Have you been asked to create a login on a site somewhere on the internet, with a username and password?
Of course you have; everyone has, thinking the supplied login credentials would be kept safe.
Hundreds of websites have had their databases plundered. If you know where to look, it's easy to find and download anywhere up to 2.1 billion user credentials. Some you must buy from shady sites, others are free, dumped on the internet, and many credentials work on multiple sites because people reuse passwords.
The huge amount of hacks has led to sites popping up that collect data leaked in breaches, and which provide early access to media for stories.
They may seem like a good public service at first, places you can use to check if your particular set of credentials have been leaked.
Admins can look at the data and work out if their sites have been breached and alert users, too.
However, when the operators go to great lengths to keep themselves anonymous, hide their sites behind reverse proxies such as Cloudflare and have commercial motives, you start to wonder who they're actually helping.
Some sites even attempt to "crack" or decode encrypted passwords in the data dumps. That crosses the line in my opinion, and marks the point where law enforcement should ask the site operators why they're not only storing large amounts of credentials, but making them easier to abuse by decrypting passwords.
Don't forget that those leaked credentials can, and have, been used to disclose sensitive personal information, commit identity theft and create financial havoc for people.
Data leaks hurt people and we must take them seriously.
My usual go-to person when it comes to these massive leaks is Australian Troy Hunt who runs haveibeenpwned.com where you can check if your logins have been leaked.
There are additional security measures such as two-factor authentication where you have to input a further code sent to you.
SHARE THIS QUOTE:
He is not anonymous. I have met him in person, and Hunt doesn't sell access to the data.
Hunt doesn't even store passwords, encrypted or not, because he recognises the risk in doing so. This means the only thing attackers (or government agencies) would get from his site is the usernames or email addresses used to register an account.
Even that can be sensitive information, if your username can be traced back to you, which in many cases is easy as people use their first and last names for emails. Sensitive breaches, like the 30 million-plus Ashley Madison and almost 41m Fling infidelity site accounts are not publicly searchable.
Haveibeenpwned.com provides a valuable service, and a frightening picture of how data breaches have got out of hand.
The alternatives to haveibeenpwned.com seem to be unaccountable businesses and I wouldn't want an unapproachable government department without the necessary geek skills to understand IT security to run a breach verification site either.
It's bad, and we're stuck with it.
The data breach situation is a mess, but can anything be done about it?
Not much, unfortunately. Even though it's been amply demonstrated that few, if any, systems are secure and that storing logins with user credentials on them are risky, there is no practical replacement for these.
There are additional security measures such as two-factor authentication where you have to input a further code sent to you, ideally via another network and on a different device than the one you're logging in with.
These, Hunt says, amount to "wallpapering over the cracks" but it's the best we have at the moment.
Never reuse passwords, make them complex, and try to use a unique email address for each account if it's feasible.
One big problem is the large number of abandoned or single-use accounts out there on the internet. It's difficult for users to keep track of the myriad of accounts they've created, and to remember the username and passwords for them.
Site operators can help here by making logins optional, and actively deleting unused accounts. You should delete unused accounts too, if you remember them (password managers can be helpful with this).
Be vigilant and keep an eye out for news of data breaches. That's really lame advice, and I'm sad to say it's the best I can provide at the moment.