42 million usernames and passwords found in files on free hoster
Have you ever wondered where all the personalized phishing mails come from? Or how cybercriminals might know your name, username, and password? While most of this data comes from data breaches (and there are a lot of them) and is sold on the Darknet, some criminal entities apparently like to share the valuable information with everyone.
755 files, 1.8GB of data
According to Troy Hunt from troyhunt.com, a huge file dump with lots of data was found on the free, public, anonymous hosting service Kayo.moe. The files contain information like email addresses, clear-text passwords, partial credit card data, Spotify details, and different logs.
If you are thinking that there was an enormous data breach somewhere, hold your horses. Apparently the files were not stored in a unified file format, and even the Spotify details don’t mean that the music streaming service was hacked. All in all, everything indicates that this is just a very large collection of user data from different sources, conveniently packed for cybercriminals to use in their next endeavors.
Dangerous for everyone
Now a lot of people might wonder who is at risk and why breaches – or even just data collections like this one – are dangerous. The reason: password reuse. A lot of people are lazy and reuse their passwords for several accounts. This is exactly what cybercriminals are hoping for. They will simply try the username/password combination at a lot of different well-known services in order to break into the accounts and wreak havoc.
Was my account in the mix?
42 million records is a lot. Not all of them are new, though: According to troyhunt.com, 93% of the data in the files were already in databases like the one of the Identity Scanner and similar services. Nonetheless, you should make sure that your user information is not among them. To do so:
- Visit the Identity Scanner page
- Enter your email address
- Confirm you’re a real human by checking the check box and click on “Scan now for evidence of identity theft”
If you see the message “Your personal data has been compromised” you should take action immediately.
Change your passwords – NOW!
Was your password in a recent (or not so recent) data breach? Then you should change it immediately, following the security tips below:
- Use a unique password for each of your accounts. When a website gets hacked, one of the first things the bad guys do is check whether your username/email address/password combination works on other (high-profile) pages.
- Your password should consist of at least twelve characters – the more the better. It should include upper- and lower-case letters, numbers, and special characters.
- Try and create passwords that can’t be found in a dictionary. Hackers nowadays have programs that cycle through dictionaries to check if they can access your account.
- Don’t use character strings like 12345, abcde, qwertyui, etc.
- Use passwords that can’t be associated with you: Your dog’s name, the birthdays of family members or yourself, or your favorite sport are not a good idea.
- Change your password regularly – especially when it comes to your email and online banking/online payment accounts.
- Don’t write down your passwords and never ever share them.
If you have trouble coming up with a good, strong, and complex enough password you can always use a good Password Manager to help you out.
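The checklist above can be applied mechanically to a list of your own accounts. The following Python example is an addition to this article, not part of the original text; the sample vault, the personal terms and the small word list are constructed for illustration.

```python
import re

# Constructed sample data (not real credentials): account -> password.
SAMPLE_VAULT = {
    "mail": "Rex2009!",
    "bank": "Rex2009!",
    "shop": "qwertyui12345",
    "forum": "v7#Lq9!tZp2&wXe",
}
SAMPLE_PERSONAL = ("Rex",)                 # assumed: the dog's name
SAMPLE_WORDS = ("password", "sunshine")    # assumed: a tiny stand-in dictionary

SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
CLASSES = {"upper-case": r"[A-Z]", "lower-case": r"[a-z]",
           "number": r"[0-9]", "special": r"[^A-Za-z0-9]"}

def has_sequence(pw, run=4):
    """True if pw contains `run` adjacent characters of an alphabet,
    digit or keyboard-row sequence, forwards or backwards."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False

def check_password(pw, personal=(), dictionary=()):
    """Return the list of tips from the article that pw violates."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    problems += [f"no {name} character"
                 for name, pat in CLASSES.items() if not re.search(pat, pw)]
    if has_sequence(pw):
        problems.append("contains a character sequence")
    low = pw.lower()
    if any(w.lower() in low for w in dictionary):
        problems.append("contains a dictionary word")
    if any(p.lower() in low for p in personal):
        problems.append("contains personal information")
    return problems

def audit_vault(vault, personal=(), dictionary=()):
    """Check every password and flag passwords shared between accounts."""
    report = {a: check_password(p, personal, dictionary) for a, p in vault.items()}
    for acct, pw in vault.items():
        others = [a for a, p in vault.items() if p == pw and a != acct]
        if others:
            report[acct].append("reused on: " + ", ".join(others))
    return report
```

Calling `audit_vault(SAMPLE_VAULT, SAMPLE_PERSONAL, SAMPLE_WORDS)` returns an empty list for the `forum` entry and lists the violated tips for the other three accounts.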