Password leaks and how to deal with them

At the beginning of April 2021, information was published that personal data of more than 500 million Facebook users had surfaced in a hacking forum.

Although, according to Facebook, this data dates back to 2019, it could still be used today for further attacks [1]. Facebook is by no means the only company to fall victim to a data leak: for the year 2020 alone, Wikipedia lists 29 companies from a wide range of industries that also suffered a data breach – and these are only the breaches the public has been informed about [2]. Adding up the stolen records of these 29 companies gives a figure of just under 1.2 billion. The true number, including unreported cases and their stolen records, is probably higher. For companies and private individuals alike, the question is: how should this situation be dealt with? Broadly, the strategy has two components, which we highlight below.


Watch password leak activity
For most of those affected by a data leak, it is impractical to download the stolen data sets themselves and check whether their data is included. Freely available services have since been established that do exactly this for the user: they identify current data leaks, obtain the data sets and process them. As a result, a user can quickly and easily find out via a web interface whether their data (mostly email addresses) was part of a data breach. One of these services, and probably the best known, is Have I Been Pwned [3]. For companies, the “domain search” feature could be particularly interesting: as soon as an email address belonging to one of the company's domains is identified within stolen data records, the company receives a notification.
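The same service also offers a password-oriented check. As an added example that is not code from the original article or from the Have I Been Pwned project, the Python below shows the client side of the Pwned Passwords k-anonymity lookup: only the first five hex characters of the password's SHA-1 hash are sent, and the client matches the remaining suffix locally against the returned list. The endpoint URL and the `SUFFIX:COUNT` response format are HIBP's documented range API; the sample response body and its counts are constructed for the example.

```python
import hashlib
from typing import Dict, Tuple
from urllib.request import Request, urlopen

# Documented Pwned Passwords range endpoint: the client appends a 5-char hash prefix.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines as returned by the range endpoint into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines or malformed entries
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def leak_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the leaked sets covered by this range body (0 if absent)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Retrieve the range body for a 5-char prefix (needs network access; not called by the offline check)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "leak-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample body for prefix 5BAA6: it contains the real SHA-1 suffix of the
# password "password" with a made-up count, plus two made-up, unrelated entries.
SAMPLE_BODY = (
    "00A1B2C3D4E5F60718293A4B5C6D7E8F901:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "FFEEDDCCBBAA99887766554433221100FFE:1\r\n"
)

if __name__ == "__main__":
    print("password seen", leak_count("password", SAMPLE_BODY), "times")
```

To check a live password, call `fetch_range(prefix)` with the prefix from `sha1_prefix_suffix` and pass the result to `leak_count`; the password itself never leaves the machine.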


Draw consequences from the leaks
What can be done if one’s own data, or even that of company accounts, has actually been found among the stolen records? Above all, the right conclusions should be drawn, and they should go beyond simply changing the passwords of the affected accounts. For example, companies can ask themselves why employees are using business accounts on non-business platforms or applications and how this can be prevented. In addition, they can consider how to promote the use of password managers among employees. A password manager can be of great benefit, as it assists users in creating random passwords of sufficient strength, among other advantages, and stores the data strongly encrypted. Their use is also highly recommended for private individuals. Together, these measures can reduce the risk of password reuse, and thus of subsequent successful credential stuffing attacks, in the long run. A detailed report highlighting current findings on the dangers of credential stuffing attacks is linked at [4].


Successful cyber-attacks on businesses will probably remain a permanent element of the modern world. Even if individual incidents can be neither prevented nor predicted, we can confidently continue to work on the strategy for dealing with the resulting risks.
