(Jennifer Abel @ ConsumerAffairs) Bad news: if you're reading this, there's a very good chance you need to change your password because a 20-something computer hacker in Russia already knows it.
Of course, you've already read countless variations of that story: “Hackers break into database. If your information was on it, you must protect yourself.”
So when you hear about the hack attack du jour, you immediately want to know the specifics: which one of my passwords am I supposed to change this time? Which company or organization got its database hacked? What was the time frame?
And you expect an answer along these lines: “If you made any credit- or debit-card purchases at an XYZ store, or online at XYZstore.com, between January 13 and February 10, your information is at risk.” That also implies a comforting corollary: “If you've never shopped at XYZ, or at least didn't shop there between those two listed dates, you have nothing to worry about.”
Unfortunately, such information is not available for this latest hack. Even if it were available, it would be too much to summarize here in a single news article, because it's not just one company or website that's been attacked; it's at least 420,000 different websites, ranging from obscure little sites to major household-name companies.
The New York Times reported yesterday that researchers from Hold Security discovered a Russian cyber-criminal gang had “the largest known collection of stolen Internet credentials, including 1.2 billion [unique] user name and password combinations and more than 500 million email addresses …. [and] confidential material gathered from 420,000 websites, including household names, and small Internet sites.”
Hold Security wouldn't release the names of any affected companies or sites, due to non-disclosure agreements and also a desire to avoid identifying companies whose sites remain vulnerable. Therefore, there's no way for ordinary computer users like you to know which of your passwords were compromised, if any.
Thus far there's no evidence that the Russian hackers have been using stolen passwords to open false credit card accounts or commit other forms of identity theft; the hackers are primarily using this information to send spam to various social media accounts.
Whether you need to change your passwords or not, this latest hacker discovery serves as another reminder of this important online-security rule: don't use the same password across multiple sites.
Last month, for example, the online ticket-seller StubHub had over 1,000 customer accounts hacked into, yet the hackers never actually managed to breach the StubHub database.
Instead, they hacked into various other databases, or even installed malware on individual computers, in order to steal people's passwords from one account – email, online banking, social media sites, even small online discussion forums – and then test those stolen passwords to see if they'd work in customers' other accounts. And in the case of over 1,000 StubHub customers, it did.
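The StubHub pattern above (passwords stolen elsewhere, then tried one account at a time against another site) has a recognizable footprint in a site's own login logs: one source tries many different usernames in a short time and mostly fails. The following is an added editorial example, not code from ConsumerAffairs, StubHub or Hold Security; the log format, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article). Assumed format:
# "<ISO timestamp> <client IP> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2014-08-06T10:00:01 203.0.113.7 alice FAIL
2014-08-06T10:00:02 203.0.113.7 bob FAIL
2014-08-06T10:00:03 203.0.113.7 carol OK
2014-08-06T10:00:04 203.0.113.7 dave FAIL
2014-08-06T10:00:05 203.0.113.7 erin FAIL
2014-08-06T10:00:06 203.0.113.7 frank FAIL
2014-08-06T10:03:00 198.51.100.4 alice FAIL
2014-08-06T10:04:00 198.51.100.4 alice OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Yield (timestamp, ip, user, ok); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Flag IPs that try many *distinct* usernames, mostly failing, within one
    window. Breadth of usernames (not repeated tries on one) is the signal."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(not ok for _, _, ok in span)
            if (len(users) >= min_users and fails / len(span) >= min_fail_ratio
                    and len(users) > flagged.get(ip, {}).get("distinct_users", 0)):
                # "compromised": accounts where a reused password actually worked
                flagged[ip] = {"distinct_users": len(users), "attempts": len(span),
                               "compromised": sorted(u for _, u, ok in span if ok)}
    return flagged
```

The second address in the sample (one user, two tries, then success) is an ordinary mistyped password and is not flagged; the first is flagged, and its single successful login is the account whose reused password was the problem.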
Still: a thousand customers of a ticket-resale site is extremely small potatoes compared to 1.2 billion people. Consider: it's estimated that, as of 2014, there are 2.9 billion Internet users on the entire planet Earth. And of those 2.9 billion Earthling web-surfers, over 40% have their passwords in the hands of a small Russian hacker-ring.