Over 2 Billion Stolen Emails and Passwords Surface Online

Exposure of hacked accounts far greater than initially thought. How to protect yourself.

Nearly 2.2 billion stolen emails and passwords have surfaced online for criminals to access, according to a German research group, exposing far more accounts than originally thought.

Initially, almost 773 million accounts were thought to have been exposed online, according to Australian researcher Troy Hunt.

But researchers from Germany’s Hasso Plattner Institute now say they’ve found four more batches of account information—all accessible for criminals to download. The discovery was first reported by German tech website Heise.de and later by Wired.

The information doesn’t appear to stem from a massive new data breach. It’s more likely to be an aggregation of consumer information stolen over the years from companies such as Yahoo, LinkedIn, and Dropbox.

To determine whether an email address or password has been compromised by these latest data dumps, consumers can consult the Identity Leak Checker provided by the Hasso Plattner Institute or Hunt's Have I Been Pwned? site.

It’s the "enormous" size of the data set and the fact that it’s packaged in a full-service list that makes this latest security threat noteworthy, says Emily Wilson, vice-president of research for the cybersecurity firm Terbium Labs.

Though the passwords may be outdated for Yahoo or LinkedIn accounts, hackers can still try to use them to access consumers' other accounts.

“If your Twitter password is compromised and you change it, but you’re still using the same password on your bank account, that’s a problem,” Wilson explains.

The stolen email addresses are valuable for use in phishing attacks.

According to Brian Vecci, field chief technology officer for the data security firm Varonis, huge data sets like this are also useful for machine learning, making it possible to study password patterns and develop stronger cyber attacks.

“Enterprising scientists can probably learn a lot with this data set," he says. "The same is true for attackers.”

Tips for Keeping Your Data Safe

“Consumers need to be protecting their accounts proactively," says Wilson, "in the same way they secure their homes and vehicles.”

Here are some tips for doing that.

Use better passwords. Great passwords go a long way toward protecting your information. Long, random sets of uppercase letters, lowercase letters, and special characters are best. And don’t use the same password for multiple accounts.

Vecci notes that a password manager can take the heavy lifting out of this admittedly daunting task.

Turn on 2FA. Make sure you’ve enabled multi-factor authentication, also known as two-factor authentication, on your accounts. This requires you to enter a second form of identification—such as a code texted to your phone—in addition to your password, before accessing your account.

That will go a long way toward keeping cybercriminals out, even if your password shows up in a dark web data dump.

Guard your info. Make sure that your social media posts are restricted to people you actually know. Facebook has a privacy checkup tool to help with this. And always think before you post. Private information has a way of becoming public.

And if you have an online account that you no longer use (remember MySpace?), delete it.

Perform those software updates. This is important not just for your laptops and smartphones but also for your router and any “internet of things” device connected to it. Known security flaws that have not been patched give hackers easy access to your network.

One good way to cover all your bases is to use an antivirus program and keep it updated. There are great AV packages out there—both free and paid—that cover traditional computers and mobile devices, too. For more info on those, Consumer Reports members can check out our full ratings.

Passing the Password Test

What's your password strategy when it comes to protecting your online accounts? On the "Consumer 101" TV show, a Consumer Reports expert explains what you need to know about password managers.

Bree Fowler

I write about all things "cyber" and your right to privacy. Before joining Consumer Reports, I spent 16 years reporting for The Associated Press. What I enjoy: cooking and learning to code with my kids. I've lived in the Bronx for more than a decade, but as a proud Michigan native, I will always be a die-hard Detroit Tigers fan no matter how much my family and I get harassed at Yankee Stadium. Follow me on Twitter (@BreeJFowler).