We've been hearing from a lot of folks who are concerned about recent reports that a crime ring in Russia has amassed somewhere in the neighborhood of 1.2 billion (yes, billion) stolen username-and-password pairs, many of them tied to email addresses. We're concerned too, which is why we continue to monitor the situation as it develops.
For now though, here are a few notes on what this means for ordinary users:
- Is it possible that your credentials have been stolen? Yes, it's possible. It's hard to say how likely, though, since information about exactly which websites were compromised hasn't surfaced, and may not surface.
- What does that mean? Experts such as Brian Krebs agree that the most likely use of the stolen credentials is spam: the criminals log in to compromised email accounts with the stolen addresses and passwords and use them to send spam to the victims' contacts.
- What can you do about it? We don't see an immediate need for every user to change every password right this second, but a breach of this size is a reminder to follow password best practices, as Krebs and our friends at Peak 10 have highlighted. Make sure every account password is strong: long, not a dictionary word or a predictable variation of one, and not something you have used before (here's a guide for how to do this). Change a password right away for any service you know or suspect has been breached, and rotate the important ones periodically. Most of all, do not use the same password for more than one service. If your Amazon password is also your Gmail password, then anyone who steals one of them has the other too; criminals routinely replay stolen email-and-password pairs against popular sites for exactly this reason. A password manager makes unique passwords practical, since you then only have to remember one.
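To make the reuse point concrete, here is a small added example (our illustration, not part of the original post or any of the reports it cites) that runs the three checks above over a constructed list of one person's accounts: it flags passwords shared between services, estimates how much brute-force strength each password has, and shows which other services a single leaked password would open. The account names, passwords and the short common-password list are all made up for the example.

```python
"""Password hygiene checks over one user's credential list (added example)."""
import math

# Constructed sample data for this example only: one person's accounts and
# passwords, the kind of list a password manager would hold. Not real credentials.
ACCOUNTS = {
    "mail.example.com": "Tr0ub4dor&3",
    "shop.example.com": "Tr0ub4dor&3",                 # same password as the mail account
    "bank.example.com": "correct horse battery staple",
    "forum.example.com": "password1",
}

# Tiny constructed deny list standing in for a real list of commonly breached passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def reused_passwords(accounts):
    """Return {password: [services...]} for every password used on more than one service."""
    by_password = {}
    for service, password in accounts.items():
        by_password.setdefault(password, []).append(service)
    return {pw: sorted(svcs) for pw, svcs in by_password.items() if len(svcs) > 1}


def charset_size(password):
    """Size of the smallest standard character set that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def estimated_bits(password):
    """Upper-bound strength: bits of entropy if every character had been chosen at random.

    A dictionary word with substitutions (like Tr0ub4dor&3) scores well here but is
    far weaker against a real cracker, which is why the deny list is checked too.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def weak_passwords(accounts, min_bits=60):
    """Services whose password is on the deny list or too short/simple to resist brute force."""
    return sorted(
        service for service, password in accounts.items()
        if password.lower() in COMMON_PASSWORDS or estimated_bits(password) < min_bits
    )


def credential_stuffing(leaked_service, accounts):
    """Simulate the attacker's replay: other services that the one leaked password also opens."""
    leaked_password = accounts.get(leaked_service)
    if leaked_password is None:
        return []
    return sorted(s for s, p in accounts.items() if s != leaked_service and p == leaked_password)


if __name__ == "__main__":
    for pw, services in reused_passwords(ACCOUNTS).items():
        print(f"reused on {services}: {pw!r}")
    print("weak:", weak_passwords(ACCOUNTS))
    print("a leak at mail.example.com also opens:", credential_stuffing("mail.example.com", ACCOUNTS))
```

Running it shows that the strong-looking `Tr0ub4dor&3` still hands an attacker the shop account the moment the mail account leaks, which is the whole reason unique passwords matter more than clever ones; in practice the deny list would be a breached-password corpus rather than five literals.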
Feel free to reach out with any questions. We will update the blog if there are any new developments. But, for now, use this as an opportunity to think about the way you create and manage passwords.