In what security experts are calling the largest data breach ever, a whopping 16 billion passwords have been breached leaving billions of users across the internet vulnerable to identity theft, account takeovers, and targeted cyberattacks.
The breach, as uncovered and reported by cybersecurity researchers at Cybernews, consists of leaked credentials from nearly every major online service for users worldwide – including Apple, Google, Facebook, GitHub, Telegram, and even government portals.
And as the scope and seriousness of this breach become clearer, the question on everyone’s mind is – what you need to do now to protect your online identity?
The Scale of the Breach: Unprecedented and Unrelenting
This breach is larger than a sensational headline; it is a tipping point for digital security. Security researchers have identified 30 unique datasets (with tens of millions to over 3.5 billion locations) carrying an almost incomprehensible total of 16 billion exposed login credentials.
This data includes usernames and passwords, and frequently includes additional information such as cookies and tokens via infostealer malware that plants itself undetected on devices, and collects sensitive information about the device (including login credentials).
Unlike previous breaches that leveraged old data, this exposure is new, and more importantly, weaponizable intelligence. This makes it particularly problematic for people and organizations alike.
The impacted services include so-called superstars of digital life including; Apple, Google, Facebook, Instagram, GitHub, Telegram, VPN providers, to US government services.
The size alone means that even if you are careful about your online acts, the odds are very likely that one of your accounts has been compromised.
Why this breach is different—and more dangerous
This is not just a leak, it is a plan for widespread exploitation. Cybercriminals now have a staggering mass of credentials to use to launch phishing campaigns, execute ransomware attacks, conduct business email compromise (BEC) scams, and steal identities.
Furthermore, with recent logs also included, along with tokens and cookies, there is an even greater risk of organizations being impacted by infostealer malware if they do not have multi-factor authentication (MFA) or are poor at credential hygiene, even organizations with good security controls in place.
The researchers pointed out that new huge datasets continue to appear with alarming regularity—capture your credentials, the threats posed by infostealer continues to be real and extensive.
Protecting Your Identity Online: What You Need to Do Now
Following this unprecedented breach, doing the following will give you noticeable savings immediately. Although there are many things you should do to protect your online identity, here are the most significant items you should and/or ought to do:
- Change Your Passwords Right Now: Start with your most sensitive accounts—email, banking, social media, and work. Use unique, strong passwords for each account, lastpass or another reputable password manager will create a unique password for you.
- Use Multi-Factor Authentication: MFA provides an extra level of security that prevents cybercriminals from accessing your account, even with a password. Whenever possible utilize MFA, and try to use an authenticator app, an SMS code, or a hardware key.
- Check to See if You Were Breached: Use services such as “Have I Been Pwned” to check and see if your email address or passwords have been stolen in public breaches. If your credentials were compromised, change them immediately.
- Monitor Your Individual Accounts for Suspicious Activity: Look for unauthorized logins or activity and logins/transactions on your accounts. Many platforms allow you to set alerts for suspicious activity—set these alerts or notifications and respond quickly when you get a notice.
- Don’t Reuse Passwords: Don’t reuse passwords across accounts. Password reuse presents one of the biggest vulnerabilities when a breach occurs.
- Be Wary of Phishing: Watch out for unsolicited emails, messages, or calls requesting personal information or asking you to click on links. Cybercriminals will take advantage of this breach to launch a targeted phishing campaign.
An Appeal to Everyone and All Organizations
The reality of 16 billion passwords being compromised should serve as a wakeup call to anyone who uses the internet. Individuals have to be more responsible for their digital security, however organizations need to review their security practices, implement MFA, and educate their employees about the dangers of reusing credentials and phishing.
Governments and technology companies alike need to do more to fight infostealer malware and protect their users.
The compromise of 16 billion passwords is a paradigm shift that poses dire consequences. By taking proactive measures—changing passwords, using MFA, monitoring accounts, staying vigilant—you can significantly decrease your risk and help protect your online identities.
Today’s growing internet threats are developing faster than many people are aware or are capable of handling. Staying educated and vigilant is more important than ever.
What you can do now to bolster your online identities could mean the difference between security and disaster.
