Billions of stolen and leaked email addresses and passwords have been traded on hacker platforms over the years, and there’s a chance one of yours has been among them at some point or other.
Once hackers get hold of login data, they typically either use it to gain access or sell them. Either way, the user loses.
Victims of identity theft will often have to pay for orders placed in their name. However, the damage is by no means always only financial.
If hackers have had access to private data or photos stored on an online storage service, this can be extremely stressful, with a psychological effect similar to knowing a burglar has been in your home.
That’s why, to avoid being caught out, we all need to regularly check that none of our passwords are currently circulating the web.
Thankfully, this is easy, and you just need to query one of the several Internet security database that keep records on leaked and stolen data that has become available online.
Among the best known is haveibeenpwned.com, where you enter your email address or phone number to instantly find out if you’ve been “pawned” and where.
It doesn’t hurt to check several databases on a regular basis. After all, it may be that one security researcher has data records that the others do not have.
Mozilla’s leak query service Firefox Monitor also uses the “Pwned” database, and works almost identically, but differs in one practical detail.
You can also register on the Monitor page with an email address and will then be informed immediately if your own identity data should appear on the net.
Any passwords you save in the Chrome browser or password manager 1Password will also prompt an alert if they are found to have been shared online.
The Hasso Plattner Institute (HPI) in the German city of Potsdam also has a query option called Identity Leak Checker, where you can enter your email address.
A database comparison then checks whether the email address has been disclosed on the Internet in connection with other personal data such as telephone number, date of birth or address and could be misused.
If there is a hit with one of the services, you’ll need to make sure you’re not still using this leaked password on any service.
Unfortunately, if a password doesn’t get any hits on any major databases that does not necessarily mean that it’s completely secure, and you’ll still need to create complex passwords that are hard to guess.
You’re also better off activating two-factor authentication (2FA) wherever it is offered, which requires an extra confirmation (usually on a smartphone) whenever there’s a login on your account.
Since hackers are very likely to try out stolen login details on various popular sites, your passwords should not only be strong, but also unique to each individual service – even and especially where no 2FA protection is offered.
If you struggle to remember various complex passwords, then a password manager may help. In general, a well-secured email account is particularly important because it often represents a kind of master key for many other services that send links to reset the password by email. – dpa