3.2 billion emails and passwords exposed online — what you need to know
Big batch of stolen credentials
A whopping 3.2 billion password-username pairs are up for grabs in an unnamed online hacking forum. But don't panic — the data is nothing new. It's a compilation of stolen credentials from dozens of old data breaches, some going back ten years.
That doesn't mean you shouldn't be aware that your old passwords are floating out there. Yes, your passwords, and ours too. Pretty much anyone who's ever created more than three online accounts has had a password compromised by now.
This new treasure trove of dusty old data was publicized by Lithuanian English-language website Cybernews, which says the compromised credentials are a mishmash of data from breaches at LinkedIn (2012, 117 million compromised accounts), Netflix (we don't actually remember any Netflix data breach) and others.
We haven't seen the data ourselves, but we imagine that the massive Yahoo breaches of 2013 (3 billion) and 2014 (500 million) are probably in there somewhere.
Cybernews said the database is being advertised as the "Compilation of Many Breaches (COMB)." It's in a password-protected container, and the data has been cleaned up, categorized and made searchable. The password to the container is available to authorized users of the hacker forum.
"Most of the contents are almost all publicly available," the poster who put up the link in the hacker forum writes in a screen grab captured by Cybernews. "All data is in an alphabetical tree-like structure," and "a query script is included."
The link poster said the total number of credentials amounted to 3.8 billion, but Cybernews got hold of the data and boiled it down to 3.2 billion after removing duplicates.
How you can minimize the damage from data leaks
So what do you need to do about this? You can use Cybernews' own data-leak checker, which claims to hold 2.5 billion compromised email addresses, to see if your email address is in the mix.
You can also use Australian security researcher Troy Hunt's HaveIBeenPwned website, which checks both your email address and your password, but never at the same time. Odds are that at least one of your old passwords and some of your email addresses are in at least one of these databases.
But overall, you need to observe a few simple rules.
1) Data breaches happen, and it's not your fault.
2) Don't reuse passwords. If you do, a data breach affecting one of your accounts will affect many others too.
3) Make all your passwords strong and unique.
4) Using one of the best password managers will make Rules 2 and 3 easy to follow.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.