The message being carried across the Internet is: “Change your passwords now!”
Several large collections of login and password details from Apple, Facebook, Google, GitHub, Telegram, and other popular platforms and government services have surfaced online. Together they constitute one of the largest leaked datasets in the history of the internet, totalling around 16 billion exposed login credentials.
According to researchers at Cybernews who have been investigating these datasets and leaks, the data most likely originates from various infostealers, credential stuffing sets, and repackaged leaks. But there is no way to check how much data is truly unique. The datasets differ widely by size, geography, and language. For example, one of the biggest sets, containing around 3.5 billion records, seems to be related to the Portuguese-speaking population.
Ignas Valancius, head of engineering at cybersecurity company NordPass, tells Digital Journal readers to be careful:
“Users must be extra careful because information in the leaked datasets opens the door to pretty much any online service, from Facebook and Google to GitHub and Telegram. Even some government platforms were compromised.”
In terms of what to do, Valancius states: “I recommend changing passwords immediately before the threat actors start poking around in your accounts. You need to act fast because platforms like Google, Apple, or Facebook are the gateways to your entire digital life, especially if you store passwords in browsers and don’t use multi-factor authentication (MFA) or passkeys.”
The essential risk is this: “If hackers manage to get their hands on your password for Google, Apple, or Facebook, stealing your money and identity may be easier than taking candy from a three-year-old.”
Valancius cautions that real cases will be reported: “And I am sure that such cases will occur. The problem is – people reuse passwords. As many as 62% of Americans, 60% of Brits, and 50% of Germans admit doing so across multiple online accounts, our survey shows. People who do reuse passwords should immediately change all of their passwords, not only those that were leaked.”
However, there are ways to check for exposure: “To check if your or your company’s credentials have been leaked, you can use our online free Dark web monitoring tool or our password manager with its built-in authenticator and credential and credit card monitoring tools.”
There is something else to watch out for, cautions Valancius: “I would like to draw your attention to one more thing. After major data leaks, social engineering attacks tend to intensify, at least for a while. Breaches like this will probably expose a lot of people to social engineering attacks. So we all should be a bit more suspicious for some time.”
Furthermore, says Valancius: “Be wary of unsolicited emails and messages, even if they seemingly are from Google, your bank, or even the police. If you receive such messages, be extremely careful because links can lead to pages that are designed to steal even more of your data. If you are not sure about the email or a message, it is better not to click on the link.”
To maintain safety: “Go directly to that company, organization, or agency’s website, log in there (or contact it directly via phone), and check if the message is real. Do not click on any links and do not reveal your data to unknown people calling you.”
Valancius also advises: “And don’t get scared. Keep calm. Cybercriminals prey on confusion and ignorance. They try to scare people, hoping that victims will act on emotion. Don’t do that. Do not click on links that try to scare you or promise you riches.”
In terms of other remediations, Valancius advises: “I also recommend turning on multi-factor authentication. Anything – additional confirmation via email or phone, physical security keys, or biometric confirmation – is better than a password alone. And in cases like this, when passwords from digital gatekeepers leak, MFA could be your saving grace.
“Use passkeys wherever possible. Most future-forward websites allow logging in with passkeys, a new and alternative method of online authentication. This technology is currently considered the most promising alternative to passwords and is greatly supported by most tech giants, including Apple, Microsoft, and Google.”