Over 1 billion accounts compromised – is yours safe?
This week we’re looking at passwords, after security expert Troy Hunt reported that his “Have I Been Pwned” (HIBP) service has taken in a staggering 2 billion unique email addresses and 1.3 billion unique passwords.
The records come from breach dumps, from logs exfiltrated by infostealer malware, and from the credential-stuffing lists that criminals compile from both.
Even a credential leaked years ago still poses a danger. Cybercriminals continually replay old email-and-password pairs against live services in automated “credential stuffing” attacks, so if you reuse passwords across accounts, you are an easy target.
You can read Hunt’s blog post about it here >
How to check your exposure
Go to Have I Been Pwned (HIBP) and search both your corporate and personal email addresses. If an address appears in a breach, reset that account’s password immediately, along with any other account where the same password was used. For a whole organisation, HIBP’s domain search (after you verify ownership of the domain) lists every address on your domain that appears in its data. You can also check individual passwords against HIBP’s Pwned Passwords service: the client sends only the first five characters of the password’s SHA-1 hash, so the password itself never leaves your machine.
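A minimal client for the Pwned Passwords check described above, written as an added example for this post (it is not code from the article or from HIBP). It assumes the public range endpoint https://api.pwnedpasswords.com/range/<prefix>, which returns one "<suffix>:<count>" line for every known hash that shares the five-character prefix; the SAMPLE_RANGES data below is constructed for offline use and is not real HIBP output.

```python
"""Pwned Passwords k-anonymity check (added example, not HIBP's own code).

Assumptions:
  - GET https://api.pwnedpasswords.com/range/<5 hex chars> returns lines of
    the form "<35 hex chars>:<count>"; with the "Add-Padding: true" header the
    response also contains decoy suffixes whose count is 0.
  - SAMPLE_RANGES is constructed sample data for offline runs, not real data.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn a range response into {suffix: count}, dropping padding entries (count 0)."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Number of times the password was seen in breaches, or 0 if never.

    range_lookup maps a 5-character prefix to the raw range body; only the
    prefix is passed to it, so the full hash never leaves this function."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(range_lookup(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup against HIBP. Padding hides which suffix we care about from
    anyone watching response sizes."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample range for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts and the other suffixes are made up for this example.
SAMPLE_RANGES: dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "2F8FA8F9D3A2B1C4E5D6F7A8B9C0D1E2F3A:0",   # padding entry
        "A1B2C3D4E5F60718293A4B5C6D7E8F90A1B:12",
    ]),
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-9f3"):
        print(f"{candidate!r}: seen {breach_count(candidate, offline_lookup)} times")
    # For a real check, swap the lookup: breach_count(candidate, fetch_range)
```

Only the five-character prefix is ever sent, so HIBP cannot learn which password was checked; the client compares the remaining 35 characters locally. For a business rollout the same check belongs in the password-change path (a directory password filter or identity-provider hook) rather than in a one-off script.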
Best practices for password security for your business
🔐 Enforce strong, unique passwords – ensure staff are using strong, randomly generated passwords. A password manager is ideal for generating and storing these securely.
🛠️ Use a trusted password manager – we recommend using reliable password manager options (e.g., Dashlane, Bitwarden, 1Password) to generate, store, and autofill complex passwords. Also, make sure the auto-update functionality is on to patch vulnerabilities promptly.
✍️ Avoid reused passwords – even slightly modified reuse (Summer2024! becoming Summer2025!) is caught by credential stuffing, because attackers run rule sets that try exactly those variations. Everyone should use a unique password for each account.
📧 Implement email aliases for accounts – these are alternative addresses that deliver to your main inbox without a separate account, e.g. jane+service@company.com instead of jane@company.com. Giving each service its own alias makes it easy to see which service leaked an address and to disable that alias quickly. Note that “+” sub-addressing is trivially stripped by attackers to recover the base address, so treat it as a way to attribute and contain leaks rather than as protection against them; a dedicated alias domain or aliasing service gives stronger separation.
🔒 Harden your defences against infostealer malware – only install software from reputable sources and avoid cracked or pirated tools. Keep antivirus updated and real-time protection enabled. Research browser extensions before installing them: look at reviews, developer reputation, and media coverage, and remove extensions you no longer use.
🔄 Enable multi‑factor authentication (MFA) – require MFA on all sensitive or privileged accounts (email, admin consoles, VPNs). Authenticator apps or hardware tokens are more secure than SMS codes, and phishing-resistant methods such as FIDO2 security keys or passkeys are best, since a stolen password alone is then not enough to log in.
🧾 Regular monitoring and audits – encourage staff to carry out monthly or quarterly audits using HIBP, Pwned Passwords, and dark‑web scan tools.
🔁 Promote a culture of security – educate users about phishing, suspicious downloads, and social engineering.
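A small policy helper that ties the “strong, unique” and “no slightly modified reuse” points together, added here as an example (it is not the article’s code or any product’s). It generates random passwords with Python’s secrets module and, for a candidate password, strips the transformations a credential-stuffing rule set would undo (case, trailing symbols, trailing year or digits, simple leetspeak) to see whether it collapses to a known-breached password. The mangling rules are an assumption about common habits, and the BREACHED set is constructed sample data, not real breach content.

```python
"""Random password generation plus a 'slightly modified reuse' check.

Added example, not from the article. The normalisation rules are an
assumption about the variations credential-stuffing tools try; BREACHED is a
constructed sample, not real breach data.
"""
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# Common leetspeak substitutions to undo. '1' is mapped to 'i'; it could also
# stand for 'l', which a fuller rule set would try as a second candidate.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def generate_password(length: int = 20) -> str:
    """Cryptographically random password; 20 characters from a 76-symbol
    alphabet is roughly 125 bits of entropy."""
    if length < 16:
        raise ValueError("use at least 16 characters for generated passwords")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def normalize(password: str) -> str:
    """Reduce a password to the core that attacker rule sets would recover:
    Summer2024! -> summer, P@ssw0rd1! -> password."""
    core = password.lower()
    core = re.sub(r"[^a-z0-9]+$", "", core)     # trailing punctuation
    core = re.sub(r"(19|20)\d{2}$", "", core)   # trailing year
    core = re.sub(r"\d+$", "", core)            # any other trailing digits
    core = core.translate(LEET)                 # undo leetspeak
    core = re.sub(r"[^a-z0-9]", "", core)       # drop remaining punctuation
    return core


def breached_cores(breached: set[str]) -> set[str]:
    """Pre-compute the normalised form of every known-breached password."""
    return {normalize(p) for p in breached}


def is_variant_of_breached(candidate: str, cores: set[str]) -> bool:
    """True if the candidate is a trivial variation of a breached password."""
    return normalize(candidate) in cores


def evaluate(candidate: str, cores: set[str], min_length: int = 16) -> tuple[bool, str]:
    """Apply the policy; returns (accepted, reason)."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_variant_of_breached(candidate, cores):
        return False, "variation of a breached password"
    return True, "ok"


# Constructed sample of 'breached' passwords (not real breach data).
BREACHED = {"password", "Summer2019", "Welcome1", "P@ssw0rd"}
BREACHED_CORES = breached_cores(BREACHED)


if __name__ == "__main__":
    for candidate in ("Summer2025!!", "Passw0rd2024#", "Welcome123", generate_password()):
        accepted, reason = evaluate(candidate, BREACHED_CORES)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The point of the normalisation step is that to an attacker “Summer2019”, “Summer2025!!” and “summer2026” are one password with a rule applied, so a policy that only compares exact strings against a breach list lets the variant through. In practice the breached set would be the organisation’s own leaked credentials plus a Pwned Passwords lookup, and the check should run wherever passwords are set, not in an annual audit.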
In conclusion
By taking these proactive measures, you can significantly reduce the risk posed by large-scale credential leaks and modern cyberthreats.
Taking these steps now can help prevent costly breaches later.
Need help implementing these measures?
Talk to us
