What To Do If My Password Was Found in a Data Breach
What should you do if your password is stolen? At SpyCloud, that’s something they think about a lot.
SpyCloud maintains the largest and most up-to-date collection of recaptured data from breaches, malware-infected devices, and other underground sources. A portion of these credentials are found in the same combo lists that criminals are using today in successful credential stuffing attacks. Others are from sources that only SpyCloud has obtained access to that help thwart account takeover (ATO) and prevent fraud before the assets are available as commodities on the criminal underground. Should your credentials ever appear in our datasets, we recommend you take immediate action to protect yourself.
But how do you know if your data has been exposed? Check your exposure here – simply enter your email address and we can tell you how many times your credentials have been found in third-party data breaches recaptured by SpyCloud on the criminal underground, as well as how recently your data was exposed.
Four Steps to Take After Your Password is Stolen
In terms of remediation, your first order of business is to change your exposed password. But that’s not all you need to do in order to contain the damage. Failure to act quickly may result in the compromise of additional accounts, especially if you reuse passwords. Even if you don’t reuse passwords, your compromised information may be enough for criminals to pivot off of to then target other accounts. We suggest following this checklist to protect yourself from potential future attacks.
Here is what to do when your password is stolen:
- Change the compromised password immediately. We highly recommend the use of a long, complex password containing random letters, numbers and special characters.
- Change all variations of the compromised password on any of your accounts and never use it again. It’s not enough to monitor other accounts using the same or a similar password for suspicious activity.
- Enable multi-factor authentication (MFA) for all of your accounts where MFA is an option.
- Implement a password manager so all of your passwords are unique and easily managed. It’s common for people to have more than 100 online accounts, each requiring their own unique password. Most password managers auto-generate complex passwords. Any password that is easy to remember is also easy to guess – this is why the strongest passwords are generated automatically using a password manager.
Top Tips for Stronger Passwords
Password hygiene seems like a simple concept, but SpyCloud research shows a 64% password reuse rate for users with more than one password exposed in the last year. To avoid your password being compromised, follow our recommendations for stronger passwords and stronger account protection overall:
- Choose a complex, 16+ character password or passphrase– Our testing revealed that passwords with 16+ random letters, numbers and characters, regardless of hashing algorithm used, would require centuries to crack.
- Make passwords unique across accounts– Use a different, complex password for every online account.
- Don’t mix business logins with personal accounts– Mixing business with pleasure means that a breach of a work site can jeopardize your personal life and vice versa.
- Use multi-factor authentication (MFA) whenever prompted– Though MFA is not unhackable, providing something you know (a password) plus something you are (biometrics) or something you have (smartphone token) will deter most criminals.
The SpyCloud Difference
SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.