Using very complex and robust passwords may not be enough to protect access to your accounts on the internet.
Most passwords and email accounts are stolen through direct attacks on the websites and online services we use every day, even though those services keep the passwords in encrypted and protected form. The stolen passwords, or rather the accounts in the form of email + password, are then sold by hackers on the "deep web" or published on forums as a downloadable database in simple .txt files.
For this reason we often hear about a "breach" or "leak" of a password database or of entire lists of email addresses containing the accounts of millions of people, who are often completely unaware that their passwords have suddenly become public or semi-public.
We will see how to verify whether one of our passwords has been stolen and whether the security of one of our accounts has been violated by attacks of the type described above. We will also give universal, always valid advice on how to protect passwords and accounts, and explain what to do if we discover that a password has been compromised.
In this article:
- Check if an account has been hacked
- Preventing password attacks
- What to do if a password has been stolen
- Most popular incidents, updated to 2019
How to check if an account has been stolen
We could easily obtain a database of accounts ourselves (again email and password) via torrent, or browse the forums or the deep web, and then manually check whether our password is present "in the clear" (as plain text). In reality there is a much simpler and faster method that saves us from downloading gigabytes of text files just to look for our username and password.
haveibeenpwned.com is the web service that comes to our aid: it collects all known public password database leaks and, once an email address has been entered, quickly tells us whether the account has been compromised.
Simple use: on the website, we enter the email we want to check (the one used as username) in the "email address" field and click the "pwned?" button.
If the result is shown in red, it means that our account and password have been stolen and that we were indirect victims (since the attack was not aimed at us directly) of a "data breach".
A green result instead indicates that our email is not present in any database obtained from an attack on a vulnerable site.
The site distinguishes between "breaches" and "pastes". The difference between the two is the following:
- Breach: passwords and accounts were actually stolen and exposed from a system that had poor security mechanisms and was attacked (see below to find out which were the most famous compromised services and websites of 2019). Getting hold of these passwords means downloading a database from torrents or other distribution channels.
- Paste: sensitive information, possibly including ours, is present in public form on services that share text online (such as pastebin.com) and is therefore available to everyone without any effort; it is enough to search for it on Google or to have a direct link to the text file with the passwords.
It is important to understand that even if the result of the check is completely green, this does not prove that our account has not been stolen or that it is not circulating in some other "private" form. What haveibeenpwned.com offers is only a service based on public data, while a hacker or a group may decide to keep this information private and resell it or use it for other illegal purposes.
In addition to this, you should also know that the site never shows the password in the clear: it only tells us whether or not it is present in some public database.
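Besides the email lookup, haveibeenpwned.com also offers a Pwned Passwords lookup that checks a password without ever sending it: only the first five characters of the password's SHA-1 hash are sent, and the rest of the hash is compared locally against the list of matching suffixes returned. The Python below is an added example, not code from the original article or from haveibeenpwned.com; the `fake_fetch_range` response and the toy leaked set are constructed so it runs offline, and the live endpoint URL appears only in a comment.

```python
import hashlib
from typing import Callable, Dict

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.strip().upper()
        if not sep or len(suffix) != 35 or set(suffix) - HEX:
            continue
        if count.strip().isdigit():
            counts[suffix] = int(count.strip())
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the leaked set (0 = not found).

    Only the first 5 hex chars of the hash are sent (k-anonymity); the
    other 35 are compared locally against the returned suffix list.
    """
    digest = sha1_hex(password)
    return parse_range_response(fetch_range(digest[:5])).get(digest[5:], 0)


# Constructed offline stand-in for the service (the live endpoint would be
# https://api.pwnedpasswords.com/range/<prefix>): a toy leaked set with one
# password seen 3 times, plus two filler suffixes under the queried prefix.
TOY_LEAKED = {"password123": 3}


def fake_fetch_range(prefix: str) -> str:
    lines = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in TOY_LEAKED.items()
             if sha1_hex(pw)[:5] == prefix]
    lines += ["0" * 35 + ":1", "F" * 35 + ":7"]  # constructed filler
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple 2019!"):
        print(pw, "->", pwned_count(pw, fake_fetch_range))
```

Swapping `fake_fetch_range` for a function that performs the HTTP request against the real endpoint gives a working check, with the full password and hash never leaving the machine.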
Read on to understand how we can prevent attacks to our passwords and what to do if we find that we have been the victim of an indirect attack.
Prevent attacks on passwords or accounts
We cannot know how secure a site is, or how well the online services we use (or have used in the past) protect our data. However, there are simple rules that can limit the damage or prevent an attacker from discovering a password altogether.
- We use strong passwords: the basic rule is to use passwords that are not too simple and are not derived from personal information such as date of birth, name, surname, favourite movie or similar. We should use randomly generated passwords as much as possible (see the following points) and verify the security of our passwords.
- We activate two-step authentication: the best way to protect an account is to add another authentication mechanism to the classic one made of username (email) and password: two-step authentication (2FA). This involves an external verification element (such as an SMS on the mobile phone) to log in even after entering the email and the related password. In this way, even if someone manages to get all the sensitive information, it is highly unlikely that they will also have access to our mobile phone. It is the safest system available today, and it is no coincidence that online banks and credit card transaction systems make it mandatory (although for some it represents a tedious procedure). Read the discussion dedicated to two-factor authentication: Two-factor authentication: what it is and how it works. Famous services compatible with this type of access are: Google, Facebook, Twitter, Yahoo, eBay, Amazon, Outlook and many others.
- Different passwords for each site or online service: another basic rule, often ignored and underestimated by most people. The fact that a site has been compromised and our password stolen may mean nothing if it is a service we have not used for years; the problem is that the same username + password combination is often the one we use for other, more important sites! We must not risk that, following an attack, all the accounts we own are also compromised because (out of laziness) we used the same password everywhere. In this case the password managers of the next point come to our aid.
- Choose a good password manager: to help us generate fairly complex passwords and at the same time remember a different one for each site, password management systems help us; the safest and most famous are 1Password (highly recommended) and LastPass. Covering these programs (also available as browser extensions) would require an in-depth article of its own, but know that they can notify us after a "data breach" (incident) has been made public and advise us to take action when our password is found stolen and available "publicly".
On the subject of passwords and security, rivers of words could be spent; in general, in addition to the advice given above, it is always preferable to use a good antivirus and to protect your connection via VPN: both are ways to prevent "direct" attacks on our machines rather than the "indirect" attacks we have discussed at length in this article.
What to do if an account has been stolen
Having discovered that one of our passwords, or the combination of username and password, has been stolen and made publicly available, we can take some precautions. Obviously we need to learn about the compromise as soon as it happens, which is why the notifications offered by password managers are recommended (see point 4 of the previous paragraph). Let's see some suggestions on the actions to take:
- We change passwords: it is the first thing to do. Having ascertained that site X has suffered an attack that revealed our credentials, we must immediately change the password. Many sites, after a mea culpa, will warn us of the attack themselves and force us to reset the password. It is often useful to also change the login (usually the email), if the site in question allows it. Read how to change your Gmail password or change your password on Facebook for two of the most important sites.
- We check whether the email and password combination has been used elsewhere: after discovering that site X has inadvertently released usernames and passwords, we must check that the same ones have not been used on other sites. An attacker could take the information from the compromised site and use it to attack another site by trying the same combination of credentials. See also what is written in point 3 of the previous paragraph. We therefore also change the password on every other website or online service where it was used.
- We avoid panic if we cannot access the stolen account: if we notice that our account and password have been stolen, we must not panic if we are no longer able to log in. It is possible that the site itself has deliberately blocked access to the hacked account and is requesting a verification via email to restore it. It can also happen that someone managed to log in and change the password; if we still control the email, we can always generate a new password via a reset.
What are the most famous data breaches updated to 2019
Let's see which attacks on passwords have taken place so far (December 2019). Note that, in addition to more or less famous sites and apps, real password databases are also being distributed. These databases are collected and used by hackers in the form of gigabyte-sized collections of files available for download.
To date, there are almost 7 billion accounts with stolen passwords in circulation. The latest attack involved 16 websites (source) in November 2018:
Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), Animoto (25 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), Fotolog (16 million), 500px (15 million), Armor Games (11 million), BookMate (8 million), CoffeeMeetsBagel (6 million), Artsy (1 million), and DataCamp (over 700,000).
Attacks on famous web services that have suffered accidents and exposed passwords:
In November 2018, the Italian Society of Authors and Publishers suffered an attack in which 4GB of data were stolen. The passwords and accounts involved are around 14,000 (nothing significant compared to the other websites, but it involves us directly as Italians).
A bad blow in 2016 for the social network dedicated to work, which led to 164 million emails exposed together with plaintext passwords. In this case, the compromise was made public only after several years.
One of the most imposing attacks dates back to 2008 and involved the music social network now practically abandoned after the advent of Facebook: 360 million passwords were stolen, sold on the "black market" and then made public (in 2016).
Comment system used on WordPress and many other sites. It was a theft of email addresses, passwords and usernames (about 17.5 million) that became known only after 5 years.
- Dropbox: the well-known cloud system was attacked in 2012, and only in 2016 were users advised to change their passwords. Fortunately, two-step authentication is available today.
A blogging platform little used in our country; the attack led to 65 million accounts with compromised passwords.
- vBulletin: PHP software for managing online forums. It was widely used in the past, and in 2015 it was the victim of a very serious incident which, in addition to passwords, exposed personal information, social network identities and IP addresses.
A huge database of encrypted passwords (153 million) with usernames and email addresses. In 2013 the giant suffered a major attack due to poor security protections.
Streaming video sharing platform that exposed more than 85 million user accounts with email and password in 2016.
Online image sharing community that suffered an attack in 2013 that came to light only years later (in 2017).
Russian social network, also used by us for more or less lawful purposes; in 2012 it suffered an attack that led to the public exposure of around 100 million accounts.