560 million more passwords were exposed — was yours? – CNET

As if ransomware like WannaCry wasn’t enough to keep you up at night, there’s another password breach to worry about.

Well, sort of — security research center MacKeeper reported today that a massive database of stolen passwords has surfaced online. And while this database is composed largely of passwords from a variety of sources, many of them years old, its newfound accessibility — and conglomeration into a single collection — is cause for concern.

It’s also cause for action. Although “online safety” feels increasingly like an oxymoron these days, there are still steps you can take to protect yourself when breaches like this occur.

Improve your passwords

The most secure password in the world is useless if a hacker steals it, but a stolen password is far less useful to that hacker if it’s not the same password you use for every single log-in.

In other words, it’s essential that you employ a different password everywhere you conduct online affairs. And the only effective way to do that is with a password manager, which can generate and manage unique, robust passwords for all your sites and services.


Dashlane can automatically change your passwords, a huge time-saver and a great way to get ahead of security breaches.

Screenshot by Rick Broida/CNET

Of course, even password managers aren’t infallible, as LastPass users discovered last month. That’s why you should change passwords regularly — a potentially daunting task unless your password manager can perform it automatically. Dashlane and LastPass are among the handful that offer this handy feature.

Find out if you’re compromised

The aforementioned database contains some 560 million passwords. Want to know if yours are in there somewhere? Head to Have I Been Pwned, which checks to see if your email address appears in any database that’s been compromised.


The aptly named “Have I Been Pwned?” lets you know if your email address appears in a compromised database.

Screenshot by Rick Broida/CNET

If it does, don’t panic: Remember that many of the sources in that database are years old. For example, one of my email addresses was indeed “pwned,” but it was in the Dropbox breach of 2012 — and I’ve long since changed my password there.

Of course, it certainly wouldn’t hurt to change the password on any site(s) detected here. (Pro tip: Click Notify me when I get pwned so you can be informed if and when your email appears in the next breach.)

Enable two-step verification

Short of a fingerprint reader, two-step verification (aka two-factor authentication) may be the single best way to protect online accounts. Most commonly, the second of the two steps (the first being entering your password) involves entering a code delivered on demand to your phone. Even if a hacker has your password, he doesn’t have your phone, and therefore shouldn’t be able to bypass that second step.

Of course, this requires you to have your phone close at hand and able to receive text messages (or, if you use an authenticator app instead, data connectivity). It’s also an extra hassle.

Want to learn more? Read Matt Elliott’s “Two-factor authentication: How and why to use it.”

Delete old accounts

Remember AOL? Perhaps you had an account at one time, but haven’t touched it in months or even years. If it’s still active, and a hacker manages to break in, that still puts you at considerable risk. You might have all kinds of personal information stored there, to say nothing of photos and other media that should be kept private.

Thus, take some time to delete old, unused accounts. This is another way a password manager comes in handy: When it first imports all your passwords, you can see a full list of every account you have. Then it’s a matter of working your way through them and determining which ones you want to deactivate.

Alas, you’ll have to manually visit each site in turn and figure out how to actually delete your account. For help, turn to JustDelete.me, which provides direct links to the cancellation pages of hundreds of services.
