FBI reveals 630 million stolen passwords. (Image: Getty)

Just when you thought things couldn’t get any worse in terms of cybersecurity bad news this week, the FBI has revealed a staggering database of 630 million compromised passwords from multiple devices seized from a hacker. Here’s what to know and how to check if your passwords are on the danger list.

FBI Finds 630 Million Stolen Passwords On Seized Hackers’ Devices

Troy Hunt, the creator of the ingenious Have I Been Pwned and Pwned Passwords services, has confirmed that the Federal Bureau of Investigation has handed over a staggering list of 630 million compromised passwords to add to the HIBP database of 17 billion compromised accounts. The FBI has been sending Hunt compromised passwords for four years, as uncovered during the course of cybercrime investigations, but what’s concerning and almost unbelievable in equal measure is that the latest haul is from a single hacker.

“This latest corpus of data came to us as a result of the FBI seizing multiple devices belonging to a suspect,” Hunt said, adding that “the sheer scope of cybercrime can be hard to fathom, even when you live and breathe it every day.” To which I can only say, indeed it is.

It seems that the hacked passwords have come from open and dark web marketplaces, Telegram channels and, inevitably, infostealer attacks.

All of which means, of course, that not all of the 630 million credentials handed over to Hunt are going to be fresh to market, as it were. And, indeed, that appears to be the case following an initial HIBP team analysis: “We hadn’t seen about 7.4% of them in HIBP before,” Hunt confirmed, “which might sound small, but that’s 46 million vulnerable passwords we weren’t giving people using the service the opportunity to block.”

FBI Stolen Credentials Handover: How To Check If Your Passwords Are On The List

The good news is that all of the stolen credentials, all those compromised passwords, are now searchable from a single location, which leaves you a second or two away from discovering if any of yours are included.

Head to the Pwned Passwords service, and enter your password. Don’t worry, it’s perfectly safe and won’t put your passwords in any danger, just the opposite in fact. “No password is stored next to any personally identifiable data such as an email address,” Hunt said, “and every password is SHA-1 hashed.”
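To show why the check is safe, here is an added example (not code from the article or from HIBP) of the client-side logic a Pwned Passwords lookup uses: the password is SHA-1 hashed locally, only the first five hex characters of the hash are sent, and the returned list of matching hash suffixes is compared on your own machine. The range response body and the breach counts below are constructed stand-ins; the real service answers at https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent to the service and the 35-character
    suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per hash that shares
    the queried prefix. Entries with a count of 0 are padding the API can add
    on request; they are dropped so they never register as a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = no hit).
    fetch_range(prefix) returns the raw text for that 5-character prefix; in
    production it would GET https://api.pwnedpasswords.com/range/<prefix>."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the service. Only the real SHA-1 suffix of the
# word "password" is present; the other suffixes and all counts are made up.
_CONSTRUCTED_BODY = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    sha1_prefix_suffix("password")[1] + ":42",
    "01A4E9D0ED3C7F9B3B1A0E6C9D4B2F7A8E1:0",  # padding entry, must be ignored
])


def offline_fetch_range(prefix: str) -> str:
    """Offline fetcher: answers every prefix with the constructed body."""
    return _CONSTRUCTED_BODY


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-constructed"):
        print(pw, "->", pwned_count(pw, offline_fetch_range))
```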

Most importantly, do it now so you can change any passwords that are already compromised before your accounts fall victim to credential-stuffing attacks. I would also recommend that you use a password manager, despite some having suffered breaches, as it is safer than reusing a handful of easily remembered ones. Oh, and enable passkeys on any accounts that support them. Then there’s the small matter of activating two-factor authentication on all your accounts as well. Stay safe, even when the FBI finds the next big stolen password haul. It’s only a matter of time.
