In early January this year, it was reported that a dataset including the leaked credentials of over 71 MILLION unique passwords was spotted available for purchase on the dark web.
That in itself isn't unusual, big lists show up all the time, but they are usually mostly repackaged information that has been circulating for a while. This one was different - not only was it huge, over a third of the information was new.
Later that month, a leak SO HUGE, researchers called it the Mother of All Breaches, released 26 BILLION records.
These records included logins from a wide range of popular websites, including Twitter, LinkedIn, Adobe, Canva, Evite, AdultFriendFinder and dozens more. Compare that to one researcher's data leak checker, which contained records from all the biggest leaks - and only totaled 15 billion records.
Now just a few months later, another huge breach was detected, this one leaking 10 BILLION unique passwords.
Threat actors can use all that data for a wide range of attacks, starting with credential stuffing, where attackers use leaked credentials to gain access - either through passwords that haven't been changed yet, or by trying the same password sets against lots of different sites - in the hope that the person reused that password for other accounts. Other possible attacks include identity theft, targeted phishing schemes, and other sophisticated cyberattacks.
The first step is knowing that these leaks exist, and that you probably have one or more affected accounts.
The next step is doing something about it. Frankly, every solution is kind of a pain in the butt.
But it is so important to do it, and keep doing it, to try to stay ahead of the attackers.
Have I Been Pwned? https://haveibeenpwned.com/ is a free online tool you can use to check if your email or password has been part of a breach. You can also have the site notify you if your email shows up in a future breach. While it is not a complete catalog of every breach ever, it is one of the oldest, best, easiest tools you can use. As they say in their FAQ, "Whilst HIBP is kept up to date with as much data as possible, it contains but a small subset of all the records that have been breached over the years. Many breaches never result in the public release of data and indeed many breaches even go entirely undetected. 'Absence of evidence is not evidence of absence' or in other words, just because your email address wasn't found here doesn't mean that it hasn't been compromised in another breach."
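The password side of that check can be scripted without ever sending the password itself. As an added example that is not part of the original post, the block below uses Have I Been Pwned's Pwned Passwords range API (only the first five hex characters of the password's SHA-1 hash are sent; the matching is done locally), with a constructed sample response so it can be exercised offline:

```python
"""Added example: check a password against HIBP Pwned Passwords via the
k-anonymity range API. Only a 5-character SHA-1 prefix leaves the machine;
the service returns all suffixes sharing that prefix and we match locally."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented HIBP endpoint


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Parse a range response ('SUFFIX:COUNT' per line) and return the
    breach count for our suffix, or 0 if it is not listed."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count) if count.isdigit() else 0  # tolerate malformed lines
    return 0


def pwned_count(password, fetch=None):
    """Return how often the password appears in Pwned Passwords. `fetch`
    lets callers inject a range-fetching function (used for offline tests)."""
    prefix, suffix = sha1_prefix_suffix(password)
    if fetch is None:
        def fetch(p):
            req = urllib.request.Request(RANGE_URL + p,
                                         headers={"User-Agent": "pwned-check-example"})
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.read().decode("utf-8")
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample response for prefix 5BAA6 (not real service output);
# the middle line is the suffix of SHA-1("password").
SAMPLE_RANGE_BODY = """003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:2
"""

if __name__ == "__main__":
    n = pwned_count("password", fetch=lambda p: SAMPLE_RANGE_BODY)
    print(f"'password' appears {n} times in the constructed sample range")
```

Calling `pwned_count("...")` without the `fetch` argument queries the live service; a non-zero result means the password is already in attackers' lists and should be replaced.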
Use a Password Vault to Create and Remember New, Difficult Passwords: A password vault like 1Password, Keeper, or even Apple's iCloud can set and recall unique, long, hard-to-crack passwords for you. Most browsers will do this to some extent also, but may not be as secure. Some services include leak checking, and some will prompt you to reset aging passwords regularly. Do your research and choose the right vault for you.
Use MFA if Possible: MFA (multi-factor authentication) uses a secondary method to verify that every login is indeed coming from you. It usually uses something you own, like a text or app on your phone, or a special key, to add a second layer of protection. MFA will stop all but the most persistent attacks in their tracks. Read more about MFA here.
Change your Passwords: If one of your accounts appears on a list of leaks, CHANGE THAT PASSWORD IMMEDIATELY. Then change the passwords on any accounts using the same or similar passwords. Absolutely DO NOT just add a 1 to the end of the old password - come up with something completely new. See this blog post for tips on creating good passwords (or get a vault as previously suggested.) If you tend to reuse similar passwords, or your passwords are several years old - it might be a good idea to go ahead and change all your passwords. I did mention this would be a pain in the butt. It's worth it, I promise.
Great! Now Do it Again: If only this was a one-and-done thing, it would be nice, but breaches happen continually. Set a reminder on your calendar to check haveibeenpwned.com once a month, and/or to change any aging or sensitive passwords (such as for bank accounts) at that time also.
All Rights Reserved | Soteria, LLC