IdentityForce LogoIdentityForce Logo
Protect What Matters Most.
People with Stolen Passwords
Posted on May 18, 2017 by in Data Breach & Technology, Personal

At IdentityForce, we try to let you know whenever we hear about major data breaches of any kind, and that includes when your favorite websites are hacked or compromised in some way. We’ve encouraged you to visit the website “Have I Been Pwned” to search your email address and see if any of your online accounts have gotten caught up in highly publicized data breaches—and to change your passwords right away if your discover anything.

But have you?

If not, and you know one or more of your online accounts have been compromised in a breach, you may want to change your passwords right now. Kromtech Security Research Center has discovered a dataset of more than 560 million login credentials that have been exposed by a leaky database. The insecure device was found during a routine security audit; as of right now, it’s still active and unprotected by a password.

The database appears to have about 243.6 million unique email addresses. Where did they come from, though? Troy Hunt of Have I Been Pwned reviewed a sample set of 10,000 and 98 percent were already marked as compromised on his website.

“That’s astronomically higher than what I’d see after loading a typical breach (usually 50 to 60 percent,” Hunt told Gizmodo.

Most of the accounts had been affected during previous data breaches at LinkedIn, MySpace, Adobe, Tumblr, DropBox, and other big sites. It seems like the owner of the database—who is being referred to as “Eddie” after a user profile was discovered—didn’t necessarily breach any systems or hack into companies to obtain these account credentials. More likely, he has amassed this enormous database over time by simply collecting credentials that other hackers have stolen and posted online.

Though this isn’t a new breach, this incident is an excellent reminder. If your account is compromised in a website breach, and you do not change your password, the problem doesn’t just go away when the company says that they’ve “identified and contained the security flaw/problem.” A cyber criminal may not use your login credentials as soon as they are leaked—they might wait weeks, months, or even years—but they can certainly grab them ASAP and hold onto them for future use.

You have no idea how much of your personal information could be floating around the Web right now without your consent, so be smart: change your passwords and consider using a password manager moving forward.