ABC57 INVESTIGATES: Local expert gives advice after 16 billion passwords leak

VALPARAISO, Ind. -- While news of a massive password leak has become common, many were left stunned by the “unprecedented” scale of a recent data breach.

Sixteen billion login credentials have recently been leaked from “any online service imaginable,” including Apple, Facebook and Google, according to researchers at cybersecurity outlet Cybernews.

In the report published last week, Cybernews researchers found 30 datasets that contained billions of compromised login credentials, leaving many consumers vulnerable on multiple platforms.

Cybernews researchers noted that the leak did not originate from a single breach. Instead, the data was stolen through multiple leaks and then compiled.

The datasets were only exposed briefly, long enough for Cybernews researchers to discover them but not long enough to find who controlled the data.

The likely source is “infostealer” malware, malicious software that infects devices and systems and harvests sensitive data such as saved logins, according to Cybernews.

For Nicholas Rosasco, a computing and information science professor at Valparaiso University, these types of attacks are nothing new.

“The scale is sad and unprecedented, but you’ve been through a bunch of these before,” Rosasco said.

“Go to the site in question to change your password, do not click on an email link unless it was generated in response to your request.”

It is now common for consumers to sign in to many different sites with a single Google or Apple login, which Rosasco said creates a higher risk, since compromising that one login exposes every site tied to it.

From the leak, phishers know what accounts consumers have, even if they do not have the actual password, Rosasco said.

“[The breach] makes you much more vulnerable to what's called a phishing attack, where they're going to say, ‘Hey, I'm insert name of company. I think it's time for you to reset your password, because we just have this problem. Please click on this link,’” Rosasco said.

“That link may or may not go where you would expect it.”

While the dataset of login credentials has been leaked, Rosasco said passwords are not normally stored in the form a consumer would recognize.

Many institutions use a “cryptographic hash” to store login information, Rosasco said.

“If my password is ‘potato,’ Amazon does not have the word ‘potato.’ They have the mathematical results of grinding it through this algorithm or a hash,” Rosasco said.

“So this blob is stored, and when I type my password again, they run exactly the same procedure and they compare the new blob to the blob they have on file. If they match, it’s probably me.”

A hash function is not reversible, Rosasco said, so a password cannot be recovered from the hash alone. However, since hash functions are well known, common passwords can be run through the same hash algorithm ahead of time and the results matched against stored hashes.

One method to strengthen a hash is to add “salt,” Rosasco said. The “salt” refers to extra characters, unique to each consumer, that are added behind the scenes to the password before it is hashed, he said.

“We store the fact that we are adding that little bit and what that little bit is so that we can replicate that comparison every time,” Rosasco said. “But that makes it a little bit harder for somebody to just actually hash the entire dictionary.”

Changing a password to include numbers or symbols, like “p0tato,” creates a different hash, making it more difficult for the password to be guessed, Rosasco said.
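As an added illustration of the storage-and-comparison procedure Rosasco describes (not code from the article or from any of the companies named), the following Python shows why a plain hash of “potato” can be matched from a precomputed list of common words, while a per-user random salt makes two users with the same password store different blobs. The short word list is constructed for the example, and PBKDF2 stands in for whatever slow password hash a real site would use.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the "entire dictionary" in the quote;
# real lists of common passwords run to millions of entries.
COMMON_WORDS = ["password", "123456", "potato", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Plain hash: the same password always produces the same blob."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words) -> dict:
    """Hash the dictionary once; each stored blob is then an instant lookup."""
    return {unsalted_hash(w): w for w in words}


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Store (salt, blob). The random per-user salt is kept next to the
    result so the same comparison can be replicated at every login."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest.hex()


def verify(password: str, record: Tuple[bytes, str]) -> bool:
    """Re-run exactly the same procedure with the stored salt and compare blobs."""
    salt, stored = record
    _, candidate = salted_record(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    table = precomputed_table(COMMON_WORDS)
    rec_a = salted_record("potato")   # two users, same password
    rec_b = salted_record("potato")
    return {
        "unsalted_lookup": table.get(unsalted_hash("potato")),  # "potato"
        "p0tato_lookup": table.get(unsalted_hash("p0tato")),    # None
        "salted_blobs_differ": rec_a[1] != rec_b[1],            # True
        "salted_in_table": rec_a[1] in table,                   # False
        "verify_ok": verify("potato", rec_a),                   # True
        "verify_wrong": verify("p0tato", rec_a),                # False
    }
```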

Ultimately, the only way consumers can protect themselves from data breaches is to change their passwords consistently and use a unique one for each account.

“Embracing the complexity rules is a good idea,” Rosasco said.

“Try to stay away from these easily identifiable words, numbers [and] phrases. Try not to use birthdays. Try not to use old addresses. These are really common, guessable things that people will start stacking.”
