Why You Shouldn’t Panic When You’ve Been Pwned

At latest count, there are more than 7.8 billion compromised accounts listed on Have I Been Pwned. You've probably heard about the Equifax, Yahoo, and Marriott breaches. Those alone account for nearly 2 billion username and password combinations. Then there was Collection #1, 773 million email addresses and passwords combinations that appeared in January 2019 for a mere $45.

There's a big data breach with shocking regularity. When it turns out to be a service you use, the initial reaction might be panic. Was my account involved? Which passwords do I need to change?

Take a deep breath. First, find out whether your information is out in the wild.

How to Find Out Whether You've Been Pwned

There are a number of ways to find out whether your credentials have been compromised. The most popular is the site Have I Been Pwned. Security expert Troy Hunt collects all the stolen data he can find, and allows you to see what information others may have about you and how they got it. Enter your email address, and see what information is floating around.

CBT Nuggets trainer Keith Barker put together a short video for his Workforce Security Awareness training on how to find out whether you've been pwned.

Given the sheer volume of breached data, it's likely you've been pwned. You are right to be concerned, but don't panic.

You've Been Pwned for a While

So, you jump on the Have I Been Pwned site and type in your email. You just found out you've been pwned. Now notice the dates on the listed breaches. It might not be the greatest consolation, but you've been pwned for a while. There are a few reasons for that.

Companies don't know they've been breached

Data breaches aren't like a bank robbery in broad daylight. They're like heists. No one knows until it's too late. (Think Mission Impossible, not Point Break.) Many times companies aren't alerted to a breach until troves of their data show up for sale online. In the Yahoo breaches, hackers had been extracting data for months before they were noticed. Systems are only as secure as their weakest link.

Companies are slow to announce a breach

There are many reasons a company doesn't immediately announce a breach. They have to formulate a response, cooperate with law enforcement, and determine their legal liability. (Or dump company stock, like some Equifax executives.) They also have to find out how malicious actors got into their system in the first place. If they announce a breach, they're essentially advertising a weakness in their system. That could open them up as a target for yet another breach.

Have I Been Pwned is an aggregator

Have I Been Pwned doesn't know about a breach until the world does. They operate by analyzing database dumps and paste bins for usernames, emails, and passwords. Sometimes these are reported by good Samaritans who stumble upon them in the depths of the dark web. In other cases, the information is gathered automatically by bots. A well-known example was the now-defunct Twitter-bot called Dump Monitor.

The bad guys play a continual cat-and-mouse game with good guys — and the bad guys have the upper hand. By the time the details of a breach get to the good guys, your data has already gotten around. Armed with this knowledge, hopefully, the reality has set in that by the time you find out you're pwned, it's already too late. It's safer to just assume you've already been pwned.

Password Managers Can Be Your Friend

Before you roll your eyes, understand that password management software isn't as complex or pricey as it once was. Some even have free versions. Perfect for personal use.

So how does a password manager keep you from getting hacked? Think of it this way. If you log into ten different accounts today, how many unique passwords do you type in? We would guess the answer is probably somewhere close to ONE. If that's the case, then you're opening yourself up to auth attacks.

Password managers solve this by auto-creating complex passwords that can't be brute-forced. You never even need to know or think about the actual password. The password for each account is unique, ensuring that if hackers get access to one password, they are only able to compromise that one account.

Today's password managers really add no complexity to the login process, as they autocomplete login fields as needed. The only complexity is the initial setup, which is a hassle. But it's like sunscreen — once you apply it, it can stop you from getting burned.

There are several different methods that each work well enough on their own, but combined they create a fortress. The best approach for you will likely be a mix of several methods and vendors, so you'll want to pick and choose until you achieve your security goals.

Turn On Two-Factor Everywhere

Let's tick the paranoia up a notch (for good reason), and get two-factor authorization (2FA) into the mix. If you've ever entered a unique code from a text, phone call, or authenticator app into a field after you've logged in with your password, that's two-factor.

These days, 2FA is available on most sites and email systems. While it might be an inconvenience to use it everywhere, it should definitely be on all your banking, social media, and shopping sites. In using 2FA, you're eliminating the password as a weak link.

Let's assume someone has your password, or the means to crack your password. Unless they have your phone (and the code for your phone), then they're stopped dead in their tracks. With enough time and sophistication, they can get around it.

The downside of 2FA is that it takes an additional step to log in. Even if it makes your life slightly more difficult, imagine what hackers have to go through to circumvent it. That being said, there are still brute-force and phishing vulnerabilities in 2FA, so it probably shouldn't be your sole line of defense.

Pro Move: Get a Security Token

The next step is to get physical — with a security token. These are small hardware devices that contain an encryption key. No token. No login. It's that simple. The two popular tokens are Yubikey and Titan, both of which have strengths and weaknesses.

Using a hardware security key might seem like stepping back in time, but physical security tokens are foolproof. They can serve as the authentication method for your password manager, and critically, as the only method to gain access to your email accounts. Your email address is, in some respects, your greatest vulnerability. If a hacker can log into your email, they now have access to the password recovery function on every one of your accounts.

Keeping track of another piece of hardware might seem like an inconvenience. However, if you utilize a physical security token, a hacker would literally need:

· Your password

· Your unlocked phone

· Your hardware token

In order to gain access to any of your accounts. In this era, we'd call that as close to foolproof as you're gonna get.

Don't Panic. Be Prepared.

There's a hard truth about security. Companies with credentialed user access (i.e. – username and password) typically favor ease of account access over security. And you probably do, too. Think about the frustration you feel when you have to enter a code from a text or authentication app.

We expect to be able to access our online accounts instantly and with complete security. While there are definitely ways to accomplish this, we have to take time, in the beginning, to put into place some important measures, and there is a bit of a learning curve involved.

The moral here is that you don't have to stress and react to a breach if you've taken these steps to safeguard your info. Of course, the actual process is a bit more involved, but there are some really good training resources that you can complete in a couple of hours to guide you. A course in Keith Barker's Workforce Security Awareness would help fill in the blanks and get you ahead of your security needs before disaster strikes. We'd consider that time well spent.