Were You Part of a Data Breach?

Compromised Emails, Account Hacks, and Bad Passwords


There’s nothing scarier than the things lurking in the shadows of the internet. Unfortunately, hacking is a growing business and experienced hackers are behind every dark corner of the web. Everyone who uses the internet is at risk of a data breach, and it’s safe to assume that your personal information has already been compromised.

According to security researcher and Microsoft Regional Director Troy Hunt, the more someone signs up for online services, the more vulnerable they become. “You sort of leave these little traces of yourself all over the internet, and as time goes by, those traces just get larger and larger.” In other words, the chances of your data being leaked continue to grow the longer you use the web.

More than 14 billion records have been exposed since 2005. These leaks include usernames and passwords, emails, credit card numbers, and home addresses. And with hacks taking place every 39 seconds, there’s a high chance your information has already ended up in the wrong hands.

It takes most companies over six months to detect a data breach.


Your information may have been exposed without your knowledge. Unfortunately, you may never be notified of the breach in the first place. There is no central federal law for data breach disclosures, and each state handles the situation differently. States like Illinois have strict requirements, but some states only require disclosure if the company has proven damages. Since there’s so much gray area, it’s best to learn the warning signs of a compromised account.

Signs Your Information May Have Been Compromised

  • Your email provider alerts you to a suspicious login attempt
  • Your password has been changed without your permission
  • There is activity on your social media accounts from a foreign location
  • Your online bank account is missing money
  • You’ve been notified of out-of-state or international credit card charges
  • A declined transaction on your debit card
  • Your PayPal account was used to purchase a gift card

Have I Been Pwned


Remember the security researcher we mentioned earlier, Troy Hunt? If you suspect your data has been compromised, he is your best bet. Troy is the cyber genius behind Have I Been Pwned (HIBP). It’s a site that catalogs billions of compromised records found in data dumps—collections of exposed database information made available to the public.

“When we see data breaches where a company, like, say LinkedIn, is hacked and their data is ultimately spread across the internet, I grab these data breaches, I aggregate them into a service, and I make them searchable so that people can discover where they’ve been exposed.”

His collection includes 9.5 billion compromised accounts and 4 billion unique email addresses. Troy even provides a service to alert people if they’ve been involved in any future breaches, free of charge. We recommend heading over to the site and searching his records. You’ll be surprised at what you find.

Don’t worry. Troy doesn’t store your passwords with your email. However, he provides a password lookup option too. “Separately to the pwned address search feature, the Pwned Passwords service allows you to check if an individual password has previously been seen in a data breach. No password is stored next to any personally identifiable data, such as an email address.”
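As an added illustration (not code from this article or from Have I Been Pwned), the Python example below shows how a Pwned Passwords lookup can be done without the password ever leaving your machine: only the first five characters of its SHA-1 hash are sent, and the match is made locally against the returned `SUFFIX:COUNT` lines. The range-query format is the service's public API as we understand it rather than something described above; `offline_fetch`, the sample passwords, and their counts are constructed stand-ins so the example runs offline.

```python
import hashlib

# Constructed sample data: passwords treated as "seen in a breach", with made-up counts.
CONSTRUCTED_BREACHED = {"123456": 42, "qwerty": 17}
SENT_PREFIXES = []  # records everything that would have left the machine


def split_hash(password):
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_fetch(prefix):
    """Hypothetical stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    SENT_PREFIXES.append(prefix)
    lines = ["0" * 35 + ":0", "not a valid line"]  # padding entry + junk to exercise parsing
    for candidate, count in CONSTRUCTED_BREACHED.items():
        cand_prefix, cand_suffix = split_hash(candidate)
        if cand_prefix == prefix:
            lines.append(f"{cand_suffix}:{count}")
    return "\r\n".join(lines)


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines; skip malformed lines and zero-count padding."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range=offline_fetch):
    """Return how many times the password appears in the sample corpus, 0 if unseen."""
    prefix, suffix = split_hash(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("123456", "qwerty", "a long passphrase nobody has leaked yet"):
        print(repr(pw), "->", breach_count(pw))
    print("sent to the service:", SENT_PREFIXES)
```

To query the live service, replace `offline_fetch` with a function that performs the HTTPS request and returns the response text; the hashing and matching logic stays the same.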

Your Password is the Problem


Most of us reuse passwords, and hackers are counting on that. For example, the password you use for your Comcast account is potentially the same one used for your email and online banking login.

“If you’re a clever hacker, you’re not only going to use those details to break into accounts on that one site. You’re going to see if they work on something else. The problem there is that people are using the same password on multiple websites and services.”

Statistically, your password is easier to crack than you think. Cybersecurity expert Amichai Shulman found that if you take the top five thousand most common passwords, you can access 20 percent of all the internet’s accounts.


The Internet’s Most Popular Passwords


With popularity comes vulnerability. The UK’s National Cyber Security Centre (NCSC) analyzed the top 100,000 passwords leaked from international data breaches. The most popular password, “123456,” was used by over 23 million breached accounts in the dataset. If you see your password on this list, change it before it’s too late.

TOP 100,000 PASSWORDS
  • 123456
  • 123456789
  • qwerty
  • password
  • 111111
  • 12345678
  • abc123
  • 1234567
  • password1
  • 12345

How is Breached Data Used?


After data is stolen, hackers will sift through the dataset for authentication credentials, names, and financial information like credit card numbers. Hackers typically will sell these details in bulk. In the majority of cases, compromised data gets sold on the dark web.

The internet is broken up into three levels: the surface, deep, and dark web. Most of us use both the surface and deep web daily. The surface web is made up of websites that can be found on Google, including blogs and business sites. The deep web makes up the majority of the internet. These are sites that cannot be found on Google, like your Amazon shopping cart or online access to your bank account.

The dark web, however, is a gathering place for those who have much more sinister intentions. Its sites cannot be found on Google, and they require special software to access them. Within the dark web are a handful of marketplace sites. Here, you can purchase anything you can imagine: drugs, guns, slaves, and stolen identities, among other illegal things.

“You’ll just go through the listings like you’re on Amazon or eBay or whatever, and you’ll come across something pretty interesting like 70 percent of the time… I just came across this vendor who said he was selling Uber accounts. I thought, ‘Well, that’s pretty interesting.’ And then we looked into it, and there were a hell of a lot of people selling stolen Uber accounts on the dark web.” — Joseph Cox, Motherboard

There’s big money to be made in the dark web data trade. Individual accounts go for pennies on the dollar. The problem is that most hackers have access to hundreds of thousands of accounts from the same dataset. Some of the most significant breaches have affected millions of users. For example, the 2017 Equifax hack exposed the sensitive information of 148 million Americans.

  • Social Security Numbers: $1
  • General Website Logins: $1
  • Credit or Debit Cards: $1-110
    • With CVV: $5
    • With Bank Info: $15
    • Fullz (Complete Identity): $30
  • Driver’s License: $20
  • Online Payment Account (PayPal): $20-200
  • Loyalty Account: $20
  • Subscription Services: $1-$10
  • Diplomas: $100-400
  • US Passports: $1,000-2,000
  • Medical Records: $1,000

Although these prices are relatively low, cybercrime is more profitable than the global illegal drug trade. While the illicit drug industry brings in $400 billion annually, the sale of compromised data earned a total of $600 billion in 2018.



Resources


It may come as a shock that social security numbers are worth less than a cup of coffee, but there isn’t much a criminal can do with one short of committing complex crimes like tax fraud. Typically, hackers go for low-hanging fruit like usernames and passwords because it’s easy money.

However, don’t panic if you have been involved in a data breach. Most of us have. If you haven’t been involved in a data breach, consider yourself lucky. Either way, there are specific steps to take to help remedy the situation.

1. Confirm the Breach

Search billions of data breach files to see if you’ve been involved in a public breach. Note that not all breaches will be made public, and some companies have not yet discovered the security breach.

Have I Been Pwned?

2. Change Your Passwords

Use the Pwned Passwords feature to see if your credentials have been exposed. A compromised password should no longer be used. Its exposure puts your other accounts at risk.

How to Change Your Password

Pwned Passwords

3. Get Notified of Future Breaches

Get notified of future breaches. HIBP will alert you if your email address appears in an upcoming data dump. 

Notify Me

4. Use a Password Manager

Password managers encrypt passwords. HIBP recommends 1Password, but there are many to choose from. “Your logins and private documents are securely stored in your password vault. This keeps your information locked away from thieves, hackers, and other unsavory types.”

1Password

5. Alert People

It’s time to get ahold of customer support if you’ve seen suspicious activity on your online bank, PayPal, or credit card accounts. The sooner you alert your financial institutions, the easier it will be to recover the charges or re-secure your account.

PayPal Fraud Protection