Beware the Dark Web: 7 Ways to Avoid Leaked Credentials...

Nov 14, 2019 3:03:21 PM

My email address was leaked on the dark web. I know, I know. I'm not thrilled about it. See, we run scans looking for leaked credentials on the dark web every day and yesterday, well, my email turned up.

As it turns out, a service (Canva, an online desktop publishing service) I tried out a few months ago was breached. 139 million email addresses and passwords were compromised. Well...shucks.

I'm lucky though. I'd signed into the services via Google. That means my login was attached to an OAuth token and not a password. Canva wasn't able to find any evidence that their OAuth tokens database was compromised and they had been using AES128 encryption. So...good for me, bad for everybody who created a password and didn't create their account through another service.

I hate to say it, but showing up on that dark web scan was all but inevitable. Sites and services are breached every day. All things considered, I'm pretty lucky, but I'm not foolish enough to believe it won't happen again.

Rather than sit in the dark and lament my misfortune I thought it'd be good to share with you, dear readers, how you can avoid a worse fate and stay safe on the Internet.

  1. See if Your Email Has Been Leaked - There are a few ways for you to do this. If you're looking at doing this for your own, personal email account, I'd recommend a site like haveibeenpwned.com. You just go on there, type in your email address and it'll show you where your email has been exposed. If you're looking for a professional-level scan, I'd recommend you sign up for our FREE dark web scan. That'll show you which emails were compromised, where they were compromised, and whether or not the password was compromised along with the email address. Honestly, you never know what you're going to find when you run something like this; it can be an eye-opening experience, to say the least.
  2. Start Changing those Passwords - Yeah, you heard me. Change your password. Why, you may ask? Because: 73% of online accounts are protected by duplicate passwords. 47% of people have been using the same password for 5 years or more. Because of things like that, Google estimated in 2017 that hackers steal upwards of 250,000 web logins per week. I don't have an updated statistic, but I can only think the number of stolen web logins has increased since then. If you're like most folks, you've probably used the same password multiple times and for years. The longer you use a password and the more places you use it, the more likely it is to be compromised. Most web browsers will show you if you're using the same password for multiple accounts.
  3. Use Complex Passwords - The National Institute of Standards and Technology (NIST) recommends you use a minimum of 8 characters (and a maximum of 64). Obviously, we don't recommend you use all 64 characters (you'll never remember them), but we do recommend using something above the minimum. 10 or 12 characters should do the trick. Passwords can (and should) include any and all printable ASCII characters or Unicode characters, so there are plenty of combinations available for you to choose from, but that leads us to our next point...
  4. Use a Password Manager - Each and every password should be unique. That much is true. But if you're anything like me and you're logging into multiple sites and services every day, there's no way you're remembering each and every unique password. That's where a Password Manager comes in. If you're not familiar with the concept, it's pretty straightforward: a password manager manages your passwords. A good password manager helps you both generate secure passwords and access them when you need them. It's much easier to remember one unique, strong password that grants you access to your password manager than it is to remember 10, 50 or 100 for each site or service you use. You can even lock most with a YubiKey, allowing for added biometric security. We're personally really big fans of LastPass, which you can find more information about here.
  5. Cut Back on the Site and Services You Use - I got bit because I tried a service out for a publication process, I didn't like it and bounced. I was curious as to what Canva could offer me (someone who already has access to a variety of digital and desktop publishing tools). The luster wore off quickly and my curiosity wasn't worth the headache it ultimately provided me with. If you're anything like me and sometimes try out services without really thinking of the ramifications, you should probably take a minute or two to stop and think about what you're doing before you click submit on that sign-up form.
  6. Use a Burner Email - If you really must have the latest and greatest toy (or software/service) on the market but you're cautious of doling out valuable PII, create a burner account via a free service like Gmail. Make it specific to the service and don't give out your real name when filling out the profile. Since you're not really volunteering any PII, you're probably safe using a burner password as well, something that's easy to remember and you don't care about if it gets stolen. Just make sure you're not protecting something important with the same one.
  7. Ask for Approval Before Using your Work Email - Yep, I should have done this. Anytime you use a work email address to sign up for a site/service, think about who you might be compromising beyond yourself. There's a good chance the email you're using doesn't really belong to you. It belongs to the company you're working for, and as a result, it impacts your employer directly if you get hacked or phished because of leaked credentials. If you're looking to try something new, ask somebody above you if the service/site is right for your company before you sign up. Like I said above, stop and think before you sign up for something. If it's not going to benefit your employer or improve your workflow, don't use your company email address when signing up for it. Also, think before you use your company email address to sign up for a site/service that's TOTALLY unrelated to your work or inappropriate to use your work email address for.
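Points 1 through 3 above (check for exposure, stop reusing passwords, follow the NIST length rules) can be automated without ever sending a password anywhere. The example below is added here and is not code from the original post; it assumes the k-anonymity "range" response format used by the Pwned Passwords service behind haveibeenpwned.com (lines of `SHA1-SUFFIX:COUNT`, looked up by the first five hex characters of the hash) and uses a constructed offline stand-in for that service, so the counts it returns are sample values, not real breach statistics.

```python
import hashlib
import unicodedata
from typing import Callable, Dict, Tuple

# NIST SP 800-63B bounds quoted in the post: at least 8, at most 64 characters.
MIN_LEN, MAX_LEN = 8, 64

def normalize(password: str) -> str:
    """Apply Unicode NFKC so visually identical inputs hash identically."""
    return unicodedata.normalize("NFKC", password)

def length_ok(password: str) -> bool:
    """Count code points, not bytes, so Unicode passwords are not penalised."""
    return MIN_LEN <= len(normalize(password)) <= MAX_LEN

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex into the 5-char prefix that is sent to
    the range service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(normalize(password).encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines or padding entries
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the breach corpus (0 if unseen).
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# Constructed offline stand-in for the range service, keyed by hash prefix.
# The entry under "5BAA6" is the real SHA-1 suffix of "password"; the count
# is a made-up sample value.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "0000000000000000000000000000000000A:1\r\n",
}

def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")

def password_acceptable(password: str, fetch_range: Callable[[str], str] = offline_fetch) -> bool:
    """A password passes only if it meets the length rule and is unseen in breaches."""
    return length_ok(password) and breach_count(password, fetch_range) == 0
```

To run this against the live service, supply a `fetch_range` that performs an HTTPS GET of `https://api.pwnedpasswords.com/range/` followed by the five-character prefix; only that prefix leaves your machine.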

Written by Carl Keyser