A huge unsecured credential database discovery is a great reminder to change your passwords

Today's report by security expert Jeremiah Fowler of a massive unsecured database full of usernames and passwords shouldn't necessarily frighten you, but it should spur you to action. If you have any weak passwords protecting accounts with sensitive information, or if you've reused the same password — however strong — on multiple accounts, now would be an excellent time to change them and set up two-factor authentication.

Fowler reported on Website Planet that the database, which he found unlocked and without any encryption on an anonymously registered server, contained a little over 184 million records. These included usernames, emails, passwords, and direct links to the URLs for logging into the relevant accounts. While Fowler was able to get the hosting provider to lock the server, he couldn't find any hard evidence about who compiled the database, nor whether they had used or shared the information.

There are a couple of reasons not to panic here. 184 million records exposed doesn't mean 184 million people exposed — it's just the number of rows in the database. If the info was gathered through malware, as Fowler believes, it's likely to have gathered multiple records from every infected device. That's obviously still bad, but fewer people have been affected than it may seem from the number alone.

The database also contained no information that could be used for two-factor authentication, so anyone with a second factor set up has much less reason to worry. Don't forget, though, that one weakly secured account is a liability to the others. For example, a hacker could gain access to your email, then use that access to break through 2FA on your bank account.

The potential consequences of having your password stolen are severe enough that it's worth taking common-sense steps. Since the database wasn't leaked on any of the usual dark web sources, its data likely won't show up on breach checkers like HaveIBeenPwned. However, Fowler did share with Wired reporters that he tested a sample of 10,000 fields in the database, and found passwords to the following platforms:

• Facebook

• Google

• Instagram

• Roblox

• Discord

• Microsoft

• Netflix

• PayPal

• Amazon

• Apple

• Nintendo

• Snapchat

• Spotify

• Twitter

• WordPress

• Yahoo

• Online banks

• Online wallets

• Healthcare web apps

• Government employee accounts

If you have an account on any of those platforms without two-factor authentication, we recommend changing your password and setting up 2FA as soon as possible. Pay special attention to platforms like Roblox and Nintendo where your kids might have set up their own accounts and not bothered with 2FA. As Fowler points out in his blog post, even seemingly innocuous accounts might have personal information lying around.

This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/a-huge-unsecured-credential-database-discovery-is-a-great-reminder-to-change-your-passwords-210537400.html?src=rss https://www.engadget.com/cybersecurity/a-huge-unsecured-credential-database-discovery-is-a-great-reminder-to-change-your-passwords-210537400.html?src=rss