There’s a new Forbes article floating around about the trove of 183 million credentials that were recently leaked to Have I Been Pwned. The articles makes a big deal about the fact that there were “Gmail passwords confirmed” in the leak. Let’s break down why it’s a bad article and what you should have been told instead.
The article makes a big deal of the fact that “Gmail passwords” were included in the leak without saying a single word about the fact that your Gmail password is also your Google password. Google Photos, Google Docs, Google Drive, any site you’ve used “log in with Google” on… all these are compromised if your “Gmail password” is. It’s kind of laughable that this article goes to some effort to fearmonger about compromised “Gmail passwords” when the problem it’s trying to scare people about is actually worse than it says it is.
While the article understates the damage from the leak in that way, it overstates it in another. This article, and others that have reported about this leak, fails to provide the important context that if you practice decent device hygiene and your devices have not been compromised by infostealers, then none of your account passwords are in this leak. Furthermore, because we all have many accounts and infostealers vacuum up credentials from all of them, my guess is that you would have to divide that number by at least 3 or 4 to arrive at a reasonable estimate of the number of impacted people, which is far more relevant than the number of impacted accounts. Given that there are billions of people in the world who log into websites, and we’re talking maybe 20 million people affected by this leak, it’s actually pretty unlikely that you are.
Once the article is finished both understanding and overstating the problem it’s reporting on, it gets around to telling you what it thinks you should do about it, and it gets that wrong too.
- When discussing how your password manager can help protect you against compromised passwords, it focuses entirely on the Chrome password manager; there isn’t a single word about how other password managers offer similar features and protections. Maybe the author should have done some real research and reporting here rather than just paraphrasing the press release Google sent him.
- It focuses on people enabling 2-step verification on their Google accounts—again, just quoting from Google—rather than making it clear that they should be using strong two-factor authentication or passkeys for all of their accounts, wherever it is offered.
- It makes a brief nod to the fact that you should not be reusing passwords on multiple websites without making explicit that the best way to do that is to use a password manager, which everyone should be doing; “if you are a user of the Chrome password manager” is not the same as “you should be using a password manager!”
- It doesn’t say a single word about the fact that if your data is in this leak, then one of your devices was compromised, and you need to clean your devices and practice better device security practices in the future. Yes, how to do all this is beyond the scope of an article like this, but the article should at least mention it and linked to some outside sources for more information.
- While it does hint (under the misleading heading “What We Know About The 183 Million Passwords Data Leak”) that everyone should register with Have I Been Pwned to get notified automatically about breaches or leaks that impact them (well, aside from the ones HIBP is legally prohibited from warning you about), it is far less explicit about this than it should be.
Here’s the TLDR
- This isn’t just a Gmail problem.
- Register at Have I Been Pwned if you haven’t already.
- Practice good device security hygiene. Most importantly:
- keep your OS and apps up-to-date;
- keep your device security software enabled (macOS, Windows, iOS, and Android all have it built in; you probably don’t need to pay for a third-party antivirus tool);
- keep the malware protections in your web browser enabled; and
- if you keep important data locally on your device, back it up following the 3-2-1 rule.
- Change your passwords for any of the sites HIBP says have been compromised, if you haven’t already. While you’re doing that, enable strong 2FA (not email or SMS) or set up a passkey.
- Use strong 2FA or passkeys everywhere else.
- Use a password manager for all of your passwords, and use long, random, unique passwords generated by the password manager.
- Don’t invite hackers onto your device by falling for tech-support or ClickFix scams or enabling browser notifications from shady websites.
*sigh* OK, that last point isn’t as obvious as the previous ones. I can’t with a straight face explain them in a section entitled “Here’s the TLDR”, so I suppose this article needs to be a bit longer…
What are tech-support scams and how to avoid them
If anyone you don’t know tells you they’re helping you fix a problem with your computer and they need you to give them remote access or run some commands they send you, they are almost certainly scammers and you absolutely should not do what they’re asking.
If you suddenly see a pop-up on your computer telling you it’s compromised or broken and giving you a phone number you should call or website you should visit for help getting it fixed, this is almost certainly a scam and you should ignore it. If they’ve managed to make the message fill up the whole screen and you can’t figure out how to get rid of it, then this is even more true. The more flashier and loud the warning is, the more likely it is that it’s a scam.
Do not ask the bad guys how to make the message go away. They will manipulate you into compromising your computer. Ask someone you know in person for help. If you don’t have anyone to ask, call Geek Squad and ask them to come out and help you and show you how to get rid of the messages yourself next time. Believe me, paying Geek Squad a couple hundred dollars is preferable to giving hackers the run of your computer.
Also don’t fall for it if someone calls you randomly on the phone and tells you they’re from “tech support” or Microsoft or Apple or Google or whatever and they’ve detected a problem with your computer and they’re calling you to help you fix it. No one calling you on the phone to tell you they’ve detected a problem with your computer is legitimate.
What are ClickFix scams and how to avoid them
If a message pops up on your computer saying you need to copy and paste a command into a command prompt, the Windows run prompt (Command-R), your browser’s developer console, etc. to fix something, or to get through an “are you human?” check, it is a scam and you shouldn’t do it. The website you’re visiting is compromised, and the people who compromised the website are now trying to compromise your device as well.
These attacks often show you an innocent-looking command they’re telling you to copy and paste and say “Click here to copy this command,” but in fact when you “click here” it copies a malicious command that’s different from what they showed you. If you find that a bit difficult to grasp, think about the fact that this link doesn’t point to a website called “this link”.
Stop enabling crappy browser browser push notifications, just stop
There are a lot of shady websites out there trying to trick you into visiting them instead of the legitimate website you actually intended to visit. And for many of these shady websites, the very first thing they will do when you visit their homepage is pop up a message asking you to let them send you notifications. The pop-up often doesn’t even use the word “notifications”, it uses exciting, useful-sounding language, e.g., “Click here to to keep getting important news updates!”
If you’re the kind of person who tends to end up on these shady websites and say yes when asked to allow notifications, then you probably already know it, because you’re probably already getting notifications from them constantly.
Stop letting them do that to you.
These constant notifications are literally unhealthy, but aside from that, they’re also a security risk, because they are often used as a vector for tech-support and ClickFix scams.
You don’t need the notifications. You don’t need the constant dopamine hits. They are not healthy or safe.
Every browser is a little different, but you can search for, e.g., “Edge disable push notifications” or “Chrome disable push notifications” to find out how to turn off these notifications for the browser you use.
If you are absolutely certain there is a completely legitimate website you want to allow push notifications from, you can enable notifications manually for that specific website. This is usually accomplished by clicking a button or something to the left of the website URL at the top of the browser window to view and update the browser settings for this particular website.
