party like that. I trust them, but you don’t have to. Worth knowing: the check is designed so the service never actually receives your password. Your browser hashes the password locally, sends only the first five characters of that hash, and then compares the list of matching hash suffixes that comes back on your own machine. Either way, it’s simple, really: if you have any concern about a password being compromised, then change it! Change it to something long and strong and unique.
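Here is that partial-hash check spelled out in code, as an added example (mine, not code from the article or from Have I Been Pwned). The endpoint URL is the real public range endpoint, but the demo runs entirely offline against a constructed sample response; the hit counts in that sample are made up, and the live-fetch function is only there to show where the one short network request would go.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_upper_hex(password: str) -> str:
    """Pwned Passwords keys its list by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Only the 5-character prefix leaves your machine; the 35-character suffix stays local."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan a 'SUFFIX:COUNT' list for our suffix; 0 means it was not in that range."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Real query to the public range endpoint (not used by the offline demo below)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "range-check-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range_live) -> int:
    """How many times the password appears in the corpus; the full hash is never sent."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample of what a range response looks like (one 'SUFFIX:COUNT' per line).
# SHA-1("password") is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6.
# The neighbouring suffixes and all of the counts are made up for this demo.
SAMPLE_RESPONSES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call: serve the constructed sample, or nothing."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "vK3#x9Lp!rQ2mW8z&Tb4"]:
        hits = pwned_count(candidate, fetch_range_offline)
        verdict = f"seen {hits} times, change it" if hits else "not in the sample"
        print(f"{candidate!r}: {verdict}")
```

Because a five-character prefix covers roughly a million of the possible SHA-1 values, the server learns only that your password is one of the hundreds of passwords sharing that prefix, and the final comparison happens on your side. That is the property to look for if you would rather not hand a password to anyone.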
Every breach, every time
That’s the best (and sometimes only) thing you can do: use every breach as a reminder to make sure your personal account security is as good as you can make it.