Did Your Password Leak Online? And What To Do About It
Chances are, if you’re reading this, you’re in a situation you don’t want to be in. Maybe you’re suddenly unable to log into your account, you’ve noticed some suspicious activity in your bank statements, or you’ve woken up to unwanted threatening emails.
In the modern world of cyberattacks, it is not rare for a mistake online to result in someone being hacked. You weren't the first and you certainly won't be the last to have your password leaked online.
Take a moment to calm yourself down. This article will walk you through what you need to prepare for, the immediate steps you need to take, and how to guard against this happening again.
What Is the Risk of Password Leaks?
Every time we create an online account, we are essentially putting our personal data in the hands of strangers. We can hope that these companies are using proper security measures, but ultimately we have no control. Data breaches are an unfortunate possibility.
A data breach is a high-risk security violation, in which sensitive, protected, or confidential data is compromised. An unauthorized individual exploits the data by accessing, viewing, copying, transmitting, or stealing it.
Existing data leaks and cloud leaks, when discovered by cybercriminals, can be exploited to cause data breaches. Examples of famous data breaches include LinkedIn, MyFitnessPal, and Yahoo.
This is a scary concept as there is little we can do to prevent data from being leaked by companies. We can take responsibility for our own security by ensuring good password hygiene and making sure that hackers cannot get far with any data they get their hands on.
While it’s tempting to dismiss the threats associated with cybersecurity, you need to take this seriously and protect your accounts by changing passwords, using a virtual cyber assistant for secure authentication, and implementing additional security measures, such as two-factor authentication and biometric authentication.
You may wonder why a hacker would even be interested in your login credentials for a seemingly insignificant account. Well, it may end up being much more than that.
A single leaked password can have far-reaching consequences in your private and professional life. Data from one site could lead hackers directly to the accounts which you consider important.
Once hackers know one password combination you use, they can use software to generate and try thousands of variations - granting them access to areas of your life that you would rather keep private.
Stolen passwords are extremely valuable on the dark web. Once your password has been breached, you’re more vulnerable to further cyber crimes like identity theft or fraud.
Recognizing a Leaked Password
These days, you’re likely to know about it if your password is leaked. If your data is involved in a major leak, the organization is legally required to inform users about the incident.
The organization will likely post ongoing updates about the situation. Some companies may leverage a text message service for businesses, be in touch via phone or email, or post on social media. Additionally, you may receive alerts from web browsers and password managers, or notifications from Google or Apple.
You can also check the security status of all your saved passwords by heading to Google’s Password Manager and accessing the Password Checkup.
This feature not only lets you know if a password has been compromised but also highlights other weak areas demanding your immediate attention. We’ll go into more detail about unique password creation later in this article.
You can also check the Pwned Passwords search engine, which tells you whether your password was previously exposed in a data breach. Keep in mind that if it has only just been leaked, it may not yet appear in the database.
Once you’ve been made aware of the leak, stay vigilant! Keep an eye on the account that suffered the breach, but also be on the lookout for suspicious activity across the board. Pay especially close attention to your bank account and credit score.
Immediate Actions After a Password Leak
Time is on your side if you act fast. It takes time for the original hacker to sell your stolen credentials and even more time for another cybercriminal to use that data. Follow the steps below to protect yourself against the potential damage.
Change Your Password
Once you realize your password has been leaked, the first thing to do is change it before anyone can take advantage of the information. You can change your password using a password generator for powerful passwords which are resistant to brute-force and dictionary attacks.
If you know which account was to blame for the breach, log out as soon as you can, head to settings, and change to a strong password. If this is not possible for any reason, phone the company and ask to freeze the account.
Now that this password has been compromised, it cannot be used again. Some sites may recognize the leaked login credentials and prompt you to pick something else, but you also need to remain vigilant and not repeat passwords on different websites.
Change All Weak Passwords
Think about other places where you might have used that password. None of them are safe. It is estimated that weak passwords account for over 80% of data breaches.
Using the same password across multiple accounts is dangerous because when one is compromised, they all are.
After changing the originally affected password, work down the list on Google’s password checkup page.
You need to generate a strong and unique password for every account you use. Variations of the same password - especially the leaked one - will not cut it.
Go through your saved passwords and make sure they’re difficult to crack. If your old password was ‘password’, then ‘password1’ or even ‘password1!’ are poor replacements - and will not provide much of an obstacle to hackers.
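To make the point about poor replacements concrete, here is an added example (not part of the original article) that flags a candidate password as a variation of a leaked one, using the same normalizations that guessing software applies: case folding, stripping digits and symbols from the ends, and undoing common character substitutions. The function names, the substitution table, and the two-edit threshold are assumptions chosen for illustration.

```python
import re

# Common character substitutions, mapped back to letters (illustrative table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def core(password):
    """Reduce a password to its base word."""
    p = password.lower()
    # Drop digits/symbols tacked onto either end ('password1!' -> 'password').
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", p)
    # If nothing is left (e.g. an all-digit password), keep the whole string.
    return (stripped or p).translate(LEET)

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_variation(candidate, leaked, max_edits=2):
    """True if candidate is the leaked password in disguise."""
    c, l = core(candidate), core(leaked)
    if c == l:
        return True
    if len(l) >= 4 and l in c:  # leaked word embedded in a longer string
        return True
    return edit_distance(c, l) <= max_edits

if __name__ == "__main__":
    leaked = "password"
    for new in ("password1", "password1!", "P@ssw0rd2024", "orbit-lantern-velvet-canyon"):
        print(f"{new!r}: {'variation, reject' if is_variation(new, leaked) else 'ok'}")
```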
The easiest way to manage this is to use a password tracker, which can generate complex strings of characters and then remember them for you so you can log in to your accounts securely.
Another option to create a stronger security measure for your account is creating a passphrase. When it comes to choosing between a password vs passphrase, both can be secure, but generally passphrases are preferred as they can be easier to remember, longer, and more difficult for hackers to guess.
Log Out on All Devices
Don’t let hackers squat in your accounts.
Apps and sites do not always kick users out automatically after changing the password. This feature is convenient for daily use, as it saves you from having to re-login every time. In this case, it’s a hindrance. Unwanted users can stay logged in indefinitely, even though the password has changed.
Luckily, you can force them out yourself. Many sites have the option to log off on all devices, ridding you of anyone who signed in with the old password. You may be familiar with the concept if you have ever changed the password and logged off of all devices to get rid of squatters using your Netflix account for free.
In Meta’s account center, for example, you can see where your Facebook account is logged in and sign out from those devices. Once you’ve changed your password, hackers will not be able to log back in.
Check Third-Party Apps
Even after you've changed your password and logged out on all devices, you can still be caught out by third-party apps. These types of utilities may be providing hackers with a route into your accounts, and before you have noticed, it could be too late.
It is easy enough to disconnect these apps from your accounts. On Twitter, go to the Connected Apps page to see every app with access to your account. For each entry in the list, simply click ‘revoke app permissions’ to eliminate the threat.
On Facebook, go to the Apps and websites page. Click ‘view and edit’ to see the permissions granted to a particular third-party app, and ‘remove’ to disconnect it from your account.
While you’re thinking about which apps can access your data, check out our list of the least invasive phone apps for maximum security.
Set up Fraud Alerts for Your Credit
For the sake of your own cyber safety, assume the worst. Even if it was only a trivial account that got hacked, there’s nothing to be lost by being extra vigilant.
If there are any transactions you don’t recognize, call your bank immediately and let them know that some of your data has been breached.
If you do suspect foul play, go ahead and set up a credit freeze or fraud alert. This will make it difficult for a criminal to make any future credit applications in your name.
Tightening security might mean there are extra steps to take next time you need to apply for a loan or open an account. This is worth it, as imposters will be subject to the same scrutiny if they take any action.
Securing Your Accounts After a Password Leak
While it isn’t possible to 100% guarantee that you’ll never go through this again, you can still learn from the experience. Having used the steps above to minimize the damage this time round, take a look at the tips below to make it harder for a hacker to infiltrate your accounts again.
Improve Your Password Hygiene
You should already have changed the affected password and all its spinoffs. Going forward, however, you need to assess your overall approach to password hygiene.
Make sure that you’re regularly changing your passwords. This means coming up with something unique every time - never reusing old passwords or variations of them.
Don’t cycle through passwords either. Cybercriminals know that many users bring old passwords back into rotation, and may bide their time. If your old password is on the Dark Web, it can never be used again.
The difficulty is that you need to create something impossible for a hacker to guess - but you also need to remember it. There are only so many significant strings of words and numbers that you can memorize by heart.
The solution: use a password manager to generate a unique password and store it for you. Relying on this kind of software is much safer than trusting your own memory, or worse, writing all of your passwords down.
Implement Additional Security Measures
Having a strong password is foundational to cyber security. However, technology has advanced in ways that can be used to attempt to crack even the strongest passwords. Fortunately, there are more ways of securing and entering your accounts.
In banking, for example, the introduction of multi-factor authentication (MFA) and Interactive Voice Response (IVR) is helping to reduce fraud cases. How does IVR work? Used well, IVR automation makes phone calls more secure, even potentially eliminating the need for customers to speak their details out loud.
In your personal accounts, it’s a good idea to make use of two-factor authentication (2FA) and/or biometric authentication like Apple Face ID.
You may have noticed that two-factor or two-step verification has become more commonplace. It means that as well as a username and password, you also need a code generated by your phone to sign into an account.
As irritating as it can be when you’re rushing to get into an account on your laptop and you don’t have your phone to hand - this extra layer of security is worth having. Expert recommendations could not be clearer: everywhere that 2FA is available, switch it on.
If one of your passwords is leaked but 2FA is enabled, a hacker cannot get into the account in question.
You may also want to make use of biometrics - i.e., fingerprint scanners or facial recognition tools.
To add one more layer of protection, quickly review your security questions and make sure that they’re not easily guessable. This applies especially if you’re in the habit of commenting on public Facebook posts. Check our list of funny but sad cybersecurity memes to make sure you don’t end up a cautionary tale.
Educate Yourself on the Risks
Your data is out there. While you can’t take it back, you can gain awareness of the techniques and attacks to look out for. Read up on common attack vectors, such as email phishing scams and malware-infected pop-ups. Knowledge is power. Take your online safety into your own hands.
Password Leak Protection
You’ve reached the end - breathe a sigh of relief.
Having your privacy infringed upon is scary - it feels like a violation. But by following the immediate action steps (changing passwords, contacting banks, logging out all devices and third-party apps) you should be able to keep the fallout to a minimum.
While the worst is (hopefully) over, you still need to adopt good security practices, stay informed about emerging threats, and be vigilant.
Thinking about online threats can be overwhelming, but you can take control of the situation by reviewing your security details.
Don’t let the fear of cyber attacks hang over your head. Dive in, find the weak spots, and adapt. Strong, regularly changed passwords are key. Again, using a password manager is highly recommended.
If you are unfortunate enough to find yourself in this situation again, be prepared with the knowledge and the tools to act quickly and calmly.