A firm called Hold Security has announced its discovery that a single hacker group holds over a billion user credentials (usernames/passwords). “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” Alex Holden, the founder and chief information security officer of Hold Security, told the New York Times. “And most of these sites are still vulnerable.”
Many of us have experienced our credentials being hijacked - or have received emails or social media messages from someone we know to whom this has happened. Typically, access to an email account simply lets the hacker spam the contact list to phish them or to advertise products - which they make money doing. If your account is hijacked in this way, it is a matter of resetting your account credentials with a new username and password. After doing so, you're only as safe as your credentials and no less vulnerable to the same attack the next time the threat comes around. Access to even seemingly benign credentials can open the door to much more serious risks, like identity theft, which can take years to untangle, and liability for financial transactions that can take place under these circumstances (most banks protect against this kind of fraud on credit cards, but if the hacker reaches your cash, it's a different story).
If your credentials are in a database like the one Hold Security identified, it doesn't matter how secure your password is (length, varied characters, etc.). Well-meaning companies you deal with, who will contact you after discovering the breach, will advise you to change your password - a process with which by now we are all familiar.
But what's really needed here is a deeper collective understanding of our digital identities, and better ways to protect them. Two-factor authentication (which has been discussed previously here, here and here in this blog) is a good way to start taking control of your credentials - so that a username and password alone are not enough to compromise you - but often the impact on user experience (waiting a bit longer to access your favorite site, carrying around a piece of hardware that's easy to lose and expensive to replace) hinders adoption by both end users and organizations.
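To make the point concrete, here is an added example (not code from this blog or from Hold Security) of a login check that requires both the password and a time-based one-time code (TOTP, RFC 6238). The user record, salt, shared secret and password are constructed for the demo; the only real values are the RFC 6238 reference vectors used to sanity-check the code generator. A password copied out of a leaked database is rejected unless the matching second factor is presented.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values; in a real deployment the salt is random per user
# and the TOTP secret is generated at enrollment and shared with the
# user's authenticator app only once.
DEMO_SALT = b"demo-salt-16byte"
DEMO_TOTP_SECRET = b"constructed-shared-secret"
DEMO_PASSWORD = "correct horse battery staple"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Hypothetical user store: only the hash and the TOTP secret are kept.
USERS = {
    "alice": {
        "pw_hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
        "salt": DEMO_SALT,
        "totp_secret": DEMO_TOTP_SECRET,
    }
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then RFC 4226
    dynamic truncation to a fixed number of decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login(username: str, password: str, code: Optional[str],
          now: Optional[int] = None) -> bool:
    """Both factors must pass; a correct password with no code is a failure."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["pw_hash"]):
        return False
    if code is None:
        return False
    now = int(time.time()) if now is None else now
    # Accept the current 30-second step and one step either side for clock drift.
    for drift in (-1, 0, 1):
        expected = totp(user["totp_secret"], now + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    t = int(time.time())
    print("password only:", login("alice", DEMO_PASSWORD, None, now=t))
    print("password + code:", login("alice", DEMO_PASSWORD,
                                    totp(DEMO_TOTP_SECRET, t), now=t))
```

The generator is checked against the RFC 6238 Appendix B vectors (secret `12345678901234567890`, SHA-1), so the same function works with any standard authenticator app; the window of plus or minus one step is the usual trade-off between tolerating clock drift and narrowing the guessable set of codes.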
If a hacker has your password, you should think about how many more times you want to go through this, because this won't be the last time, unless and until we collectively commit to better security.