How To Check If Your Account Passwords Have Been Leaked Online

Douglas has worked for almost six years as a senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

It seems that hardly a week goes by without another shocking data breach that affects millions of ordinary internet users making the headlines. But what is a data breach, how can one affect you, how do you know if your data has been breached, and what can you do if it has? 

A data breach is any unintentional release of secure or private data. This can include classified information belonging to the military, sensitive information relating to corporate assets. The term is most widely used, however, to describe the unintentional release of data that jeopardizes the privacy and security of ordinary members of the public. 

Most commonly, this is in the form of customer databases leaked in some way by private companies, although the danger governments leaking even more sensitive healthcare information and the like is very real. 

The information exposed by data breaches often include things like customers’ names, email addresses, usernames, passwords, postal addresses, order history, and even bank payment details.

Data breaches can be accidental, can result from the actions of internal staff members (for example whistleblowers or disgruntled employees), or from the actions of external hackers.

Most such hackers are simple criminals, although motives may also include political activism or simple bravado by the kids keen to build a reputation within the hacker community. Regardless of motive, once the information is within the public domain it is almost certain to be exploited by criminals. 

In hacker speak, to pwn something is to own it. The ‘;–have I been pwned? the tool below will help you find out if private details belonging to you are available on the internet by searching a wide range of leaked databases to see if any of them contain your email address. 

Are data breaches on the rise?

It’s not just your imagination, data breaches are indeed on the rise. And not only are they becoming increasingly common, but the scale (number of people affected) and scope (sensitivity of the information leaked) of the beeches has been getting steadily worse.

It is estimated that in 2019 some four and a half thousand records are lost or stolen every minute, adding up to over 6 million records every day! Between 2017 and 2019 there was an 88 percent increase in the number of people affected by health data breaches.

The total number of data breaches in the United States rose 44.4 percent between 2016 and 2017, although this dropped to 13 percent in 2018. These figures belie the scale of the problem, though, as the total number of records exposed between 2016 and 2018 is rose 1117 percent to a staggering 446.5 million!

Which companies have had data breaches?

It could almost be asked which companies haven’t had data breaches! What follows, however, is a list of the world’s biggest data breaches over the last few years.

Who

When How big Severity Type of data Encrypted?
Yahoo 2013-14 3 billion (!!!) users Moderate Emails, passwords, phone numbers. But  Most (but not all) details were hashed using strong bcrypt algorithm).
Marriott International 2014 500 million customers Severe Contact info, passport numbers, credit card details, travel plans.  No.
Adult Friend Finder 2016 412.2 million users Very high Names, email addresses, passwords.  Hashed using weak SHA1 algorithm. Within 1 month 99% had been cracked.
eBay 2014 145 million users High Names, addresses, dates of birth, passwords. Passwords were hashed using a proprietary measure. it is not known how strong these are. 
Equifax 2017 143 million US consumers. Severe Social Security Numbers, birth dates, addresses, driver license numbers. 209,000 unlucky consumers also had their credit card data exposed. No.
Heartland Payment Systems 2008 134 million credit cards Severe Credit card details No.
Target Stores 2013 Up to 110 million people Severe Names, addresses, emails, telephone numbers, credit card details No.
Uber 2016 57 million users + 600,000 drivers Moderate Names, email addresses, and mobile phone numbers No.
JP Morgan Chase 2014 76 million households and 7 million small businesses Moderate Names, addresses, phone numbers, and emails. No.

Will I be notified if my data is breached?

Between 2013 and 2014 Yahoo was the victim of the largest data breach ever recorded, but it did not make this information public until September 2016. Marriot, in 2013 victim of the second largest data breach ever recorded, waited until November 2018 before alerting its customers to the danger. 

This despite the fact that since 2002 all 50 states in the United States have passed data breach notification laws (although the last of these were only passed in 2016). In Europe, the 2016 General Data Protection Regulation (GDPR) mandates that companies report personal data breaches that “pose a risk to the rights and freedoms of natural living persons” to their supervisory authority. For example, the Information Commissioner’s Office (ICO) in the UK.

What history shows us is that faced with huge financial loss and damage to reputation, companies simply cannot be trusted to notify the public in a timely manner if their data was breached. Regardless of any laws requiring them to do so.

Have I been pwned

Use the ‘;–have I been pwned? a tool to scan a huge and continuously updated list of breached databases to discover if your email address has been involved in a (known) breach. 

The tool will tell you which databases your email address appears in, together with a brief history of the breach and a summary of the kind of information which was leaked and is now in the public domain. Try it!

Yikes! I’ve been pwned! What now?

Don’t Panic! Unless the beach is new, then it is unlikely you are in any immediate danger. If the beach is new and involves payment details then check your bank statements immediately.

Even if you find no suspicious activity, it is worth contacting your bank to alert it of the situation. In all likelihood, it will take precautionary measures such as reissuing your card. But even if doesn’t, you are then in a much stronger position to demand redress should money start to mysteriously disappear from your account. 

Regardless of the severity or time that has elapsed since the breach, you should immediately change your password (if the account is still active) and ensure that you have not reused that password across different websites. Indeed, re-use of passwords is arguably the single greatest danger posed by most data breaches.

In 2011, for example, Sony suffered a series of data breaches that resulted in far more than the 77 million customer accounts exposed from a single PlayStation breach that year becoming public.  In 2012, Yahoo Voice was hacked for 453,491 email addresses and passwords.

The analysis revealed that 59 percent of people whose password was exposed by the Sony hack was still using the exact same password on Yahoo a whole year later.  A further 2 percent had only changed the case. 

How to minimize the impact

How companies, social media platforms, and government organizations store and protect the data we give them to perform the service they provide is in large part out of our hands.  Despite overwhelming evidence that such organizations simply cannot be trusted to keep our sensitive data safe, we have no option but to trust them with it, anyway. C’est la vie.

We can, however, ensure that passwords obtained from a data breach cannot be used to access our other accounts.

Use a password manager

For every website and online service you use, you should create a strong password which is unique to that site or service. Note that 123456, the name of your pet, or of your favorite football team a are not a strong password. A genuinely strong password consists of a long string of random alphanumeric characters with mixed caps and (preferably) symbols. 

Of course, us poor humans often struggle to remember even one such secure password, let alone one for each website and online service we use! It is therefore luckily that computers can do the heavy lifting for us!

Password manager apps generate secure and unique passwords and then conveniently autofill them into website logins when required. They also sync across devices so they are always available when you need them. 

Here at ProPrivacy, we favor open source password managers such as KeePass and BitWarden, but any halfway decent password manager is lightyears ahead of not using one at all.

Two-factor authentication

One-factor authentication is something you know i.e. your login details, which can be compromised by a data breach. Two-factor authentication (2FA) uses an additional something you have to verify your identity. 

At present this second something is usually your smartphone. A verification code is typically sent to your phone via SMS messaging, or you verify a login via an authenticator app (often using biometric authentication such as a fingerprint).  

Enabling 2FA on your accounts makes accessing them without your permission all but impossible unless, in addition to your account details, a hacker also has physical access to your phone. 

LastPass Hacked, Change Your Master Password Now

LastPass Hacked, Change Your Master Password Now

Bad news first, folks. LastPass, our favorite password manager (and yours) has been hacked. It’s time to change your master password. The good news is, the passwords you have saved for other sites should be safe.

LastPass has announced on their company blog that they detected an intrusion to their servers. While encrypted user data (read: your stored passwords for other sites) was not stolen, the intruders did take LastPass account email addresses, password reminders, server per user salts, and authentication hashes. The latter is what’s used to tell LastPass that you have permission to access your account.

According to LastPass, the authentication hashes should be sufficiently encrypted to prevent anyone from using them to access your account. However, the company is still prompting all users to update their master password that they use to log in to their LastPass account. If you use LastPass, you should do this immediately. If you share that master password with any other services, you should change it there, too. Finally, if you haven’t enabled two-factor authentication you should do that immediately here.

We’ve talked about what happens if LastPass gets hacked before. As it stands, it doesn’t seem that this hack resulted in any significant data losses for users. However, it’s still important to take steps necessary to protect your account as soon as you can.

Note: It sounds like LastPass’ servers are getting hammered right now, so if your password change doesn’t go through, check back frequently through the day until it does.

LastPass Security Notice | LastPass Hacked