
Spooky Insight: Your Passwords May Already Be Public


Every year we see national headlines about big corporate data breaches: "Target Data Breach Spilled Info On As Many As 70 Million Customers", "Under Armour says data breach affected about 150 million MyFitnessPal accounts", "Yahoo Says Hackers Stole Data on 500 Million Users in 2014".

Interesting, right? You might not think so. What if the headline read something more like, "Your email and password are being shared by basement-dwellers and terrorists on the internet right now"? Now that's a slightly more interesting story.

What I'm about to show you should be terrifying — it should change the way you protect yourself in the digital world. This is the story of what I found when I checked to see if any of my friend's accounts had been compromised in a data breach.

Have I Been Pwned?

You might imagine that you'd need to visit a shady back-door cafe under the freeway to browse the secrets of the internet. Fear not, you can embark on this journey from the comfort of your living room sofa! That was my exact location as I explained to my friend Jason that we could search for his email address online and see if his passwords were available. "Do you want to see how deep the rabbit hole goes?" I asked Jason in my best Morpheus impression (it's a scene from the Matrix).

gulp
Jason's response as he realized I wasn't bluffing.

I opened a laptop and visited haveibeenpwned.com, a free service that lets you enter your email address and see which known data breaches it has turned up in. Go ahead, try it right now. I'll wait.

When I typed Jason's email address into the search bar, we received an exclamation: "Oh no! You've been pwned!" Further down, the results showed that his address had been involved in 16 breaches and found in 10 pastes (dumps of stolen data that someone has posted on a public text-sharing site).

"Have I been Pwned" search results


Scrolling down the page reveals a summary of data breaches which have leaked his information in the past. A textbook rental service, housing design website, and a live auction house were just a few of the sites which had been storing his information when they were compromised.

"Man, I totally forgot about that website. Hackers stole my information from these accounts? Where is it now?" Jason asked.


At the very bottom of the results page was a list of "pastes." A "paste" is a block of stolen data that has been dumped onto a public text-sharing site. Some of the pastes had obscure-looking source names like "xn--e1alhsoq4c.xn--p1ai" (not a filename but a Punycode-encoded domain name; "xn--p1ai" is the Russian .рф top-level domain), and the column listing the number of email addresses in each paste showed that this one contained over 4 million.

"Wait, is my information in that file?" Jason said in disbelief.

We opened the file, hosted on a Russian website, and used the browser's find-in-page search to look for his email address. This was a large file, so it took some time. Each line held an email address and its password separated by a colon, the standard "combo list" format that automated login tools consume directly. Weak passwords like "bernie06", "experts", and "paperplanes" were common. The odds are very good that these people use the same passwords for their social, professional, and banking accounts, and that is exactly what attackers bet on when they replay a list like this against other sites (so-called credential stuffing).

The browser finally spit out the search result, "1 Result. jason1983@mailaol.com:ATLfalcons" and Jason spit out his beer. Shocked, Jason yelled, "I've used that password for everything since college!"
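Searching a dump by hand in a browser works once; the same check against several addresses, with the common passwords tallied the way the paragraph above does by eye, is a short script. The following is an added example, not code from the original post, and the combo-list lines it parses are constructed for the example rather than taken from any real paste (the address from the story is included only because the post already prints it):

```python
import collections
import re

# Constructed sample of a combo-list paste (email:password, one pair per line).
# These lines were made up for this example; they are not from any real paste.
SAMPLE_PASTE = """\
alice@example.com:bernie06
Bob.Smith@Example.org:experts
carol@example.net:paperplanes
jason1983@mailaol.com:ATLfalcons
this line is not a credential pair at all
dave@example.com:bernie06
erin@example.com:p@ss:with:colons
"""

# One address, a colon, then the password. The address may not contain
# whitespace or a colon; the password is everything after the FIRST colon,
# because passwords themselves can contain colons.
CRED_RE = re.compile(r"^([^\s:@]+@[^\s:@]+):(.+)$")


def parse_combo_list(text):
    """Yield (email, password) pairs from a combo-list dump.

    Lines that do not look like email:password are skipped rather than
    aborting the search; emails are lower-cased so that case differences
    in the dump do not hide a match.
    """
    for raw in text.splitlines():
        m = CRED_RE.match(raw.strip())
        if m:
            yield m.group(1).lower(), m.group(2)


def find_emails(text, emails):
    """Return {email: [passwords...]} for every address in `emails` that appears."""
    wanted = {e.strip().lower() for e in emails}
    hits = {}
    for email, password in parse_combo_list(text):
        if email in wanted:
            hits.setdefault(email, []).append(password)
    return hits


def most_common_passwords(text, n=3):
    """Tally passwords across the whole dump; reused ones rise to the top."""
    counter = collections.Counter(pw for _, pw in parse_combo_list(text))
    return counter.most_common(n)


def mask(password):
    """Keep only the first and last character so a result can be shown safely."""
    if len(password) <= 2:
        return "*" * len(password)
    return password[0] + "*" * (len(password) - 2) + password[-1]


if __name__ == "__main__":
    # Case-insensitive lookup: the dump may spell the address differently.
    for email, passwords in find_emails(SAMPLE_PASTE, ["Jason1983@MailAOL.com"]).items():
        print(email, [mask(p) for p in passwords])
    print(most_common_passwords(SAMPLE_PASTE, n=2))
```

To run it against a real download, read the file into `text` and pass your own addresses to `find_emails`; keep the output masked if you share it, since the point is to confirm exposure, not to spread the passwords further.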

How to Harden Your Personal Cybersecurity

If you're like Jason and find that your passwords are lying bare for the entire Internet to see, you need to spend some time getting your house in order.

First, stop using the same password for every account. Personally, I recommend using a password manager such as LastPass that generates a unique random password for each site and stores it for you, so that one breach exposes one account instead of all of them.

Secondly, log in to each of your existing accounts and change its password, starting with your email account (it can be used to reset every other one) and any account that shared the leaked password. Make every new password unique and random rather than a small variation of the old one, and make sure each meets the site's minimum requirements.

Thirdly, and this is an extra-but-invaluable precaution, we recommend enabling "2-factor authentication" (2FA) on every account that offers it. With 2FA on, a leaked password alone is not enough: the attacker also needs the second factor, such as a code from an app on your phone, a hardware security key, or a code sent to you. An authenticator app or hardware key is the stronger choice, because codes sent by SMS or email can be intercepted or phished, so treat 2FA as a backstop for unique passwords rather than a substitute for them.
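The two practical pieces of the steps above, generating a random password and checking whether a password is already in breach data without handing the password to anyone, fit in one script. This is an added example, not code from the original post. It uses the real Pwned Passwords range endpoint of haveibeenpwned.com (only the first five hex characters of the password's SHA-1 hash are sent; the service returns every hash suffix with that prefix and the lookup finishes locally), but the sample response embedded below is constructed so the script runs offline; the counts in it are made up, and the User-Agent string is an arbitrary label.

```python
import hashlib
import secrets
import string
import urllib.request

# Real endpoint of the Pwned Passwords range API. Only the first five hex
# characters of the SHA-1 hash are ever sent to it (k-anonymity lookup).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API's response to the prefix 5BAA6, which is
# the prefix of SHA-1("password"). Format is SUFFIX:COUNT, one per line;
# the other suffixes and all counts are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000
3C5F5C2B9F1D84A3A6E1A6C1E2D5C0F7B13:0
"""


def sha1_prefix_suffix(password):
    """Split SHA-1(password) into the 5-char prefix sent to the API and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, range_body):
    """Find our suffix in a SUFFIX:COUNT range response; 0 means not seen."""
    for line in range_body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix):
    """Fetch the range for a prefix from the real API (needs network access)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-password-check-example"},  # arbitrary label
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range=fetch_range_live):
    """Times the password has been seen in breach data (0 = not found).

    The full password never leaves this function; only `prefix` is sent.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def generate_password(length=20):
    """Random password containing at least one lower, upper, digit and symbol,
    so it clears the usual minimum-requirement checks on sign-up forms."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    # Offline demo against the constructed sample; pass fetch_range_live
    # (the default) to query the real service instead.
    offline = lambda prefix: SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
    print("password ->", pwned_count("password", offline), "times")
    new_pw = generate_password()
    print("generated ->", new_pw, "seen", pwned_count(new_pw, offline), "times")
```

A non-zero count is the signal to retire that password everywhere it is used; a count of zero only means it has not shown up in the corpus, not that it is strong, which is why the generator and the check go together.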

Employees Are Susceptible Too

If you scrutinize the email addresses in the pastes, you'll see that many of them are on company domains: employees signed up for third-party sites with their work address, and if they reused their work password there, it is now in public hands too. What is your company doing to protect employees and customers from cybersecurity threats?

Contact our team at Omni Strategic Technologies for a discussion about ways to assist you and your employees be more resilient, prepared, and aware of their role in being cyber secure. Cybersecurity is everyone's responsibility!
