773 Million Consumer Accounts Had Email and Passwords Exposed

Data was briefly posted on hacking website. Here's how to protect yourself.


Almost 773 million consumer accounts worldwide had email addresses and passwords posted on a hacking website, making their social media and financial accounts vulnerable to cybercriminals.

The personal information, which came from previous security breaches at numerous websites, has since been removed. But it's a reminder that consumers should regularly change passwords for their email, social media, online banking, credit card and other important accounts. (Other protective measures are outlined below.)

"In general, you should always assume there's a strong chance that any account-password combo you have could be compromised," says Justin Brookman, director of consumer privacy and technology policy for Consumer Reports. "So you should act accordingly."


Australian security researcher Troy Hunt discovered the consumer files on the cloud service MEGA. "It's made up of many different individual data breaches from literally thousands of different sources," he explained on his website.

Hunt maintains the site Have I Been Pwned, which allows consumers to determine whether their email addresses or passwords have been compromised. You can check there to see if your information was included in this latest data dump.

While attempts to aggregate information from previous data breaches are not uncommon, this one, originally reported by Wired, is remarkable for its sheer size. It's one of the biggest dumps ever of consumer data, surpassed only by two earlier data breaches from Yahoo, which compromised more than 1 billion accounts.

"The sheer volume of data is striking, but a lot, if not all, of this data was already out there, just scattered in different places," says CR's Brookman. "It is remarkable, though, that people are taking the effort to collate and host this data for free."

This data dump included 772,904,991 email addresses as well as 21,222,975 unique passwords. About half of those 21 million passwords had not previously been leaked, to Hunt's knowledge. Even though the data has been removed from the internet, it's likely that cybercriminals had access to it before it was deleted.

Hunt stressed that verifying the veracity of the data in any kind of breach is "non-trivial." However, he added that his own information was included in the data dump. "My own personal data is in there and it's accurate; right email address and a password I used many years ago."

"It's not easy to know how much of it is new and/or legitimate, but there is definitely personal data in at least some of it," says Robert Richter, program manager for privacy and security testing at Consumer Reports.

How to Keep Your Data Safe

Here are four easy tips to help keep you safe online.

Use an alternate email: Most consumers are bombarded with requests for an email address. Sometimes you can simply refuse. But when you can't, make sure you're using an alternate email, known as a dedicated burner email, for your drugstore coupons and as the login for your favorite fishing forum. Keep a separate email, with a unique password, for your truly important accounts and don't ever give it out casually.

Don't reuse passwords: Hackers depend on the laziness of consumers. Cybercrooks may snag a password from a relatively inconsequential and easy-to-hack site, say a message board, and then hope that you used that same password for your online banking. While having a strong password is important, using a unique one is an even stronger defense, according to our experts. Having trouble keeping track of all your passwords? "Use a password manager, or just write them down in a hidden journal," says Brookman.

Freeze your credit: In the wake of breaches of financial data, like the massive one at Equifax, it has become easier to freeze your credit. You can do so for free at the four credit bureaus. That prevents cybercriminals from taking out a loan or opening a credit card in your name. If you need to access your credit, you can temporarily lift the freeze, and re-institute it once you've gotten your loan or new account.

Monitor your accounts: Even after you've taken these sensible precautions, it's important to take a moment to regularly check your important accounts for unusual or fraudulent activity and report any suspicious transactions immediately.

Passing the Password Test

What's your password strategy when it comes to protecting your online accounts? On the "Consumer 101" TV show, a Consumer Reports expert explains what you need to know about password managers.

Allen St. John

I believe that technology has the power to change our lives—for better or for worse. That's why I’ve spent my life reporting and writing about it for outlets of all sorts, from newspapers (such as the Wall Street Journal and the New York Times) to magazines (Popular Mechanics and Rolling Stone) and even my own books ("Newton’s Football" and "Clapton’s Guitar"). For me, there's no better way to spend a day than talking to a bunch of experts about an important subject and then writing a story that'll help others be smarter and better informed.