A Russian hacker called the “Collector” has been found with millions of account credentials. This hacker most likely didn’t obtain the information by himself, but merely collected it from places on the dark web. The fact that this type of sensitive information can be obtained without any real hacking skills is troubling. Think about all the recent breaches that have occurred. Now think about all the credentials obtained in those breaches being available to the world. Most individuals compromised in the breaches likely changed their passwords, but how different did they make their passwords? Also, believe it or not, some people probably still use those same passwords on other websites. Hackers use tools to try the compromised passwords on various websites, identify the passwords and credentials that still work and then do reconnaissance to see what the accounts allow them to do (e.g., make bank account withdrawals and transfers). Various tools are being implemented by companies to protect from these automated attacks such as identifying when a user logs in from a different computer or blocking access from certain IP addresses. These measures reduce the risk that hackers can use compromised credentials, but the best hackers are still one step ahead of most of these tools.
These type of news stories highlight the need to change account credentials and implement multi-factor authentication or other tools such as password keepers. We realize it’s a pain to change your passwords, but would you change the door lock on your home if you thought someone else had a key? Password tools can help develop more complex passwords with sufficient entropy to make password guessing more difficult. Password tools can also store these more complex passwords so users don’t need to remember them. Then, when accessing various website accounts a plugin will populate your login credentials so you don’t have to.
Awareness is also a powerful tool to combat hackers. Awareness that your credentials may have been compromised in a breach, and changing those credentials on every other site where those passwords are used is also a good practice.