Someone Found Over 180 Million User Records in an Unprotected Online Database


If you’re an internet user, you have likely had some of your personal information exposed at some point. It’s simply a part of online life. However, this recent finding, reported by Wired, is unusual.

Security analyst Jeremiah Fowler discovered a publicly accessible online database containing over 180 million records (specifically 184,162,718) which equated to more than 47GB of information. There were no signs indicating the owner of the data or who uploaded it, which is not typical for such online databases, according to Fowler. He found emails, usernames, passwords, and URLs that connected to the sites associated with those credentials.

The accounts included significant platforms such as Microsoft, Facebook, Instagram, Snapchat, Roblox, Apple, Discord, Nintendo, Spotify, Twitter, WordPress, Yahoo, and Amazon, along with banking and financial accounts, health organizations, and government accounts from at least 29 countries. This includes nations like the U.S., Australia, Canada, China, India, Israel, New Zealand, Saudi Arabia, and the UK.

Fowler submitted a responsible disclosure notice to the database’s hosting provider, World Host Group. He saw signs that the credentials had been taken via infostealer malware, a type of software used by malicious actors to gather sensitive information from various platforms, including web browsers, email services, and messaging applications.

After Fowler’s notice, World Host Group restricted access to the database. The provider informed Wired that the database was managed by a customer, a “fraudulent user,” who uploaded illicit content to the server.

To verify the legitimacy of the credentials, Fowler reached out to some of the email addresses found in the database. He got responses, and those users confirmed the records associated with their email addresses. While this doesn’t guarantee that all 184,162,718 records are accurate, it’s a strong indication that most are. Thus, it’s very possible that both you and I had our credentials exposed in this database. Worse yet, Fowler mentions there’s no way to know how long the database was publicly accessible before his notice led to its shutdown.

There’s a lot that malicious actors and hackers can do with this type of data. If they obtain the username and password combination for one of your accounts, they’ll not only check if they can access that specific account but will also attempt to use it on your other accounts. If you tend to reuse passwords, as many people do, you could encounter a widespread breach. It’s concerning enough when it involves Facebook and Roblox accounts, but considering there were financial, health, and even government accounts present, the consequences are significant.

How to safeguard yourself

If you don’t have access to the database, you can’t definitively say whether your credentials are included or which ones are present.

Nonetheless, if it has been a while since you changed your account passwords, now might be an appropriate time to do so. You don’t need to change your passwords as often as traditional security guidelines suggest, but it wouldn’t hurt to perform a quick security review of your accounts.

Ensure you’re using a strong and distinct password for each of your accounts. If you repeat passwords, you risk credential stuffing (hackers attempting the same stolen password on multiple accounts). To help manage your passwords, utilize a secure password manager.

Make certain to enable two-factor authentication (2FA) on all accounts that provide it. This way, even if a password is compromised, hackers won’t be able to access your account without the device that has the 2FA code. To enhance your security, try to avoid SMS-based 2FA when possible, opting for more secure options such as an authenticator app or a physical security key. If available, consider using a passkey to combine the convenience of a password with the protection offered by 2FA.

Understanding Two-Factor Authentication (2FA)

Two-factor authentication aims to stop unauthorized individuals from accessing an account by merely having a stolen password. Users might be at a higher risk of having their passwords compromised than they think, especially if they reuse the same password across multiple sites. Installing software and clicking on links in emails can also put someone at risk for password theft.

Two-factor authentication combines two of the following elements:

  • Something you know (your password)
  • Something you have (like a text containing a code sent to your smartphone or another device, or a smartphone authenticator app)
  • Something you are (biometric data like your fingerprint, face, or retina)

2FA is not limited to online scenarios. It is also used when a consumer must input their zip code prior to using their credit card at a gas station or when a user has to enter an authentication code from an RSA SecurID key fob to remotely access an employer’s system.

Examples of Two-Factor Authentication (2FA)

Apple users can implement 2FA to guarantee that accounts can only be accessed from trusted devices. If someone attempts to log in to their iCloud account from a different device, they will need both the password and a multi-digit code that Apple will send to one of the user’s devices, such as their iPhone.

Numerous businesses also utilize 2FA to manage access to corporate networks and sensitive information. Employees may need to input an additional code to log into the remote desktop software that allows them to connect to work computers outside the office.

Special Considerations

While 2FA does enhance security, it is not infallible. Two-factor authentication provides an extra layer of verification beyond just entering a PIN or CVV number from a credit card.

However, cybercriminals who obtain the authentication elements can still access accounts without authorization. Common methods include phishing schemes, account recovery processes, and malware.

Hackers can also intercept text messages used in 2FA. Critics contend that text messages are not a true form of 2FA since they aren’t something the user already possesses, but rather something sent to the user, making the procedure vulnerable. Instead, critics suggest that this method should be labeled as two-step verification. Some organizations, like Google, adopt this terminology.

Nonetheless, even two-step verification offers better security than relying solely on password protection. Even more robust is multi-factor authentication, which necessitates more than two elements for access to an account.
