News.com.au today published an article encouraging people to change their email passwords. The article begins “The email addresses and passwords of 771 million people have been published online during a gigantic data leak”. This is not exactly correct. What has happened is that login information from various companies has been hacked into over the years, and it seems that some of that has been published in a massive document recently. This includes people’s login details from companies like Adobe, Dropbox, Kickstarter and more.
So it is not your email password that has been leaked, it is your login email address and password for those websites. Read on to find out if your email address was involved.
To see if you email address is involved, https://haveibeenpwned.com is a handy site. You simply type in your email address and it will tell you if your email address has been leaked from any of the companies that have been hacked.
I entered my email address only to find that I have been involved in 8 hacks:
The website will then go on to list the various attempts and give a little explanation of each one. My email address and login for dropbox were leaked in 2012, but at that time dropbox notified all the users to change their password.
Apparently Adobe was hacked in 2013. They did not notify their customers about this and I was still using my original login details that had been hacked. My account was been vulnerable for 4 years!
Let me explain the difference between your login details being hacked and your email password being hacked.
Let’s pretend that you have an email address with Google, your email address is ’email@example.com’ and your password is ‘doggy’.
Now let’s say you later signed up for dropbox. Dropbox would have asked you for an email address and a password. It is the most basic rule of passwords that you create a different password for each login, so for dropbox you might use the email address ’firstname.lastname@example.org’ and create a different password e.g. ‘cat’.
When dropbox was hacked in 2012, the hackers would have obtained your email address ’email@example.com’ as well as your dropbox password ‘cat’. You would have then received an email from dropbox asking you to change your dropbox password and you should have changed it, for example to ‘rabbit’.
As you can see, the hackers have not obtained your Gmail password ‘doggy’ because Gmail was never hacked. It was only your dropbox login details that were hacked. At this point he news.com article that your email address and password was hacked is slightly misleading.
Let’s say you are lazy and you decide to use the same password for everything. You use “doggy” for your Gmail account and you use the same password “doggy” for dropbox. When dropbox was hacked the hackers would have obtained the password “doggy” which is also your gmail password!
The problem with this scenario is that the hackers now have your email password “doggy”. The hackers could use this password “doggy” to log into your Gmail account.
Dropbox would have told you to change your password and you could have changed it, for example to “rabbit”, but your gmail account is still vulnerable. That’s why you would need to change your email password.
It is extremely important to make sure you use a different password for every online account that you have.
It is extremely important to make sure you use a different password for every online account that you have. This can get a little hard to manage. I have 854 passwords. That is why I like to use a password manager called 1Password. I have an article about it here.
Back in 2008 I wrote this post about how important it is to have a good password manager. A Password manager automatically generates a different password for every website that you use, and it remembers all those passwords for you. I recommend 1Password even though it costs $49. Safari has a built in password manager, but 1Password will work across different browsers like chrome as well.
Another feature of 1Password is that it all alerts you to any websites who have had their passwords leaked so that you can change my login details.
So (1) never use the same password for two different websites, and (2) a password manager will help you to do this.