Latest news with #HaveIBeenPwned

Mint
2 days ago
16 billion passwords: How bad is the 'world's largest data breach'?
New Delhi: On 19 June, a report by cybercrime and data breach reporting platform Cybernews said that a collection of 30 live databases was found with information stolen from individuals around the world—collecting what was claimed as 16 billion passwords and their corresponding credentials. The details reportedly belonged to users who had accounts on the most popular online services—Apple, Facebook, Google and others. Has the breach in question really put most users of the internet at risk? Perhaps not—Mint explains why.

What really happened in the alleged data breach?

Cybersecurity researchers that Mint spoke with said that the breaches in question were not strictly new or a single consolidated breach, as early reports had claimed. Instead, the new databases are more like master databases where breached information gathered over almost the past decade was put together by an unidentified group or entity.

To put it simply, data breaches occur from either unsecured online databases that cyber criminals scrape to collect information, or as part of cyber attacks on large online platforms that lead to the leakage of sensitive information. The largest known data breach so far occurred in 2016, when cyber attackers breached the entire database of one-time search and mail giant Yahoo—stealing over 3 billion passwords and related user credentials at one go.

Four cybersecurity researchers that Mint spoke with said that the 'master' database with 16 billion passwords and other corresponding data—such as name, email addresses, dates of birth and other personally identifiable information (PII)—is likely a collection of multiple breaches, dating back to 2015.

Is such a widespread data breach even possible?

While no number of breaches is outside the realm of possibility, most researchers stated that a single breach exposing such a massive volume of sensitive information at one time is highly unlikely.
"There are estimates of over 5.5 billion unique users on the internet. Given that any average individual would have at least two or three emails, plus accounts linked with around 10-15 online services—served by an average of around five unique passwords, an extrapolated hypothesis can be that a breach of 16 billion passwords would likely impact over 40% of all internet users globally. For this to happen in one single coordinated data breach would be akin to all of Europe, Asia and then some more being compromised at one go—which is nearly unthinkable even in today's cybersecurity climate," said an independent cybersecurity researcher who closely works with various government departments, requesting anonymity.

Mint could not independently access the alleged database in question or verify whether the information is updated. However, a scroll through cyber breach tracker Have I Been Pwned, run by noted cyber security professional and Microsoft regional director for the US, Troy Hunt, indicated that passwords that have been in use on Apple, Facebook and Google's platforms since at least 2018 have not surfaced online in the repository's list of breached passwords.

To be sure, Have I Been Pwned is a public repository that regularly scrapes dark web databases for leaked passwords, such as the one mentioned here.

What should users do in this regard?

Cybersecurity experts stated that, irrespective of whether their passwords appear in breach trackers such as the one cited above, updating passwords once every six months is prudent.

Heather Adkins, vice-president of security engineering at Google, said that as part of its global endeavours to ramp up cybersecurity, the company is in the process of collaborating with Apple, Microsoft and others in a global 'Fido Alliance'—which seeks to establish 'passkeys' as a standard for login.
"Passkeys reduce the dependency on passwords, and thus reduce how breaches occur by using the biometric authentication information that is stored on users' phones and laptops. The benefit here is that attackers cannot breach biometric information even if they want, since they require on-device authentication. Various emails and other logins are steadily shifting to passkeys in this regard," Adkins said.

Sidharth Mutreja, cofounder and chief technology officer of homegrown enterprise security consultant Rockladder Technologies, added that a second step is to "enable two-factor authentication."

"As a second layer of security, users should always either use one-time password-based additional verification or use authenticator apps to ensure that their accounts and personal information are not breached even if a password is compromised. Additionally, it's important to ensure that any caller or email sender is personally verified before they are responded to," he added.

For now, though, each of the researchers agrees that no user is at "immediate risk of losing access to all of their accounts"—even though initial reports projected widespread risk, unlike what was seen before.

Can attackers still leverage the information?

Unfortunately, yes. The presence of such databases means that attackers with deep pockets and ill intent can pay to access such databases and use the information for a wide range of tasks. These include actions such as 'spear phishing'—where attackers use available information about individuals to closely impersonate a potential acquaintance, and dupe them financially or otherwise.

To be sure, such attacks have become common in India in the form of 'digital arrests' and originate from such databases. A single, coordinated database could thus be a crucial indirect resource for attackers, even if they do not immediately cause any direct harm to users.
Will companies handle damages and fallouts, if any?

Mutreja said that a coordinated database that collates all breached information under one umbrella "could create significant liability for enterprises in terms of securing their own platform with database monitoring tools—and put the onus on consumers to instantly and continuously change their passwords."

"There's no one set law that dictates if a company should be liable for a public database—unless a breach in question directly correlates to a company specifically. In such a case, users can directly raise questions on whether companies should have better protected their data. In this case, though, this does not hold," he added.

Apple, Facebook and Google—the three major service providers whose information was a part of the breach as per the original report—have not issued any statements or patches pertaining to a data breach of such stature.


Times of India
5 days ago
Amid password breach, how can you check if your data is leaked? Learn here
In one of the largest data breaches in recent history, a staggering 16 billion passwords have been leaked online, raising urgent concerns about digital security across the globe. The leak, believed to be a compilation of credentials from multiple past and ongoing breaches, is being dubbed the 'mother of all breaches' by cybersecurity experts. If you're worried your information might be part of the leak, you can check by entering your email ID at HaveIBeenPwned. This trusted site will show whether your credentials have been compromised in any known data breaches.

What to do if your data is exposed?

If your data has been exposed, change your passwords immediately. Make sure your new passwords are strong, unique, and not similar to ones you've used before. Also, avoid using the same password across multiple platforms. Using different passwords for different accounts adds an extra layer of security and can help limit the damage in case of future breaches.


Economic Times
5 days ago
Amid password breach, how can you check if your data is leaked? Learn here
In one of the largest data breaches in recent history, a staggering 16 billion passwords have been leaked online, raising urgent concerns about digital security across the globe. The leak, believed to be a compilation of credentials from multiple past and ongoing breaches, is being dubbed the 'mother of all breaches' by cybersecurity experts. If you're worried your information might be part of the leak, you can check by entering your email ID at HaveIBeenPwned. This trusted site will show whether your credentials have been compromised in any known data breaches.

What to do if your data is exposed?

If your data has been exposed, change your passwords immediately. Make sure your new passwords are strong, unique, and not similar to ones you've used before. Also, avoid using the same password across multiple platforms. Using different passwords for different accounts adds an extra layer of security and can help limit the damage in case of future breaches.

Business Insider
5 days ago
A massive trove of 16 billion stolen passwords was discovered — here's what to do
Researchers say they've uncovered one of the largest data leaks in history that involves many popular platforms. The leak includes nearly 16 billion login credentials that could give cybercriminals access to social media and business platforms such as Apple, Gmail, Telegram, Facebook, GitHub, and more, researchers at Cybernews said this week.

Bad actors now have "unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing," the researchers said. The number of exposed people or accounts is unknown.

The researchers said the data likely comes from malicious software known as infostealers. "What's especially concerning is the structure and recency of these datasets — these aren't just old breaches being recycled. This is fresh, weaponizable intelligence at scale," the researchers said.

Cybernews said researchers uncovered the leak when the datasets were exposed for a short period of time. It follows the May discovery of a database containing more than 184 million credentials, including Apple, Facebook, and Google logins, Wired earlier reported.

If you're nervous that your logins are at risk, there are steps you can take to make your account safer.

How to protect yourself

You can't unring the bell of an information leak. However, you can take steps to identify if your credentials have been involved in any data breaches and protect yourself in the future. You can check sites like Have I Been Pwned to see if your email has appeared in a data breach. Turning on two-step authentication for your accounts can also help protect them from unauthorized access.

Platforms also offer resources to help users secure their accounts. Google encourages users to use protections that don't require a password, like a passkey. It's one of the tech giants, along with Apple, Amazon, and Microsoft, that have been working to move users away from passwords to help secure their accounts.
For those who prefer to stick with passwords, Google's password manager can store login credentials and notify users if they appear in a breach, a spokesperson told Business Insider. There's also Google's dark web report, a free tool that tracks whether personal information is floating around in online databases.

GitHub, an online coding platform, offers developers a guide on how to implement safety measures in their organizations. The site recommends creating a security policy, having strict password guidelines, and requiring two-factor authorization.

The data leak included logs — "often with tokens, cookies, and metadata," which makes it "particularly dangerous for organizations lacking multi-factor authentication or credential hygiene practices," the Cybernews team said.

Meta offers a Privacy Checkup tool for users to review their privacy and security account settings. There, you can turn on two-factor authentication and ensure Meta alerts you of unusual logins.

Meanwhile, Telegram said its primary login method sends a one-time password to users over SMS. "As a result, this is far less relevant for Telegram users compared to other platforms where the password is always the same," a Telegram spokesperson told BI about the data leak.

Apple, GitHub, and Meta did immediately respond to a request for comment on the data leak. Google said it was directing users to some of the security resources above.


Int'l Business Times
5 days ago
Google Passwords Leaked: How to Check If Your Account Has Been Compromised
A team of cybersecurity experts has uncovered what appears to be the largest data breach in history, with billions of passwords and personal details reportedly leaked. The massive breach affects users of Google, Apple, Facebook, Telegram and GitHub, sparking global concerns about data security. If you're worried about your information being exposed, here's how to check if your Google account has been compromised, along with key tips to help protect your data from future threats.

How to Check If Your Google Account Has Been Compromised

According to Econotimes, Google has not officially confirmed whether its systems were directly affected by the breach. However, logs from infostealer malware indicate that login credentials linked to Google accounts have been compromised.

To check if your account has been exposed, you can use the trusted online tool 'Have I Been Pwned' (HIBP). This website allows users to verify whether their email address or phone number has appeared in known data breaches by scanning a vast database of leaked credentials. HIBP has been active for over a decade and is widely trusted by cybersecurity experts, government agencies and businesses. It has supported cyber response efforts in the UK, Australia and other countries during major attacks on government domains.

To use HIBP:
- Search for 'Have I Been Pwned' on Google or visit the official website.
- Enter your email address into the search bar.
- Click the 'pwned?' button to check your breach status.

If the result says '0 data breaches', your account is likely safe. If a list of breaches appears, you should immediately change your Google password and secure any linked accounts.

Tips to Protect Your Google Account

Even if your account hasn't been compromised, taking proactive steps can reduce the risk of future exposure. Cybersecurity experts recommend the following:
- Use a trusted password manager to generate strong, unique passwords.
- Enable Google's two-factor authentication (2FA) for an extra layer of security.
- Review and remove unknown devices linked to your Google account.
- Clear search history and cookies regularly.
- Monitor account activity using Google's 'Recent Security Events' feature.
- Run a malware scan to check for infostealer software on your devices.

In addition, regularly audit third-party app access and avoid reusing passwords across accounts. These simple steps can significantly lower the risk of falling victim to future data leaks.

What We Know About the Massive Password Leak

Cybernews researchers Aras Nazarovas and Bob Diachenko were the first to uncover the breach, which they began investigating earlier this year. Initial estimates indicated between 10 million and 3.5 billion compromised credentials. That figure has now grown to a staggering 16 billion records, covering accounts from social media, cloud platforms and developer portals.

'With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft and highly targeted phishing,' the researchers warned. They added: 'What's especially concerning is the structure and recency of these datasets — these aren't just old breaches being recycled. This is fresh, weaponisable intelligence at scale.'

Originally published on IBTimes UK