What to do in the wake of a big data leak

Over the weekend, it was reported that 16 billion passwords were exposed in what is, by far, the largest breach in history. According to researchers at Cybernews, none of the exposed datasets had been reported previously, except one reported in late May, in which 184 million passwords connected to accounts from Microsoft, Google, Facebook, Instagram, Roblox and other organizations were shared on the dark web. That report by cybersecurity researchers said login credentials for financial accounts, health platforms and numerous other accounts were also exposed.

How to protect yourself from these data leaks?

While it’s not yet possible to know if you’ve been directly impacted by the bad actors who have accessed these databases, here are a few steps to take today to limit the potential damage:

Change your passwords

Start with the passwords for accounts that may have been affected by this data leak, such as Instagram, Facebook, Google or Roblox. From there, update the passwords for other sensitive accounts that you haven’t changed within the past year. Each new password should be unique to its account. This stops a cybercriminal from taking over several of your accounts by reusing the same exposed credentials, a technique called credential stuffing. Remember, when it comes to managing passwords, longer is stronger.

Use a password manager

The average person has well over 100 passwords, so when you’re creating unique passwords, it’s tough to remember them all. A password manager can store them and even come up with strong passwords for you. Additionally, many paid password manager subscriptions will alert you when your credentials are found on the dark web, so you’ll know exactly which passwords need to be changed.

Use multi-factor authentication (MFA)

This extra step can help stop a cybercriminal, even if they happen to have your password. Here’s how it works: After you put in your password, you need another thing (or factor) to make sure it’s really you trying to get in. This is often a code sent to your phone, a fingerprint scan, facial recognition, or even a security question only you know the answer to. See how to set up MFA on the accounts impacted by this data breach.

Watch for MFA Bombing attacks

If you have set up multifactor authentication, “MFA bombing” attacks are a cybercriminal’s way to get around it. The attacker will keep trying to log in to your account, knowing you’re receiving notifications, and hoping you’ll accidentally accept one or get fed up and finally approve one to make them stop. If you’re receiving MFA notifications that you didn’t initiate, change your account password immediately, as it likely means an attacker has your account credentials.
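For anyone who runs the sign-in side, the pattern described above (a burst of prompts the user did not start, sometimes ending in a worn-down approval) can be spotted in push-notification logs. This is an added example, not part of the original article; the log layout, result names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-prompt log: (timestamp, user, result).
# The field layout and the result names are assumptions for this example.
SAMPLE_EVENTS = [
    ("2025-06-23T02:10:05", "alice", "denied"),
    ("2025-06-23T02:10:40", "alice", "timeout"),
    ("2025-06-23T02:11:15", "alice", "denied"),
    ("2025-06-23T02:11:50", "alice", "timeout"),
    ("2025-06-23T02:12:30", "alice", "approved"),
    ("2025-06-23T08:59:10", "bob", "approved"),
    ("2025-06-23T13:02:44", "bob", "timeout"),
    ("2025-06-23T13:03:05", "bob", "approved"),
]


def find_mfa_bombing(events, window=timedelta(minutes=10), threshold=4):
    """Flag users with `threshold` or more rejected/ignored prompts inside `window`.

    Returns {user: {"prompts": n, "approved_after_burst": bool}}.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent non-approved prompts
    alerts = {}
    for ts_text, user, result in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"prompts": 0, "approved_after_burst": False})
                alert["prompts"] = max(alert["prompts"], len(q))
        elif result == "approved" and len(q) >= threshold:
            # An approval straight after a burst is the outcome the attacker wants:
            # treat the session as suspect and reset the password.
            alert = alerts.setdefault(
                user, {"prompts": len(q), "approved_after_burst": False})
            alert["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in find_mfa_bombing(SAMPLE_EVENTS).items():
        print(user, info)
```

A single missed prompt followed by a normal approval, as in the second user's events, stays below the threshold and is not flagged.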

Be alert for phishing attacks

Cybercriminals use stolen data to target victims via phishing attacks. These can occur over phone, text, email and even direct messages on social media. Do not click on any suspicious links, download files, or scan QR codes from unknown sources, and do not fall for a blackmail scam that uses these stolen passwords.

Limit what you share

Sophisticated cybercriminals are likely to combine the leaked data with other publicly available information to build profiles of potential victims. Most social media posts are public and contain pieces of personal information, such as the names of your kids or pets, your favorite sports team, or your anniversary or birthday. With your password and a bit of information about you, an attacker can run impersonation scams, such as posing as tech support, telling you that your computer has a virus and that they need remote access to your machine or money to supposedly fix the problem. Or they might pose as someone from your bank, asking you for your MFA code for “authentication.” Be careful what you share on social media, and consider removing your information from the internet where possible.