
FBI reveals 630 million stolen passwords.
Updated December 14 with password manager usage advice following reports of a LastPass data breach caused by security failures and a no password required attack confirmed by Google, alongside the original reporting of the 630 million passwords revealed by the FBI following device seizures from a single hacker.
Just when you thought things couldn’t get any worse in terms of cybersecurity bad news this week, the FBI has revealed a staggering database of 630 million compromised passwords from multiple devices seized from a hacker. Here’s what to know and how to check if your passwords are on the danger list.
FBI Finds 630 Million Stolen Passwords On Seized Hackers’ Devices
Troy Hunt, the creator of the ingenious Have I Been Pwned and Pwned Passwords services, has confirmed that the Federal Bureau of Investigation has handed over a staggering list of 630 million compromised passwords to add to the HIBP database of 17 billion compromised accounts. The FBI has been sending Hunt compromised passwords for four years, as uncovered during the course of cybercrime investigations, but what’s concerning and almost unbelievable in equal measure is that the latest haul is from a single hacker.
“This latest corpus of data came to us as a result of the FBI seizing multiple devices belonging to a suspect,” Hunt said, adding that “the sheer scope of cybercrime can be hard to fathom, even when you live and breathe it every day.” To which I can only say, indeed it is.
It seems that the hacked passwords have come from open and dark web marketplaces, Telegram channels and, inevitably, infostealer attacks.
All of which means, of course, that not all of the 630 million credentials handed over to Hunt are going to be fresh to market, as it were. And, indeed, that appears to be the case following an initial HIBP team analysis: “We hadn’t seen about 7.4% of them in HIBP before,” Hunt confirmed, “which might sound small, but that’s 46 million vulnerable passwords we weren’t giving people using the service the opportunity to block.”
FBI Stolen Credentials Handover: How To Check If Your Passwords Are On The List
The good news is that all of the stolen credentials, all those compromised passwords, are now searchable from a single location, which leaves you a second or two away from discovering if any of yours are included.
Head to the Pwned Passwords service, and enter your password. Don’t worry, it’s perfectly safe and won’t put your passwords in any danger, just the opposite in fact. “No password is stored next to any personally identifiable data such as an email address,” Hunt said, “and every password is SHA-1 hashed.”
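The check Hunt describes works on SHA-1 hashes rather than passwords. Pwned Passwords exposes a range endpoint that takes only the first five hex characters of the hash and returns every matching suffix with its breach count, so the full hash never leaves your machine. The script below is an added example, not HIBP's own code: the endpoint URL is real, but the range response and counts are constructed so it runs offline.

```python
import hashlib

PWNED_RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint

# Constructed stand-in for one range response: every line is
# "<35-hex suffix>:<times seen>" for SHA-1 hashes starting with "5BAA6".
# The counts and the second/third suffixes are made up for this example;
# the first suffix is the real SHA-1 tail of the string "password".
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
00A5F9F3D0C0B7A4B11F4D9E2B8C3A7E1F0:2
FFEE00112233445566778899AABBCCDDEE0:41
"""

SENT_PREFIXES = []  # records what the client transmits: only 5 hex chars per lookup

def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased the way the service returns it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(hexdigest: str) -> tuple:
    """k-anonymity split: 5-char prefix goes to the server, 35-char suffix stays local."""
    return hexdigest[:5], hexdigest[5:]

def parse_range_response(body: str) -> dict:
    """Map each returned suffix to its breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for an HTTP GET of PWNED_RANGE_ENDPOINT + prefix."""
    SENT_PREFIXES.append(prefix)
    if prefix == "5BAA6":
        return SAMPLE_RANGE_5BAA6
    return "0" * 35 + ":1\n"  # constructed non-matching line for any other range

def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """How many times the password appeared in known breaches (0 if never seen)."""
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3-example-not-in-sample"):
        print(pw, "->", breach_count(pw))
```

Swapping `fake_fetch_range` for a real GET of the same URL gives a working client; a non-zero count means the password is on the list and should be changed.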
Most importantly, do it now so you can change any passwords that are already compromised before your accounts fall victim to credential-stuffing attacks. I would also recommend that you use a password manager. Oh, and enable passkeys on any accounts that support them. Then there’s the small matter of activating two-factor authentication on all your accounts as well. Stay safe, even when the FBI finds the next big stolen password haul. It’s only a matter of time.
Don’t Ignore This FBI Discovery — Use A Password Manager Now
OK, so I’ve already said you should use a password manager, but is that safe? It’s a question I get asked all the time, especially after I have published reports about a password manager data breach, or the latest hack attacks. My answer is always the same: yes, absolutely. There is never any doubt in my mind, as an old hacker myself, and for good reason: password reuse and weak passwords make the life of a hacker so much easier. Believe me. The two are most certainly not mutually exclusive, quite the opposite, in fact. People use weak passwords because truly random, truly complex, truly strong ones are almost impossible to remember unless you are some kind of memory savant. Not totally so, of course; I know my 25+ character random master password that unlocks my password manager vault off by heart. I couldn’t actually tell you what it is without a keyboard in front of me, as it’s a muscle memory thing, at least that’s what I call it. I only need to remember the first five characters, and the rest just follow automatically. But even that password would not be considered strong in any way if I were to then reuse it across all my accounts, because if one got compromised, then they all get compromised.
It doesn’t matter which password manager you use, provided it is from a trusted vendor. I always recommend standalone managers and apps rather than ones that are part of a web browser, as I prefer some level of separation between the two. But something like Apple Passwords, which comes free with iOS and macOS, is just as good a recommendation as the commercial 1Password application, in my opinion. Don’t let this latest FBI warning go to waste; use it as an opportunity to up your password game.