What To Do When Your Password is Leaked in a Data Breach 


Data Breach
AdobeStock 398445352

Don’t feel bad if your password is leaked in a data breach. Data breaches are a common occurrence, and the average cost of a data breach among companies surveyed in 2021 reached $4.24 million per incident. Both MSPs and their clients are vulnerable to these breaches. The most popular methods of carrying out such cyberattacks: exploiting poor password hygiene. 

Every time someone creates an online account, they put their personal data in the hands of strangers. We all hope that these companies are taking proper security measures and keeping our data safe. However, there’s little we can do to ensure that’s happening. What we can do is take steps toward better security on our side of the equation. This means practicing proper password hygiene and responding appropriately if your password is leaked in a data breach or pops up on the Dark Web.  

What’s the best course of action when these things happen? There’s a good chance you’ve already received a notice at some point. Perhaps from an online store, a medical provider, or a social media network? The notice informs you that your login credentials have been compromised during a cyberattack or your password is leaked in a data breach. The usual recommendation is that you should immediately change your account password. One factor working in your favor is that it often takes time for one hacker to sell the stolen credentials and another to start using that data to try to break into the accounts.  

Limit Exposure to Risk

Why do they go through all this trouble? Because your stolen passwords potentially open the door to your personal and work accounts. This makes them extremely valuable on the black market. Because so many people are careless with their passwords, even login data from a mundane website could give hackers a direct path into more important accounts. All they need to do is try your known password (and thousands of permutations generated by software) across your accounts. This method works so well that exploiting weak passwords is now the leading tactic of cyberattack by a wide margin.  

Over 80% of data breaches are due to poor password security. (Source: ID Agent

What can you do to limit your exposure to this risk? Let’s take a detailed look at how cybersecurity experts recommend responding when a password is leaked in a data breach. 

How to Respond When a Password is Leaked in a Data Breach

We mentioned earlier that time can be on your side — but this is only true if the password compromise is found early. The longer stolen data is floating around the dark web, the greater chance that it has already been used. It can take months to discover a data breach. Meaning that hackers often have plenty of time to play around with stolen passwords before anyone even realizes what’s happened. 

While acting quickly is important, it’s also critical to maintain good password hygiene before a breach happens. We’ll discuss this further as we move through these response steps.  

Change the Password Immediately 

As soon as you find out that your credentials may have been stolen, you have to snap into action. Hackers can quickly use software and bots to compare the stolen login and password against thousands of common websites and apps. If your stolen password has been reused on other accounts, you can bet that will be one of the first things they discover.  

This is why experts recommend using complex passwords that are unique for every account. You can eliminate a great deal of personal cyber risk just by using a password management tool that generates these unique, complex passwords for you (more to come on this).   

Change All Variations of a Compromised Password 

There’s an old joke about required password changes. Someone with their password set as “password” was told they needed to add a number. So they changed it to “password1”. Then they were told they needed to add a special character, so they changed it to “password1!”. 

Told in the right context, this is kind of funny. But what isn’t funny is that millions of people actually use this method to create their passwords. Yeah, there are a lot of online accounts with the password set as “password1!”. However, this is so easy to brute force that there might as well not be a password at all.  

When people are advised to change their passwords, they worry about forgetting the new password. Since this is an honest concern, most users will simply change a character or two on their old password. Cybercriminals know and exploit this fact regularly. Using cracking software, they can take just a few characters of a compromised password and quickly figure out the rest of it, even if it was recently changed.  

To make uncrackable passwords, never reuse old passwords or variations of them. And don’t cycle through passwords over time, as cybercriminals know users often bring old passwords out of retirement. They will run that password through their system for years just waiting for it to make it back into your rotation. 

Get and Share Information About the Breach 

We mentioned breach notifications earlier in this article. If you’re really fortunate, you may have never seen such a notification for yourself. The protocol for these notices differ from company to company, but the idea is the same: 

If your data is involved in a major data breach, the victim organization will likely post ongoing updates and disclosures about which customers were affected. (In some cases, government regulations require them to do so.)  

The notification will generally include guidance on what you should do next. You can expect “change your password” to be top of the list. Although, some notices may involve advice about medical records, credit history, etc. depending on the nature of the breach.  

Take these notifications seriously, even if the breach hasn’t affected an account that you consider high-priority. Remember, one leaked password creates ripples that can easily reach accounts that you consider more important.  

Being part of an organization or responsible for IT, you may have a bigger role in sharing information about a breach and helping stakeholders secure their accounts. If you discover the credentials that have been compromised are work-related, it’s critical to ensure that compromised passwords aren’t tied to internal network and data. If it is, it must be reported so those systems can be protected. You may decide to force a password reset throughout the company and require all staff members to use complex, unique passwords. It’s absolutely critical at this juncture to ensure no one reuses an old password or a permutation thereof.  

Enable Two-Factor Authentication 

Expert recommendations on 2FA are now very clear: use it anywhere that it’s available. 2FA creates another identification method on accounts that make it very difficult, if not impossible, to gain access to accounts simply by getting hold of their passwords.  

Even if a hacker gains access to someone’s credentials, they won’t be able to access the associated account unless they can pass the second factor of authentication. 2FA usually pushes one-time secret codes to the user’s cell phone. This adds a very difficult to beat step to the process of accessing your account.  

Watch Account Activity and Check Credit Reports  

Vigilance falls upon you, the end user, after a data breach. You will need to monitor your account at the service/company that suffered the breach, as well as your bank account and other financial accounts for suspicious activity. It’s also wise to check your credit score and look for unauthorized accounts created in your name. 

Freeze your credit 

As a preventative measure, you can freeze your credit if there’s any possibility of foul play. Simply contact each of the three credit bureaus (Equifax, Experian, and TransUnion) and request to freeze your credit so that no new credit accounts can be opened in your name. You can reverse this request at any time, and freezing your credit doesn’t cost anything.  

Obviously, this measure prevents you from applying for new credit as well.  

Implement a Password Manager 

When it comes to password hygiene and protecting your identity, a password manager is one of the best tools on the market.  

Password managers like Password Boss can auto-generate long, complex passwords that are nearly impossible to hack – and it’s extremely easy to create unique passwords for every account.  

If you’re concerned about security within your organization or business, your staff should be required to use password managers, particularly on their work-related accounts. This will help address the common problem where an employee’s work passwords are the same as their personal passwords and a simple breach leads to your business’ data being compromised. The added benefit is that your employees can use the password manager for their personal accounts as well, thereby making them more secure all around. 

Data breach statistics are not shrinking by any means. With each new attack, the number of compromised users increases exponentially. This means millions of viable (but weak) passwords are on the Dark Web just waiting to unlock access to a victim’s private, work, and financial data.  

Good password hygiene and awareness are important when it comes to avoiding the increasing threat. Password managers are important tools — for individuals, enterprises, and IT providers alike — that help make password security easier, faster, and hassle-free.  

Considering a Password Management Solution at your MSP?  

  • Built-In Dark Web Monitoring Feature 
  • Strong Password Generator 
  • VAR / Reseller Program 
  • MSP Management Portal 
  • Integration with Many MSP Tools 
  • A High Margin, Profitable Option for MSPs