On February 25, 2014, Hold Security, LLC announced that it had discovered almost 360 million stolen account credentials including email addresses and passwords and 1.25 billion records solely containing email addresses in just the first three weeks of February.
The massive discovery is a result of multiple data breaches that Hold Security, LLC is currently investigating. Hold Security, LLC believes the credentials stolen were likely stolen in breaches not yet publicly reported and the breached entities may not know that their customers’ information has been compromised yet.
What is different about this data breach is that these records contain email account credentials, or usernames and passwords. This doesn’t sound quite as dangerous as, say, the Target breach because the Target breach contained payment card data. The compromise of payment card data is certainly dangerous and has a lot of potential to cause damage to victims; however, email account credentials can be just as dangerous if not more so.
First, the email usernames and passwords can obviously be used to access the actual email accounts themselves. This is an unsettling consequence of the data breach and poses significant harm to the victims because email accounts generally have copious amounts of sensitive personal information. Think about what is stored in your email account. Think about how long you may have had this email account. How many times did you email financial documents, work documents, tax documents, private pictures, reminders of passwords to other accounts, bank information and more? Just the email account itself can be a treasure trove of sensitive personal information to an identity thief who knows how to abuse it.
Second, we are all guilty of recycling a password, using it across multiple accounts so it is easy to remember. Identity thieves know this, and will use the passwords found by Hold Security, LLC to attempt to gain access to other accounts the victim has created. These could be bank accounts, retirement accounts, eBay accounts, PayPal accounts, and a multitude of online shopping accounts. This kind of widespread account access would be devastating to a victim.
Third, the account credentials can be used for spam and other phishing scams. A phishing scam is when a thief sends an official looking email from a business or individual, requesting that the recipient either divulge sensitive personal information or click on a link that loads a virus onto their computer or smartphone. Phishing is a very common tactic used by identity thieves and is listed as one of the top scams of the year by the IRS.
We are bringing this information to your attention to remind everyone that it is not just your Social Security Number that is valuable to identity thieves. You must take a comprehensive approach to protecting yourself. This means that you are vigilant about protecting all your data, including your mail, Social Security Number, medical insurance card, account usernames and passwords, passports, financial documents, tax documents, medical records and the list goes on. You must cast a critical eye on all sources of information about yourself and constantly destroy anything that is not absolutely necessary. Cross-cut shred all unneeded paper documents, delete any electronic information, and safely store any sensitive personal information that you absolutely can’t do without and you will be well on your way to being one step ahead of identity thieves.
"Hold Security, LLC Discovers Massive List of Stolen Credentials" was written by Matt Davis. Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.