Data breaches and old passwords
TL;DR: Heard about the "16 Billion Credentials Leak"? Don't panic, it's mostly a repackaging of older breaches.
✔ Use a password manager
✔ Enable multi-factor authentication (MFA)
✔ Check your email on Have I Been Pwned
✔ Take action where needed, but stay calm and take a risk-based approach.
☕ And maybe... have a coffee while you're at it.
There's plenty of chatter in the news about the "16 Billion Credentials Leak". Once again, it's claimed to be "the biggest breach in history", the result of (insert latest buzzphrase here) "Infostealer malware", and, to really maximise clickbait potential, media outlets throw in "Facebook, Google, Apple services are at risk". Sure, there are elements of truth in these claims, but let's remember what really matters: a calm, measured, risk-based approach. Even better if the discussion can be had over a nice cup of coffee 😉
I've extolled the virtues of password managers for many, many years now. If you've followed some simple guidelines, data breaches are relatively simple to manage. Unfortunately, it's rare that you'll be shown the actual password that was leaked; more likely you'll find out via news reports or a third-party service that your email address was involved in a breach.
This is because passwords are usually stored in a hashed format (or should be, if best practices are followed). Hashing is, by design, a one-way function: the stored hash can't be reversed to recover the original password. When you log in to a service, the system hashes whatever you type in and compares it to the stored hash. If it matches, you're in. If not, "you shall not pass!"
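To make the "hash on the way in, compare on the way out" flow concrete, here is an added example (not code from the original post) of how a service might store and verify a password with a salted, deliberately slow hash, next to the unsalted fast hash that leaks the fact that two users share a password. The record format, the iteration count and the function names are my own choices for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (an assumption for this example, not values from the post):
# PBKDF2-HMAC-SHA256 with a per-user random salt and a high iteration count so that
# guessing passwords against a leaked database is slow.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The salt is random per record, so the same password stored for two users
    (or twice for one user) yields two different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(attempt: str, stored: str) -> bool:
    """Hash the login attempt with the stored salt and compare in constant time.

    Nothing here reverses the hash: the only thing the service can do is recompute
    it for the password the user just typed and check whether the result matches.
    """
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first mismatching byte is via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_fast_hash(password: str) -> str:
    """The weak storage form still seen in breaches: one fast, unsalted digest.

    Every user with this password gets the identical hash, so a single cracked
    value unlocks all of them, and precomputed tables work directly.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def records_differ_for_same_password(password: str, iterations: int = ITERATIONS) -> bool:
    """True when salting makes two stores of the same password look unrelated."""
    return hash_password(password, iterations=iterations) != hash_password(password, iterations=iterations)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password ok:", verify_password("Correct horse battery staple", record))
    print("same password, different records:", records_differ_for_same_password("hunter2"))
    print("unsalted md5 collides across users:", unsalted_fast_hash("hunter2") == unsalted_fast_hash("hunter2"))
```

The point for the reader is in `verify_password`: the service never needs the plain-text password back, which is exactly why a breach of hashed records doesn't hand you (or the disclosing party) the password itself.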
That said, in some breaches, passwords are stored in plain text (sadly, this still happens). Even then, the entity disclosing the breach may withhold the full credentials to avoid legal or ethical issues around redistributing confidential information. You might be lucky enough to be told “hey, a password ending in xyz has been leaked”. If so, you can check your password manager for likely matches, quickly change those passwords, enable multi-factor authentication if you haven't already, and check for malicious activity that may already have occurred on those services.
Speaking of third-party services, you might already have signed up for Troy Hunt's Have I Been Pwned service, which can notify you if your email address appears in a data breach. Troy is well known for collaborating with CERTs, governments and researchers to help responsibly distribute breach data to affected parties.
He recently posted on LinkedIn that his site had seen a massive spike in traffic - unsurprising, given how many people were checking if they’d been affected by the "16B Leak"! More on that in a moment, after I've taken a few more sips of this coffee (and ranted a little more on password risk management).
Even if you don’t use a password manager, maybe you've taken a risk-based approach to password hygiene: letting your browser save credentials for low-risk services like shopping carts (without saved payment details) or news sites, while memorising strong passphrases for critical services like banking and social media. Hopefully, you've also enabled multi-factor authentication, and/or passkeys to protect yourself against financial and reputational loss.
Most larger organisations will have incident response playbooks for events like this. They'll typically receive a (secure) copy of leaked data from a third party and use it to identify internal accounts at risk. Often, this triggers automated workflows or notifications from the service desk to affected users, requesting password changes or security reviews. Some companies have these processes well tuned to minimise manual effort and maximise speed.
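As an added example (my own code, not a process described by the post or by any named organisation), here is the matching step of such a playbook: parse a copy of leaked credentials in the usual infostealer-log shape, keep only accounts under the organisation's own domains, and produce notification records that carry the "password ending in xyz" style hint mentioned earlier rather than the password itself. The domains, the sample lines and the record layout are constructed for this illustration; real dumps are messier, so the parser tolerates missing URLs, colons inside passwords and junk lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed: the domains this organisation owns and wants to match on.
ORG_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample in the common infostealer-log shape  url:login:password.
# Some lines omit the URL, one password contains colons, one line is junk, one
# email is in mixed case and one password is missing entirely.
SAMPLE_DUMP = """\
https://mail.example.com/login:alice@example.com:Summer2023!
https://shop.example.net/account:Alice@Example.com:Summer2023!
bob@corp.example.com:correct:horse:battery
https://social.example.org:carol@gmail.com:qwerty123
this line is not a credential at all
dave@example.com:
""".splitlines()

# Optional URL, then an email, then everything after the separator is the password
# (so passwords containing ':' are kept whole). Separators seen in the wild are ':' and '|'.
LINE_RE = re.compile(
    r"^(?:(?P<url>\S+?)[:|])?(?P<email>[^\s:|@]+@[^\s:|@]+)[:|](?P<password>.*)$"
)


@dataclass
class AtRiskAccount:
    email: str                                  # normalised (lower-case) address
    occurrences: int = 0                        # how many lines referenced this account
    sources: List[str] = field(default_factory=list)  # sites the credential was captured on
    hints: Set[str] = field(default_factory=set)      # masked password hints, never the password


def mask_hint(password: str, keep: int = 3) -> str:
    """Keep only the last `keep` characters, as in 'a password ending in xyz'.

    Short passwords get no hint at all: revealing three of five characters
    would give away most of the secret.
    """
    if len(password) < keep * 2:
        return ""
    return "*" * (len(password) - keep) + password[-keep:]


def find_internal_accounts(lines: Iterable[str], org_domains: Iterable[str]) -> Dict[str, AtRiskAccount]:
    """Return the organisation's accounts present in the dump, keyed by normalised email.

    The plain-text passwords are dropped as soon as the hint is derived, so the
    result can be handed to a service desk workflow without redistributing them.
    """
    domains = {d.lower() for d in org_domains}
    hits: Dict[str, AtRiskAccount] = {}
    for raw in lines:
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # junk line, not a credential
        email = match["email"].lower()
        if email.rsplit("@", 1)[1] not in domains:
            continue  # someone else's user; not our incident to handle
        account = hits.setdefault(email, AtRiskAccount(email))
        account.occurrences += 1
        if match["url"] and match["url"] not in account.sources:
            account.sources.append(match["url"])
        hint = mask_hint(match["password"])
        if hint:
            account.hints.add(hint)
    return hits


def notification_text(account: AtRiskAccount) -> str:
    """The message a service desk ticket might carry to the user."""
    where = ", ".join(account.sources) if account.sources else "an unknown site"
    ending = ", ".join(h[-3:] for h in sorted(account.hints)) or "(not disclosed)"
    return (f"{account.email}: credentials seen {account.occurrences}x in leaked data "
            f"captured on {where}; password ending in {ending}. "
            f"Please change it and enable MFA.")


if __name__ == "__main__":
    for acct in find_internal_accounts(SAMPLE_DUMP, ORG_DOMAINS).values():
        print(notification_text(acct))
```

Run on the sample, the matcher reports three internal accounts, collapses the two differently-cased `alice@example.com` lines into one record with both source sites, and ignores the Gmail user and the junk line. What leaves this function is a hint like `23!`, which is enough for the user to find the right entry in their password manager, not the leaked credential itself.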
Now that this cup of incredibly delicious coffee has done its work, let's circle back to the point: there almost certainly wasn't anything new in this "16B credential leak". While we should never downplay the severity of data breaches, overreacting without facts doesn't help either. In this case, we now know the 16 billion credentials were mostly a compilation of older data breaches, often sourced from infostealer logs, and organised for easier resale (on illegal markets) or reference.
That still means you should take precautions: check your accounts, change any affected passwords, and enable MFA. But don’t panic! Breathe, review, act rationally... and maybe pour another cup of coffee. ☕