Giant password leak: is your data among the 16 billion records exposed?
The largest ever collection of stolen login credentials has seen the light of day. Among those affected may be users of Google, Apple, Facebook and many other popular services. How is this possible when passwords should be encrypted?
A new cybersecurity alert has rocked the Internet: more than 16 billion passwords have been found in a huge database available on forums used by cybercriminals. The file - dubbed “Mother of All Breaches” (MOAB) - is not from a single attack, but is a compilation of data collected from many previous leaks.
Among the information are combinations of email addresses and passwords for such popular sites as Google, Facebook, Apple, Netflix, LinkedIn, Twitter and many others. What's most disturbing is that a large portion of these passwords have been revealed in unencrypted form, i.e. in so-called clear text. How is this even possible?
After all, should passwords be secure?
In theory, yes. Web services should store user passwords in encrypted form or, better yet, as encoded hashes (hashes). In practice, however, implementation of these solutions often fails.
Theft before encryption The infostealer malware can capture passwords directly from the browser or operating system - before they are encrypted and saved.
Programming Errors Sometimes even large companies (like Facebook or GitHub) make mistakes that result in passwords being stored in server logs in clear text. All it takes is a vulnerability in the system and cybercriminals can seize this data.
Leakage from unsecured sites Many leaks come from small online stores, forums or sites that either store passwords in plaintext or use outdated encryption methods (e.g. MD5, SHA-1) that can be easily cracked.
The negligence of the offenders themselves Paradoxically, cybercriminals themselves often store stolen data on unsecured servers. Such databases later end up in public repositories or are available for download without any security.
What does this mean for the ordinary user?
If you use the same passwords in multiple places, you are at risk. The attack, called credential stuffing, involves automatically testing stolen username and password combinations on different sites - until you find one that works.
In practice, this means that if you used the same username and password combination for, say, an old forum in 2016, someone can try to log into your Gmail, Amazon or bank account with them today.
How to protect yourself?
Some key principles:
- Use strong, unique passwords for each service.
- Use a password manager, such as Bitwarden, 1Password or KeePass - don't try to memorize everything.
- Enable two-factor authentication (2FA) where possible.
- Check if your data has been leaked at haveibeenpwned.com.
- Change your password immediately if you use it in multiple places and it has appeared in any of the databases.
A global problem that is growing
The scale of this leak is unprecedented. What was once scattered in the dark recesses of the Internet is now available in one place - ready for mass exploitation.
The conclusion? It's not enough to trust that “big companies have everything under control.” **Your security starts with you. Because on the Internet, a weak password is like leaving your key under the doormat - and posting it on Facebook.
Did your password leak? Don't wait until you find out in the worst possible way. Change them, secure yourself and take care of your digital life.
