Yesterday evening, the New York Times posted an article claiming Russian hackers are in possession of “the largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and more than 500 million email addresses.”
The massive amount of data supposedly comes from a variety of hacked websites, large and small, ranging from Fortune 500 companies to personal sites. It was retrieved by a hacker group that Hold Security – a security firm in contact with the group – has dubbed the CyberVors.
Reports of this breach raise a lot of questions that still beg answers, but one thing remains true: a stolen password is only as valuable as the accounts on which you have reused it.
The most important thing you can do to protect yourself from large-scale data breaches, today or any other day, is to make sure you’re using a unique password for every account. This is especially true for your Dashlane Master Password, which should always be unique to Dashlane.
Dashlane makes it incredibly easy to know and fix reused passwords. Check for reused passwords in your Security Dashboard, and rid your digital life of them once and for all by randomly generating strong, throwaway passwords. (Dashlane could not make this easier.)
The identities of the 420,000 sites supposedly hit by the CyberVors are unknown, so no one can tell you which passwords you need to reset. In this scenario, our advice is as follows:
- Start by resetting the passwords of the accounts that are most important to you: email accounts, financial accounts, etc.
- Then, move on to your personal accounts, such as social media accounts (which are often used to log in elsewhere and hold a lot of your personal information) or sites that are personal to you (Flickr, WordPress, etc.).
- Once the coast is clear, rinse and repeat.
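To show the reuse check and the reset order described above in working form, here is an added example that is not Dashlane's own code: it groups the entries of a small, constructed vault by shared password and then orders the affected sites so that email and financial accounts come first, followed by social and personal sites, then everything else. The vault contents, the category names and the tier numbers are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample vault (hypothetical entries, not Dashlane's data format).
VAULT = [
    {"site": "mail.example.com",   "category": "email",     "password": "hunter2"},
    {"site": "bank.example.com",   "category": "financial", "password": "hunter2"},
    {"site": "social.example.net", "category": "social",    "password": "S3cure!pass"},
    {"site": "photos.example.org", "category": "personal",  "password": "hunter2"},
    {"site": "blog.example.org",   "category": "personal",  "password": "S3cure!pass"},
    {"site": "shop.example.com",   "category": "other",     "password": "only-used-here"},
]

# Reset tiers, following the order in the advice above: the most important
# accounts (email, financial) first, then social and personal sites, then the rest.
PRIORITY = {"email": 0, "financial": 0, "social": 1, "personal": 1, "other": 2}


def find_reused(vault):
    """Return {password: [entries]} for every password used on two or more sites."""
    groups = defaultdict(list)
    for entry in vault:
        groups[entry["password"]].append(entry)
    return {pw: entries for pw, entries in groups.items() if len(entries) > 1}


def reset_plan(vault):
    """List the sites whose password is shared, in the order they should be reset."""
    affected = [e for group in find_reused(vault).values() for e in group]
    # Sort by tier first, then by site name so the output is stable.
    affected.sort(key=lambda e: (PRIORITY.get(e["category"], 2), e["site"]))
    return [e["site"] for e in affected]


if __name__ == "__main__":
    for pw, entries in find_reused(VAULT).items():
        sites = ", ".join(e["site"] for e in entries)
        print(f"password shared by {len(entries)} sites: {sites}")
    print("reset in this order:", reset_plan(VAULT))
```

Sites with a password that appears nowhere else (shop.example.com here) are left out of the plan, since only reused passwords carry the cross-site risk.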
As for your Dashlane Master Password and the data you keep encrypted in Dashlane – it’s safe there. Your Master Password is never transmitted, and your data is always encrypted locally with AES-256 before it’s transmitted.
We’ll be sure to keep you updated about this breach, and we’re thankful for those of you who trust your data to Dashlane. We hope you’re equally glad that we’re looking out for you, and that you’ll share Dashlane with your friends, colleagues, and family members and encourage them to break some of the bad password habits that hackers benefit from.
Update: Kashmir Hill, senior online editor at Forbes, followed up on this story with some important information about how the story broke. There are a lot of questions that still need answers – when were these stolen credentials amassed (i.e., over the past 5 months or the past 5 years); how is Hold Security able to check against this list of credentials without being in possession of them, and if they do have them, how exactly did they get them; what’s the nature of their relationship with the CyberVors, etc. Before handing over personal information to anyone – such as your email address, encrypted password, or credit card number – it’s important to have all the facts.