Cybersecurity Alert! Your Email Address and Password Are Probably Exposed

Sorry folks, but we’ve got bad cybersecurity news: it’s highly likely that your email addresses and passwords were exposed in what experts are calling “the largest breach to become public.” (Wired)

Luckily, the Interplay team is here to show you how to figure out if your data has been compromised – and, if it has, we’ll help you fix the problem too. Let’s get to it.

The Largest Breach – Here’s What Happened

In January 2019, cybersecurity expert Troy Hunt announced that he had been tipped off to one of the largest public collections of leaked data ever found. In its raw form, the massive, 87+ GB dataset contained more than 2.6 billion rows of email addresses and passwords. After Mr. Hunt cleaned up the data, it held:

  • Nearly 773 million unique email addresses (maybe yours)
  • Around 21 million unique passwords (also, maybe yours)
  • Over 1.1 billion unique combinations of email addresses and passwords

The data set, called “Collection #1” after its nomenclature on the internet, was stored on a popular cloud storage site (MEGA) before it was found and taken down. Then it was made available on a public hacking site.

Here’s the kicker: the breached data wasn’t even for sale. It was simply available to anyone who wanted it – completely for free.

How Was the Data Used?

While we can’t be sure how the breached data was used, it is clear that cybercriminals probably intended to (or possibly did) use the data for credential-stuffing attacks.

In a credential-stuffing attack, criminals typically use automation to throw email address/password combinations at a site to see if any of them grant access. It’s kind of like a trial-and-error method for breaking into online accounts.

Again, though, we can’t be sure any of the data was used… but with the astronomical number of email addresses and passwords uncovered in this trove, the odds are increased that one of your current or former email addresses and passwords was made available to cybercriminals. For free.

Ready to see if your data was breached? Head over to Have I Been Pwned and enter in your email address and common passwords to see if you’ve been hit. Have I Been Pwned is a fantastic cybersecurity resource named after a geek-speak term (to techies, “pwned” means “owned”). The site is run by Troy Hunt, the cybersecurity expert we mentioned earlier.

If you find that your data’s been breached, or you’re worried about future breaches, head back here to find out the fix for stolen passwords.

What to Do If Your Data Was Compromised

If you discovered that a current or former email or password was breached in the massive attack, you need to take 3 steps:

  1. Don’t Panic.

The fix is really important, but pretty darn easy to accomplish.

  1. Change Your Passwords.

Did you notice that the data breach contained nearly 36 times more email addresses (773 million) than passwords (21 million)? That tells us that a lot of people are still using the same password for multiple internet accounts. If that sounds familiar, it’s time to change that habit. All your new passwords should be 100% unique and should be strange combinations of numbers, letters, and symbols for maximum security. Use two-factor authentication whenever possible.

  1. Get a Password Manager.

Not sure how you’re going to remember all those new, weird passwords? Try a password manager. They’re simple to use, can exponentially increase your online security, and they often have free basic packages that provide the same rock-solid security as a premium version, but for only a small number of passwords (like, 50). We recommend Dashlane and LastPass, but there are lots of great ones out there. Once you’ve got your new passwords into your password manager, you’ll wonder how you got along without one for so long.

What to Do If You Want to Avoid Future Hacks

Whether or not you were a victim of this latest cybersecurity breach, it’s a good idea to tighten up your business’s security policies to prevent future attacks. Our recommendations for improving your online security and avoiding cyberattack will sound familiar… but you’d be surprised how few businesses have the time to keep up with these best cybersecurity practices.

  • Apply software updates and patches immediately on all devices, all the time
  • Use a firewall
  • Avoid public WiFi (and if you must use it, choose a VPN so you can mask your online activity)
  • Backup your computers and networks regularly and test your backups to make sure they work
  • Use virus protection on all your devices
  • Deploy a mobile device management strategy to wipe stolen or lost devices

Sound like a lot to keep up with? It is. That’s why many small business owners now rely on outsourced IT departments, called Managed Services Providers (MSPs), to take care of all the boring IT maintenance and administration work that effective cybersecurity requires.

Plus, when you work with an MSP, you’ll have someone else to turn to who can check your email addresses and passwords, isolate vulnerabilities, and deliver a report that helps you fix issues with ease.


In the Seattle area? Learn about your options for tailored cybersecurity services for your small business when you contact Interplay, one of Seattle’s leading MSPs.