1.1 Billion Logins Exposed in Huge Data Dump: What to Do

alceryes

Distinguished
Jun 11, 2004
Change all your passwords or start using a good password manager. Carry on with your day.

If you want, go to the 'Have I Been Pwned' website to check your email address/passwords. Although I know it's a 100% legit site, I only checked my email addresses. I just can't bring myself to type my passwords in for anything but actually authenticating using that password. Irrational, I know, but that's me.

Use common sense with your passwords.
If you don't want to use a password manager or use a different password for each and every single login, at least create tiered passwords so that you're not using the same password for your email or bank accounts (highest security) as you do for forums and registration services that you'll almost never use and don't gather critical info about you (lowest security). Usually, 4 or so tiers of passwords are good enough, if used properly.

Remember the authentication/account verification chain.
NEVER use the same passwords for services that are used to verify your identity with other services. Email and bank accounts are two of the big ones here. Most banks will email you about suspicious activity and/or for verification. If your passwords are different between the account that is compromised (bank, for example) and the account used for verification (email, for example), that will stop a would-be thief in his or her tracks.

Don't use Post-It note (or ePost-It note) security
It's best not to write down your passwords, but if you must, keep it behind some heavy security, like FaceID or fingerprintID. Also, if you do have a password list somewhere, make it only part of the puzzle. For example, if your password for Tom's Hardware site is Password456, list the password as Pa***6 (or something like that). That way even if someone gets that far 'inta yo bidness' they STILL don't have your actual passwords. The starred-out password should be enough of a hint for you to know which password it is.

InfoSponge16

Commendable
Aug 5, 2016
Paul, informing people of this type of activity is a good thing to do.

Changing passwords and even emails is a good thing to do.

I became aware of the issue reading online.

Through the article, they included info advising to check on haveibeenpwned.<<phishers

Remember that hackers use social engineering to get us to provide information, or phishing.

alceryes

Are you saying the haveibeenpwned website is actually a phishing site?
If yes, are you just guessing? Can you supply evidence to show this is the case?

Paul Wagenseil

Senior Editor
Apr 11, 2014
Have I Been Pwned is not a phishing site. The guy who runs it is a legitimate and well-known security researcher.

If you want to check your email address on Have I Been Pwned, that's on one page. If you want to check your password, that is on another page.

You will not be able to enter both credentials on the same page, and that's by design. Have I Been Pwned does not want third parties to use the site to check the validity of email/password combinations.
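The password-check page Paul describes is backed by the Pwned Passwords range API, which only ever receives the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix, so the password itself never leaves your machine. This added example (not code from the thread or from Have I Been Pwned) shows that client-side lookup; the range response embedded below is constructed for the example, and `fetch_range_http` is an assumed helper that queries the documented endpoint.

```python
import hashlib
from urllib.request import Request, urlopen

# Constructed stand-in for the body the range endpoint returns for prefix 5BAA6.
# Each line is "<35-char SHA-1 suffix>:<number of breaches>". The counts and all
# suffixes but one are made up; a real response has several hundred lines.
SAMPLE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3\n"   # suffix of SHA-1("password")
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\n"
    ),
}


def split_sha1(password: str) -> tuple:
    """Hash locally and split into the 5-char prefix that is sent and the
    35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means the hash was not in the corpus."""
    for line in range_body.splitlines():
        hash_suffix, sep, count = line.strip().partition(":")
        if sep and hash_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range_http(prefix: str) -> str:
    """Assumed network helper: GET the published range endpoint with only the prefix."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "range-lookup-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch_range=None) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).
    fetch_range lets callers inject an offline response instead of the HTTP call."""
    prefix, suffix = split_sha1(password)
    body = (fetch_range or fetch_range_http)(prefix)
    return count_in_range(suffix, body)


if __name__ == "__main__":
    offline = lambda p: SAMPLE_RANGES.get(p, "")
    print("password seen", check_password("password", offline), "times (sample data)")
```

The constructed `SAMPLE_RANGES` keeps the run offline; pass no `fetch_range` to query the real endpoint, and note that a third party who captures the request still sees only a five-character prefix shared by many hashes.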