#how to hack facebook password
I’m starting a collection
#context: mcr’s facebook was hacked#they really need to use better passwords how does this keep happening#my chemical romance#mcr#fall out boy#dallon weekes#idkhow#I don’t condone hacking but the guy who hacked dallon’s twitter had the chance to do the funniest thing. and then he did.
35 notes
I've seen you say a few times that it's a good idea to have a password manager; could you explain why? I always feel like I'm missing something when it's mentioned because it's phrased as if there's an obvious danger that password managers protect you from, but I'm honestly not sure how they help keep passwords secure.
The obvious danger is human nature. Humans are bad at creating passwords; your passwords are almost certainly easy to guess, repeated across different accounts, or both, because that is just how the vast VAST majority of people create passwords, because humans are bad at creating passwords. Everybody knows "the rules" for creating passwords (don't use the same password on multiple websites, don't include personal details in your passwords, don't use very common words or letter or number sequences in your passwords, don't tell other people your password) and people break all of those rules anyway.
A standalone (not in-browser like firefox or chrome password manager, though those are better than nothing) password manager stores your passwords, generates complex passwords for you, and can also be used for things like storing notes on passwords (like "did I put my MFA on my email or my cellphone or an app for this password?" or "here are the made-up answers to the security questions I used for this website because I definitely didn't use real answers or answers I'd used on previous websites" or "these are the bills associated with this credit card").
With the way the current security landscape works, there are two things that are extremely important when you are creating a password:
Uniqueness
Complexity
The overwhelmingly prevalent way that people get "hacked" these days is through credential stuffing.
Let's say that your private data was revealed in the Experian breach a decade ago. It revealed your name, email address, and phone number. Now let's also say that your private data was revealed in one of the many breaches from social media sites; that one revealed your name, email address, phone number, password, and security questions.
If someone wants to try to gain access to one of your accounts - let's say your bank account - if they have your name and phone number (usually extremely easy to find online), they can cross-reference that information with data that has been revealed in previous breaches - now they've got your name and your email address (which you probably used to sign up for your online banking and have ABSOLUTELY used as your login for accounts all over the place) and at least one password that you've used somewhere.
But the thing is, they don't have one password. They have every password associated with that email address that has ever been revealed in a breach. If you go to the site haveibeenpwned.com you can enter your email and see how many times your email address has appeared in a breach. You can compare that with the number of passwords that were revealed in those breaches and you can ask yourself "what did those passwords have in common?"
Because I can tell you, my Tumblr password from 2013, my Kickstarter password from 2014, and my Disqus password from 2017 (all revealed in various breaches) probably had a lot in common.
So, now the hacker has: your name, your email (which is probably your username), and various passwords they can try to use to log in. Did you use the same password for Facebook and Twitter eight years ago? Did you use parts of that password for creating your bank password? If you heard that twitter passwords were exposed in a breach you probably changed that password, but did you change the bank password that you built on the same structure? Probably not.
So what people will do is gather up all of this information and guess. They'll try your 2017 Disqus password to see if it will get access to your bank account. They'll try your 2020 Gravatar password. They'll try your 2024 Internet Archive Password.
And the reason they do this is because it works.
And the reason that it works is because we are all fucking garbage at remembering unique, complex passwords so instead of creating actually unique, complex passwords most people pick one memorable word or phrase, one memorable number, one unusual character, and *MAYBE* one feature of the site they're creating the login for and they use that template forever (1988Tumblrmacabre!, 1988Facebookmacabre!, 1988Ticketmastermacabre!) OR they create one password that they think is complex enough and use it across multiple sites with minor tweaks ($n0h0mi$hRu13z, sn0h0mishRul13z!, $n0h0mi$hWA) as needed for the sites' password requirements.
So most of what password managers do that is a drastic security improvement over people creating and memorizing passwords is that they create passwords that are functionally impossible to guess and functionally impossible to memorize. The problem with memorizing passwords (which is what you're doing if you're creating a bunch of passwords that you type in all the time) is that you can't actually remember all that many passwords so you'll repeat those passwords. The problem with creating passwords on your own is that passwords that humans create are pretty guessable. Even if you're doing a passphrase that's a long string of words you're probably working with common words ("correct horse battery staple" as opposed to "truculent zygote onomatopoeia frangible") and your password is more guessable than you'd really want it to be. Password managers don't do that, they generate gibberish.
Perhaps you are that rare person who gets out a set of dice and a notepad and rolls up every character for your password and memorizes it and never repeats, and if that's you, you could still benefit from a password manager because a password manager makes it easier to change that unique complex password when it is inevitably revealed in a breach.
So, okay, let's check in with where we're at:
Password managers mean that you don't have to memorize your password, which means that you don't need a password that is easy to memorize, which means that they can create passwords that are extremely complex and are therefore very difficult to guess. This protects you from crackers who will try to brute force your password.
Password managers mean that you don't have to remember extremely complex passwords for every account, which means that you are less likely to repeat your password in whole or in part across multiple accounts. This protects you from credential stuffers, who will try to use your password from one account that was revealed in a breach to open other accounts that were not.
Because password managers can generate and store complex passwords essentially instantly, you can replace passwords nearly effortlessly when there is a breach (no need to 'come up with' a new password, no issues with learning or memorizing it).
There are, however, advantages beyond that.
One major, MAJOR advantage of a properly-used standalone password manager is that it makes you safer from various kinds of phishing attempts and link hijacking. When you are setting up a password in your password manager (PWM from here on), you should be on the website that you want to log in to. The PWM will give you the option to save the domain that you're logging in to. That means the PWM will remember the correct URL for your Tumblr login so when you go to the tumblr login screen in the future, it will offer to fill those fields. What it will NOT do is offer to fill those fields if someone sends you an email that spoofs tumblr support and wants you to log in at "tumblr.co" or "tumblr-support.com." Knowing this, and knowing that you should be putting your credentials in through the PWM fill option rather than copy/paste, is a GREAT way to protect against phishing that is often overlooked and definitely under-discussed.
Another advantage is that a standalone PWM will let you store secure notes with your passwords so that you can do things like keep track of recovery codes for the website, or generate gibberish answers to security questions. Security questions and answers are often revealed in breaches, can't be reset by the user as easily as a password, are repeated across websites MUCH more than passwords, and can be used to take over an account and reset the password. You shouldn't be giving real security answers, or even fake-but-repeated security answers; you should treat each of those like a password that needs to be complex and unique, which means that they need to be stored someplace (like a password manager).
I also personally use my password manager to store my car insurance information, my driver's license info, and payment details for easy entry, making it convenient for a lot of things beyond password storage. (Bitwarden. My password manager is bitwarden. I recommend Bitwarden. go to ms-demeanor.com and search "bitwarden" to learn more.)
As to how they keep your passwords safe, aside from ensuring that you don't enter your credentials into a skimming site, a good password manager is well encrypted. Your password safe should be functionally impossible to crack and what people tend to not realize is that a proper password manager (like bitwarden) doesn't keep all your passwords in one encrypted safe, each one of your passwords is in its own encrypted safe. If someone hacks Bitwarden it's not like using a huge amount of effort breaking into a bank vault and finding a big pile of money, it's like using a huge amount of effort breaking into a bank vault and finding a big pile of bank vaults. Each password within your vault requires decryption that is functionally impossible to crack (at least with a good password manager, like bitwarden, the password manager I recommend and think that people should use).
Additionally, just as, like, a side note: password managers never accidentally leave caps lock on or forget which characters are capital or lower case and don't require the use of two hands and focused attention on the keyboard. You're never going to mistype your password if the password manager is filling it, and you would not believe the number of people we support at work who require password resets because they are typing their password wrong and don't realize it.
TL;DR:
Password managers make better passwords than you can and they make it possible to instantly create, store, and enter complex passwords, which prevents password cracking and makes people less likely to reuse passwords. They are heavily encrypted and should be functionally impossible to access, and each individual password within the manager should also be encrypted if you use a good password manager. Password managers also prevent people from entering their credentials on scam sites by only filling on matched domains. Standalone password managers (not browser password managers) also allow users to create and store unique security questions and account details to prevent bad actors from gaining access with stolen security answers. The password manager I recommend is Bitwarden.
If people used password managers to create, store, and use unique and complex passwords, and if they did regular backups of their system I think that probably about half of the InfoSec field would be out of a job.
Please use a password manager!
2K notes
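An added example, not part of the original post: a local audit that flags the template reuse the post describes (same base with the site name swapped in, or the same word with character swaps). The vault contents are constructed, using the post's own example passwords plus two made-up random ones; the `.example` site names, the substitution table and the 0.6 similarity threshold are assumptions of this sketch.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Common character swaps to undo before comparing (assumed table, not exhaustive).
LEET = str.maketrans({"$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "@": "a", "5": "s", "7": "t"})

# Constructed sample vault: site -> password.
SAMPLE_VAULT = {
    "tumblr.com": "1988Tumblrmacabre!",
    "facebook.com": "1988Facebookmacabre!",
    "ticketmaster.com": "1988Ticketmastermacabre!",
    "bank.example": "$n0h0mi$hRu13z",
    "mail.example": "sn0h0mishRul13z!",
    "forum.example": "$n0h0mi$hWA",
    "shop.example": "kV9#tqZ2m!Lx7@pWc4Rd",   # stands in for a generated password
    "wiki.example": "Hy6&uBn3$eQf8*jGa1Ts",   # stands in for a generated password
}


def skeleton(site, password):
    """Reduce a password to the part a person actually memorised.

    Lowercase it, drop the site's own name if it was spliced in, undo the
    character swaps, and discard punctuation.
    """
    label = site.split(".")[0].lower()
    text = password.lower().replace(label, "")
    text = text.translate(LEET)
    return "".join(ch for ch in text if ch.isalnum())


def reuse_groups(vault, threshold=0.6):
    """Return groups of sites whose passwords share one underlying template.

    Only site names are returned, so the report never echoes a password.
    """
    skel = {site: skeleton(site, pw) for site, pw in vault.items()}
    parent = {site: site for site in vault}

    def find(x):
        # Union-find root lookup with path halving.
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(vault, 2):
        if SequenceMatcher(None, skel[a], skel[b]).ratio() >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for site in vault:
        groups.setdefault(find(site), []).append(site)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    for group in reuse_groups(SAMPLE_VAULT):
        print("same template, rotate all of these:", ", ".join(group))
```

Every site in a flagged group falls together when one of them appears in a breach, so each needs its own generated replacement.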
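An added example, not part of the original post and not Bitwarden's code: the domain check behind "only offer to fill on the saved site", next to a weak substring check that a lookalike URL defeats. `tumblr.co` and `tumblr-support.com` are the post's examples; the other URLs are constructed, and the sketch assumes the saved entry holds a plain registrable domain (a real manager consults the Public Suffix List to determine that).

```python
from urllib.parse import urlsplit


def naive_should_fill(saved_domain, page_url):
    """Weak check, shown for contrast: substring match on the raw URL."""
    return saved_domain in page_url


def should_fill(saved_domain, page_url):
    """Offer autofill only on the saved domain or one of its subdomains.

    The comparison is made on the parsed hostname, with a dot boundary,
    and only for https pages.
    """
    try:
        parts = urlsplit(page_url)
        host = parts.hostname          # already lowercased, userinfo stripped
    except ValueError:                 # malformed URL: never fill
        return False
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")
    saved = saved_domain.lower().rstrip(".")
    return host == saved or host.endswith("." + saved)


# (page URL, what the page really is) -- constructed cases.
CASES = [
    ("https://www.tumblr.com/login", "real login page"),
    ("https://tumblr.co/login", "lookalike from the post"),
    ("https://tumblr-support.com/login", "lookalike from the post"),
    ("https://tumblr.com.login.example/", "saved name used as a subdomain label"),
    ("https://tumblr.com@phish.example/login", "saved name placed in the userinfo part"),
    ("https://nottumblr.com/login", "saved name as a suffix without a dot boundary"),
    ("http://www.tumblr.com/login", "right host, but not https"),
]


def evaluate(saved_domain="tumblr.com", cases=CASES):
    """Return (url, naive_result, strict_result) for every case."""
    return [(url, naive_should_fill(saved_domain, url), should_fill(saved_domain, url))
            for url, _ in cases]


if __name__ == "__main__":
    for (url, naive, strict), (_, note) in zip(evaluate(), CASES):
        print(f"{url:45} naive={naive!s:5} strict={strict!s:5} {note}")
```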
Modern headcanons for the sawyers, if they had internet lol
TW: mentions of war, mentions of dead animals, Lots of sweet sweet cringe mentions of sexuality
Modern headcanons:
Bubba:
He watches those sensory videos of people cutting up bits of soap, along with makeup tutorials, religiously. It makes him really happy.
Definitely has scented candles and fairy lights everywhere.
His pet chicken has her own instagram account, and he treats her like a queen. She’s managed to become somewhat of an e-celebrity.
He’s probably able to talk to a degree, write and use sign-language, having gone to some sort of school, since education for those with learning difficulties has progressed a lot since the 1970s.
A brony, but fortunately of the wholesome variety that just unironically likes a television show about cute talking animals.
Overall, he doesn’t use the internet nearly as much as his chronically online older brothers, and probably shares a computer with Drayton.
Nubbins
Is a furry. There is nothing anyone can do about it, and although Drayton regularly tells him he’s a degenerate, he refers to his hands as paws. He has an extremely mangy fur suit that he made himself, out of real animal pelts, and looks like some sort of rabid dog type thing, although it's virtually unidentifiable.
Made a YouTube tutorial on how to collect the best roadkill, and promptly got roasted for it online. However, he literally doesn’t care, and just giggles whenever anyone sends him a strongly worded email.
He has been the subject of about 5 Kiwi farms threads, and has somehow managed to become a full fledged lolcow. Again, he doesn’t give a damn and is just living his best life. He’s the definition of “cringe but free.”
Definitely posts his photography on deviant art, complete with out of pocket titles like “Headcheese” and “dead skunk :D.”
For some reason he knows all of the brain rot slang there is to know, and uses it in everyday conversation, much to everybody’s chagrin. Also ends text messages with “Rawr XD.”
Robert/ Chop Top
Total emo, complete with a bizarre haircut and neon green highlights. Of course, this is just a wig; he was injured in Afghanistan, and got his head plate when he got almost blown up by a landmine. Owns a lot of kandi bracelets.
He lurks on 4Chan, and seriously believes he’s well on his way to finding Bigfoot, and pigeons are malicious government spy drones with poisonous droppings. Also occasionally trolls random people.
Instead of loving In-A-Gadda-Da-Vida, he listens to Nyan Cat on repeat.
Unfortunately, he’s also a weeb. May or may not own a body pillow, but hides it well whenever Drayton’s around. He owns at least one katana and sometimes just sits in his room making anime sounds and waving it around.
He doesn’t have a Discord kitten, he is a Discord kitten. He’s shameless, and will sell pictures of any part of his body for a few dollars. Bro is broke.
Has watched literally every shock video he can get his grubby hands on. Lemon party, Goatse, blue waffle (by the way, don’t look these up, you might need eye bleach) he’s here for it. Cackles like a maniac whilst watching, too.
Most of his search history consists of the aforementioned shock videos, “how to talk to females IRL” and “feet pics pretty.”
Drayton
“What is a mee-mee?”
Starts random beefs with other chilli competition contestants on Facebook. These get really heated, to the point of death threats.
Has been hacked about a dozen times, because his password is always “password.” He thinks this is really clever. Sometimes his brothers go onto his account, post cursed stock images and ruin his credibility.
Has like 50 tabs open on his search engine at any one time. His computer is permanently on the brink of death, but stubbornly hangs on.
#texas chainsaw massacre#the texas chainsaw massacre#headcanon#chop top sawyer#nubbins sawyer#bubba sawyer#drayton sawyer#leatherface
39 notes
This week, WIRED launched our Rogues issue—which included going a bit rogue ourselves. WIRED senior correspondent Andy Greenberg flew to Louisiana to see how easy it would be to recreate the 3D-printed gun authorities say they found on Luigi Mangione when they arrested him for the murder of UnitedHealthcare's CEO. The result? It was both easy and legal.
On Wednesday, US, European, and Japanese authorities announced the disruption of one of the world's most widely used infostealer malware. Known as Lumma, the malware was used to steal sensitive information from victims around the world, including passwords, banking information, and cryptocurrency wallet details, according to authorities. Microsoft's Digital Crime Unit aided in the operation, taking down some 2,300 URLs that served as the Lumma infrastructure.
A mysterious database containing more than 184 million records was taken down this week following its discovery by security researcher Jeremiah Fowler. The database contained 47 GB of data, which included information related to Amazon, Apple, Discord, Facebook, Google, Instagram, Microsoft, Netflix, Nintendo, PayPal, Snapchat, Spotify, Twitter, WordPress, Yahoo, and more.
In other news, the US charged 16 Russian nationals for allegedly operating the DanaBot malware, which authorities say was used in a wide variety of attacks, from ransomware to espionage. And a recent webinar revealed how a major venture capitalist helped get Starlink satellite internet activated for Israel following the October 7, 2023 attack by Hamas.
But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
The US intelligence community is looking to create a marketplace where private information gathered by data brokers under the guise of marketing can be purchased by American spies, The Intercept reports. Contracting data shows the US spy agencies intend to create an “Intelligence Community Data Consortium” that uses AI tools to sift through people’s personal data; information that the Office of the Director of National Intelligence has previously acknowledged “could facilitate blackmail, stalking, harassment, and public shaming.” In addition to providing insight into Americans’ behaviors and religious and political beliefs, commercial data frequently includes precise location information, offering the US government the ability to surveil people’s movements without acquiring a warrant—exploiting a widely recognized loophole in US privacy law.
Federal lawmakers attempted to ban the US government from buying what it calls “commercially accessible information” last year, with the Republican-controlled House passing a version of a law known as the “Fourth Amendment Is Not For Sale Act.” However, the US Senate, then controlled by the Democratic Party, rejected the legislation.
Reporting by WIRED has repeatedly demonstrated how such data can offer US adversaries the ability to monitor the movements of US military and intelligence personnel, including in and around sensitive facilities that house nuclear arms.
A Mysterious Hacking Group Is Revealed to Work for the Spanish Government
Back in 2014, Russian security firm Kaspersky announced it had discovered a sophisticated hacking group it called Careto, Spanish for “Ugly Face” or “Mask,” that had targeted victims across Europe and Cuba. Now, more than a decade later, former employees of the company have finally confirmed what Kaspersky wouldn’t spell out at the time: That they believe Careto was a rare sighting of hackers working on behalf of the Spanish government. Careto’s targets included energy companies, research institutions, and activists, but it particularly focused on Cuba, likely due to the island nation’s giving refuge to members of a Spanish separatist group designated as terrorists by several European countries. Kaspersky’s researchers found a Spanish phrase in the hackers’ malware code that translates to “I shit in the sea,” an expletive phrase typically used by Spaniards but not other Spanish speakers. Given the sophistication of Careto’s hacking, the public confirmation of Kaspersky’s attribution to Spain adds another known player to the game of high-level state-sponsored hacking.
Signal Introduces New Feature to Block Screenshots by Microsoft Recall
Microsoft’s Recall feature, which constantly takes and archives screenshots of Windows users’ activity, still represents a serious privacy problem—even after Microsoft significantly walked back its rollout in response to criticism. So the encrypted messaging app Signal has gone so far as to exploit a digital rights management feature of Windows typically used to protect copyrighted materials to block Recall from taking screenshots of the app by default on Windows machines. After all, the Recall feature—which will likely be required for some corporate or government users—will essentially remove any privacy promise from Signal’s disappearing messages feature for both Recall users and anyone communicating with them. The screenshot-prevention feature can be turned off in Signal’s settings, but it will be turned on by default in Windows. “Microsoft has simply given us no other option,” Signal wrote in a blog post.
Russia’s Fancy Bear Hackers Targeted Security Cameras to Spy on Ukraine Aid
The hacker group within Russia’s GRU military intelligence agency known as APT28 or Fancy Bear first rose to infamy for its targeting of the 2016 US election, but it’s no surprise that the group has more recently focused on Ukraine. According to a new assessment from no fewer than 11 countries’ intelligence agencies, the hacker group has been targeting a broad array of technology and logistics firms involved in providing aid to Ukraine. “Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign, the advisory reads. Perhaps most notable about the agencies’ accusations is that the hackers targeted 10,000 security cameras in countries bordering Ukraine, including at border crossings, military facilities, and train stations. According to the agencies, the GRU hackers also carried out reconnaissance of the network of at least one producer of industrial control system components for railway systems—suggesting a possible intention to attempt sabotage—but didn’t actually succeed in breaching the company.
US Indicts Russian National Over Qakbot Malware
The US Department of Justice on Thursday indicted a Russian national, Rustam Gallyamov, on allegations that he designed software that was widely used by ransomware gangs and is known to have infected hundreds of thousands of computers, netting the gangs roughly $8.6 million in profit, according to DOJ figures. Prosecutors say more than $24 million was seized from Gallyamov, 48, over the course of its investigation. Federal charges unsealed this week allege that Gallyamov himself gained access to victims’ computers and provided it to an array of cybercriminal organizations, including Dopplepaymer, REvil, Black Basta, and Cactus, among others.
The investigation into the now disrupted malware, known as Qakbot, was announced in August 2023 under former US attorney general Merrick Garland, who credited a multinational operation that included Europol and prosecutors and law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. Agencies of Canada and Denmark have also been credited in the investigation that targeted Gallyamov.
10 notes
Internet users advised to change passwords after 16bn logins exposed
Hacked credentials could give cybercriminals access to Facebook, Meta and Google accounts among others
Internet users have been told to change their passwords and upgrade their digital security after researchers claimed to have revealed the scale of sensitive information – 16bn login records – potentially available to cybercriminals.
Researchers at Cybernews, an online tech publication, said they had found 30 datasets stuffed with credentials harvested from malicious software known as “infostealers” and leaks.
The researchers said the datasets were exposed “only briefly” but amounted to 16bn login records, with an unspecified number of overlapping records – meaning it is difficult to say definitively how many accounts or people have been exposed.
Cybernews said the credentials could open access to services including Facebook, Apple and Google – although there had been no “centralised data breach” at those companies.
Bob Diachenko, the Ukrainian cybersecurity specialist behind the research, said the datasets had become temporarily available after being poorly stored on remote servers – before being removed again. Diachenko said he was able to download the files and would aim to contact individuals and companies that had been exposed.
“It will take some time of course because it is an enormous amount of data,” he said.
Diachenko said the information he had seen in infostealer logs included login URLs to Apple, Facebook and Google login pages. Apple and Facebook’s parent, Meta, have been contacted for comment.
A Google spokesperson said the data reported by Cybernews did not stem from a Google data breach – and recommended people use tools like Google’s password manager to protect their accounts.
Internet users are also able to check if their email has been compromised in a data breach by using the website haveibeenpwned.com. Cybernews said the information seen in the datasets followed a “clear structure: URL, followed by login details and a password”.
Diachenko said the data appeared to be “85% infostealers” and about 15% from historical data breaches such as a leak suffered by LinkedIn.
Experts said the research underlined the need to update passwords regularly and adopt tough security measures such as multifactor authentication – or combining a password with another form of verification such as a code texted from a phone. Other recommended measures include passkeys, a password-free method championed by Google and Facebook’s owner, Meta.
“While you’d be right to be startled at the huge volume of data exposed in this leak it’s important to note that there is no new threat here: this data will have already likely have been in circulation,” said Peter Mackenzie, the director of incident response and readiness at the cybersecurity firm Sophos.
Mackenzie said the research underlined the scale of data that can be accessed by online criminals.
“What we are understanding is the depth of information available to cybercriminals.” He added: “It is an important reminder to everyone to take proactive steps to update passwords, use a password manager and employ multifactor authentication to avoid credential issues in the future.”
Toby Lewis, the global head of threat analysis at the cybersecurity firm Darktrace, said the data flagged in the research is hard to verify but infostealers – the malware reportedly behind the data theft – are “very much real and in use by bad actors”.
He said: “They don’t access a user’s account but instead scrape information from their browser cookies and metadata. If you’re following good practice of using password managers, turning on two-factor authentication and checking suspicious logins, this isn’t something you should be greatly worried about.”
Cybernews said none of the datasets have been reported previously barring one revealed in May with 184m records. It described the datasets as a “blueprint for mass exploitation” including “account takeover, identity theft, and highly targeted phishing”.
The researchers added: “The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data.”
Alan Woodward, a professor of cybersecurity at Surrey University, said the news was a reminder to carry out “password spring cleaning”. He added: “The fact that everything seems to be breached eventually is why there is such a big push for zero trust security measures.”
5 notes
Hi. If you don't mind me asking, how exactly did you get hacked? And how did you realize it happened? It's just that it's something of an anxiety of mine, and I feel that by learning from other people it happened to, I can learn to avoid it. No worries if you don't feel like talking about it, though.
I don't honestly know for sure, but I THINK it was because my desktop computer is pretty old and has been running on a very outdated version of Windows for quite a while now. I don't normally do things like click on suspicious links or answer suspicious emails or calls or messages from bots, but I'm quite lazy about things like updating my hardware and software when the older stuff is still working fine for me. Unfortunately this eventually makes you more vulnerable to being hacked remotely, because you can't get stuff like the current security updates and support on your computer's programs and all after a bit. Over the past couple of weeks I've had someone using my Facebook account to post fake ads for cars and motorcycles on Marketplace, someone using my Steam account to list all my trading cards for sale, somebody flooding my email address to receive literally hundreds of spam emails (like signing me up for random newsletters and junk mail and so on), and somebody using my credit card to attempt to buy a big purchase for themselves on Amazon. Basically since I don't know exactly how it started and the fact that it seems to be happening on multiple of my accounts I just had to go cancel my credit card and report the fraud to my bank, change every password on every personal account I could think of and add more 2 factor authentication steps to everything, and then wipe my computer of as much personal info as possible and lock it up a bit better too. I undid all the settings like the automatically saved passwords on my browser, and I'm not leaving it connected to the internet or leaving any of my personal accounts logged in when I'm not using them anymore. The security breaches seem to have stopped with me changing these passwords and everything else, but it's definitely a very violating and annoying experience to say the least. 
I should probably be more freaked out about it than I actually am, which is kinda just feeling a bit like the exasperated Ben Affleck smoking meme instead hahaha
#for some reason i just cant be assed to get that worked up about it and im just kinda finding it funny#anyways i do understand why its a big fear but#theres nothing i can do about it already having happened so i have to just deal with it and move on#getting a new computer soon as well I GUESS#ask#anon#p
9 notes
Social Media and Privacy Concerns!!! What You Need to Know???
In a world that is becoming more digital by the day, social media has also become part of our day-to-day lives. From the beginning of sharing personal updates to networking with professionals, social media sites like Facebook, Instagram, and Twitter have changed the way we communicate. However, concerns over privacy have also grown, where users are wondering what happens to their personal information. If you use social media often, it is important to be aware of these privacy risks. In this article, we will outline the main issues and the steps you need to take to protect your online data privacy. (Related: Top 10 Pros and Cons of Social media)
1. How Social Media Platforms Scrape Your Data
The majority of social media platforms scrape plenty of user information, including your:
✅ Name, email address, and phone number
✅ Location and web browsing history
✅ Likes, comments, and search history-derived interests
Although this enhances the user experience as well as advertising, it has serious privacy issues. (Read more about social media pros and cons here)
2. Risks of Excessive Sharing Personal Information
Many users unknowingly expose themselves to security risks through excessive sharing of personal information. Posting details of your daily routine, location, or personal life can lead to:
⚠️ Identity theft
⚠️ Stalking and harassment
⚠️ Cyber fraud
This is why you need to alter your privacy settings and be careful about what you post on the internet. (Read this article to understand how social media affects users.)
3. The Role of Third-Party Apps in Data Breaches
Did you register for a site with Google or Facebook? Handy, maybe, but in doing so, you're granting apps access to look at your data, normally more than is necessary. Some high-profile privacy scandals, the Cambridge Analytica one being an example, have shown how social media information can be leveraged in politics and advertising. To minimize danger:
👍 Regularly check app permissions
👍 Don't sign up multiple accounts where you don't need to
👍 Strong passwords and two-factor authentication
To get an in-depth overview of social media's impact on security, read this detailed guide.
4. How Social Media Algorithms Follow You
You may not realize this, but social media algorithms are tracking you everywhere. From the likes you share to the amount of time you watch a video, sites monitor it all through AI-driven algorithms that learn from behavior and build personalized feeds. Though it can drive user engagement, it also:
⚠️ Forms filter bubbles that limit different perspectives
⚠️ Increases data exposure in case of hacks
⚠️ Increases ethical concerns around online surveillance
Understanding the advantages and disadvantages of social media will help you make an informed decision. (Find out more about it here)
5. Maintaining Your Privacy: Real-Life Tips
To protect your personal data on social media:
✅ Update privacy settings to limit sharing of data
✅ Be cautious when accepting friend requests from unknown people
✅ Think before you post: consider that anything shared online can be seen by others
✅ Use encrypted messaging apps for sensitive conversations
These small habits can take you a long way in protecting your online existence. (For more detailed information, read this article)
Final Thoughts
Social media is a powerful tool that connects people, companies, and communities. There are privacy concerns, though, and you need to be clever about how your data is being utilized. Being careful about what you share, adjusting privacy settings, and using security best practices can enable you to enjoy the benefits of social media while being safe online. Interested in learning more about how social media influences us? Check out our detailed article on the advantages and disadvantages of social media and the measures to be taken to stay safe on social media.
#social media#online privacy#privacymatters#data privacy#digital privacy#hacking#identity theft#data breach#socialmediaprosandcons#social media safety#cyber security#social security
2 notes
How to Hire a Social Media Hacker Safely: A Complete Guide
In today’s tech-driven world, social media accounts are more than just a place for socializing—they are gateways to personal and business data. Whether you're locked out of your account, worried about digital privacy, or need to strengthen your security, hiring a hacker might seem like a quick fix. However, it's important to approach this cautiously. In this guide, we'll explain how to safely and legally hire a social media hacker, what to look for, and the risks involved.
1. Why Hire a Social Media Hacker?
There are a variety of reasons why you might consider hiring a hacker for your social media needs. Some of the most common include:
Account Recovery: Losing access to a social media account due to hacking or forgotten passwords can be frustrating. A professional hacker can bypass recovery protocols and get you back in.
Security Audits: Ethical hackers can identify weaknesses in your social media security, helping you prevent future cyber-attacks.
Data Retrieval: For business purposes, some companies hire hackers to retrieve important information or gain insights into competitors.
While the idea of hiring a hacker might seem risky, when done ethically and legally, it can be a helpful resource in regaining control over your online assets.
2. What is a Professional Social Media Hacker?
A professional social media hacker is an expert skilled in identifying and exploiting weaknesses in social media platforms to recover accounts, enhance security, or gather data. These hackers fall into two categories:
White-Hat Hackers: Ethical hackers who work within legal boundaries. They are typically hired for account recovery, security testing, and digital protection services.
Black-Hat Hackers: Individuals who use their skills for malicious purposes, such as unauthorized access or data theft.
It's essential to make sure you're hiring a white-hat hacker to ensure the legality of their actions. White-hat hackers use legitimate methods to help you regain access or fortify your account.
3. How to Hire a Social Media Hacker
Finding a reliable social media hacker takes more than just a quick Google search. Here’s how you can find a legitimate hacker without falling for scams:
Freelance Platforms: Websites like Upwork, Freelancer, and Fiverr host professionals offering hacking and cybersecurity services. Be sure to check reviews and ask for verifiable past work.
Cybersecurity Firms: Many reputable companies specialize in ethical hacking services. Hiring through these firms ensures that you’re working with professionals who will operate within legal boundaries.
Hacker Forums: There are many online forums where ethical hackers offer their services. However, proceed with caution, as these forums can also be a breeding ground for scams.
Once you find a hacker, ask for credentials or proof of their experience with the platform you need help with, such as Facebook, Instagram, or Twitter.
4. The Benefits of Hiring a Professional Social Media Hacker
When you hire a social media hacker, you're not just gaining access to your account; you're investing in your online security and peace of mind. Here are the key benefits:
Quick Account Recovery: Forget the long, frustrating customer support routes. A professional hacker can help you regain access faster.
Improved Security: By running security checks and vulnerability assessments, hackers can help you secure your social media accounts and prevent future breaches.
Competitive Advantage: In business, accessing legally obtained data from competitors can help improve your strategies.
Hiring a hacker can be a valuable tool for both personal and professional needs, but only when done ethically.
5. Legal Risks of Hiring a Social Media Hacker
While hiring a hacker can solve a number of problems, it’s essential to understand the risks involved:
Illegal Hacking: Hacking someone else's social media account without permission is illegal and can result in serious legal consequences. Always make sure that your actions, and the actions of the hacker you hire, are within the legal framework.
Scammers: Unfortunately, there are many untrustworthy individuals who claim to be hackers but are really out to scam people. Be careful when sharing personal information, and only work with vetted professionals.
Ethical Concerns: Even if a hacker offers to retrieve information from someone else’s account, remember that doing so without consent is unethical and illegal.
Before you hire, ensure that the hacker’s actions will be lawful and ethical to avoid any legal trouble.
6. How to Protect Yourself When Hiring a Hacker
To safely hire a social media hacker, here are some best practices to follow:
Do Your Research: Take the time to verify the hacker’s credentials. Look at their previous work, ask for references, and check for any feedback from past clients.
Use Secure Communication: Always communicate securely with the hacker to protect your personal information. Avoid sharing sensitive data over unencrypted platforms.
Create a Clear Agreement: Before any work begins, have a formal contract that outlines the services to be performed and the legal limitations. This protects both parties and ensures that the work stays within ethical boundaries.
7. Hiring a Social Media Hacker: What to Expect
When working with a professional hacker, clear communication and expectations are essential. Here’s what to expect:
Transparent Pricing: The cost of hiring a hacker can vary depending on the complexity of the task. Be wary of hackers who offer extremely low rates, as they might not be legitimate.
Clear Communication: A professional hacker should explain the process clearly and answer any questions you have along the way.
Results: Whether you’re looking for account recovery or a security audit, a professional hacker should deliver results within the agreed-upon timeframe.
Conclusion: The Right Way to Hire a Social Media Hacker
Hiring a social media hacker can be an effective way to recover lost accounts, strengthen security, or gain strategic insights. However, it’s essential to hire a reputable, ethical hacker who operates within legal boundaries. By following the steps outlined in this guide, you can safely and legally hire a professional social media hacker to help with your digital needs.
2 notes
Online Privacy and Security Tips
I am a firm believer that people should be able to be anonymous and secure online. Over a lifetime of trial and error, I've slowly learned the best ways to protect myself, and I'd like to pass on that knowledge to anyone who wants to hear it.
Last updated May 2024 (added links to news articles about PimEyes being used to identify someone in real life)
Switch to Firefox for your main browser on Windows and Android
Avoid any browser based on the Chromium project (like Microsoft Edge or Google Chrome), as Google has a major conflict of interest that prevents it from truly having users' privacy interests at heart. It makes ~70-80% of its revenue from its highly targeted advertising business, for which it must collect as much information about you as possible. That means that no matter how badly certain parts of Google want to build privacy into the browser, business interests and pressure will always supersede them, or at least force a compromise that still enables some tracking. Firefox is owned and maintained by a non-profit, so it does not have that same conflict, and it shows in the features it builds (and does not build) and the way it treats its users.
I made a list of my favorite Firefox extensions if you want to make your internet experience more pleasant and/or more secure!
Note: on iOS (i.e. iPhones), Firefox' functionality is limited by Apple restrictions and I do not recommend it - using Safari with Extensions like Adguard or 1Blocker is more secure and will give you a better experience. I made a list of my favorite iOS Safari extensions too!
Use a reputable password manager
I suggest 1Password (avoid LastPass and all of the password managers built into browsers, they're not safe). A good password manager increases your online safety by:
Helping you avoid password reuse (a common cause of account hacking)
Generating complex passwords that are difficult to guess or brute-force, and
Allowing you to keep records of all the different sites you have accounts on (so you can quickly change passwords in the event of a breach or delete your accounts on them when they outlive their usefulness)
Delete old accounts you no longer need
If your data has been deleted, no one can steal and leak it if they manage to hack the company.
Sign up for alerts from HaveIBeenPwned (HIBP) to be notified when your data is leaked in a site hacking.
This allows you to quickly change your password, hopefully before anyone is able to decrypt it (if it wasn't stored properly) or use it (if it was easy to guess). If you have reused that password on other sites, be sure to change your password on those sites as well.
Note that some leaks don’t actually have any info about what website they were stolen from; if criminals just dump a huge text file onto a hacking forum that has your username and an accompanying password in it, HIBP doesn’t necessarily know what site they hacked to get that info. This is where a password manager like 1Password will come in handy, because 1P can actually use HIBP’s API to check each of your passwords and see if any of them have been leaked before. It will alert you if you need to change a specific password, even if you weren’t aware that site had been hacked.
Note: 1P only sends the first 5 characters of the password hashes to HIBP, not the passwords themselves. You can read more about the feature and how it preserves your privacy here.
Assume all profile pictures on any site are public, and avoid using your face for them if possible
New AI-powered sites like PimEyes can take an image of you, identify your face, and search for it in other, unrelated images around the internet. I searched for myself using a recent image that had never been posted to the internet before, and it immediately identified me in completely separate images I was using as my profile pictures on Facebook and LinkedIn and provided links to my accounts there. In this new AI era, assume anyone who snaps a picture of you can link you to your identity on any website where you have publicly posted your face before. This is not hyperbole; fans used PimEyes to identify a cameraman at a Taylor Swift concert using nothing more than a screenshot of a video taken of him by a concertgoer. Note: for what it's worth, you can submit an opt-out request to PimEyes if you are worried about someone using it to find your accounts online, but it requires you to submit images of your face and your government ID to the company...
Never post the same (original) image on two accounts that you do want to keep separate
Even a simple reverse image search can allow someone to link your different sites together (i.e. don't post the same vacation sunset photo on both Facebook and Tumblr because anyone can use that to link those sites together). Even if your Facebook or Instagram images are private, a follower of yours on one of those sites could still find the Tumblr you are not comfortable sharing with anyone. Marking your Tumblr as hidden only discourages search engines from indexing it; shady companies can and will ignore that and index it anyway.
16 notes
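The hash-prefix lookup mentioned in the post above (only the first 5 characters of the password hash are sent), sketched as an added example; this is not 1Password's or HIBP's own code. It follows the public Pwned Passwords range format (SHA-1, `SUFFIX:COUNT` lines); the `MockRangeServer` class, its sample passwords and counts are constructed so the lookup runs offline.

```python
"""k-anonymity breach lookup in the style of the Pwned Passwords range API."""
import hashlib
import urllib.request

PREFIX_LEN = 5   # hex characters of the SHA-1 digest that leave the client
SHA1_HEX_LEN = 40


def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines; malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != SHA1_HEX_LEN - PREFIX_LEN:
            continue
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the breach corpus.

    Only the 5-character prefix is handed to fetch_range; the comparison
    against the returned suffixes happens locally. Padding entries
    (count 0) are reported as "not found".
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix):
    """Live lookup against the public range endpoint (not used in the demo)."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 5 hex characters")
    int(prefix, 16)  # raises ValueError if the prefix is not hexadecimal
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        # Add-Padding asks the service to pad responses with count-0 entries
        headers={"User-Agent": "range-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


class MockRangeServer:
    """Constructed stand-in for the service; records what the client sent."""

    def __init__(self, leaked):
        self.seen = []    # every prefix a client has asked for
        self.index = {}   # prefix -> list of (suffix, count)
        for password, count in leaked.items():
            prefix, suffix = split_hash(password)
            self.index.setdefault(prefix, []).append((suffix, count))

    def __call__(self, prefix):
        self.seen.append(prefix)
        lines = ["%s:%d" % entry for entry in self.index.get(prefix, [])]
        lines.append("0" * 35 + ":0")   # padding entry, as with Add-Padding
        return "\r\n".join(lines)


if __name__ == "__main__":
    server = MockRangeServer({"password": 100, "123456": 50})  # constructed
    for candidate in ("password", "a long unique passphrase 7391"):
        print(candidate, "->", breach_count(candidate, server))
    print("server only ever saw:", server.seen)
```
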
Ao3 DDoS attack- an explanation
For anyone missing their fanfics (like me), this article gives a general outline of what's going on with Ao3.
For anyone hoping that they might be able to get to their fanfics soon, I suggest not getting your hopes up. Ao3 may be up in a couple hours (hopefully), but there's a possibility that it could last for several days depending on how severe the attack is, how many resources the attackers have, how Ao3 is handling this attack, and what response plans they have in place.
Some things to know if you're not familiar with DDoS attacks... it's time to use my education.
Disclaimer: I'm not affiliated with Ao3 other than being a user. I don't know what security measures they have in place, or what their security is. These are my personal, though knowledgeable, thoughts on what may be going on behind the scenes.
Also, if the idea of the DDoS attack is scaring you in any way, take a deep breath. It's going to be OK, even if my post may come across as dark (if so, I am sorry about that). It is only meant to inform and educate Tumblr users on what is going on, and what Ao3 may be doing. Do not panic just because of this post.
So, let's get started.
a. DDoS stands for Distributed Denial of Service attack. So that means the attackers are using multiple third party devices (such as other servers, botnets*) to make so many requests (think millions per minute) to the Ao3 servers that the servers use up all their resources, preventing us legitimate users from using them.
b. A slight side note- I've heard some people say that it's because of one person that Ao3 is down. It may just be one person, but setting up a DDoS attack is easier with a team. It is likely it is a group of attackers behind this- most attacks have multiple people involved in one form or another. This isn't the most relevant point I have, but just something people should know- there may be more than one attack.
c. To stop this attack, Ao3 is going to have to block all malicious traffic from reaching the servers. However, since this is a distributed attack, they are going to have to block multiple IP addresses. This is going to take some time.
d. We also have to consider if Ao3 has a response plan in place. Response plans are, as the name suggests, what the organization does in the case of an event. For Ao3, that means who they are going to contact to fix this issue. But if there isn't a response plan in place already, it's going to take longer for them to stop the attack because they're fixing this on the go, which is a difficult thing to do.
e. Once the attack has been stopped, it won't be over for Ao3, there are two more things they need to do- complete forensics to determine any possible damage to their servers and complete an After Action Review.
e1. While it is most likely that everything will be back to normal system wise after the attack has stopped, Ao3 would be smart to conduct forensics on their system to see if there are any anomalies (malware or indications of a breach). Attackers sometimes use DDoS attacks to cover their tracks when they hack into a system. Not likely here, considering the target won't have super sensitive information that an attacker wouldn't bother with trying to get. But the possibility is always there- however small.
e2. If they want to mitigate the risk of such attacks happening again, they need to complete an After Action Review (AAR). In the AAR, Ao3 is going to have to look at what happened, and determine what they can do to ensure this doesn't happen so easily again. Hopefully, this means writing up or editing and improving their response plan, improving their security measures, etc.
f. Most importantly, your information is unlikely to be compromised. The most damage you will receive is not being able to access Ao3's servers. Ao3 has said that you don't need to change your passwords if you have an account. That being said, if you have a weak password, definitely change it anyway. (like I'm talking if you're using weak passwords. See the following link for what weak and strong passwords are: https://security.harvard.edu/use-strong-passwords )
That's what I have to say for now. Again, this post is not associated with the team at Ao3, I am independent and have no insider knowledge, just knowledge from being a security student. Ao3 will likely say more in the future, so keep an eye out for it, and hopefully we'll be able to get back to our fics.
If you have any questions about this attack or general cybersecurity, my asks are open, there are comments, and I will respond to them as quickly as I can. If you are in security, and I got something here, please tell me because I do not want to spread misinformation or cause panic.
Heard from your mother (she don't recognize you), I'll be waiting for you.
*compromised computers or other devices with internet connection with malware
#ao3#cybersecurity#cyberattack#sorry this is a long post#there may be some spelling or something is written badly#i wrote this in one sitting and i barely proofread so im sorry#I will clarify if anyone is confused by anything i said#the goal is to educate anyone willing#not alarm anyone#not what i usually post but i got excited when I saw the DDoS banner on Ao3 and wrote this in an dopamine craze
15 notes
How to Recover If Your Facebook Account Is Hacked? Easy Steps
In today's digital age, social media platforms like Facebook have become an integral part of our lives. We use them to connect with friends and family, share our thoughts and experiences, and even conduct business. However, the convenience of social media also comes with security risks, and one of the most common problems users face is having their Facebook account hacked. If you find yourself in this unfortunate situation, it's essential to act quickly to recover your account and secure your personal information.
In this comprehensive guide, we'll walk you through the steps to recover your hacked Facebook account, protect your data, and prevent future breaches.
1. Recognize the Signs of a Hacked Facebook Account
The first step in recovering your hacked Facebook account is to recognize the signs of a compromise. Common indications include:
Unauthorized login notifications: Facebook sends notifications when someone logs into your account from an unfamiliar device or location.
Unusual activity: Strange posts, messages, or friend requests that you didn't initiate.
Changed password or email address: If you can't log in because your password or email address has been changed without your consent, it's a strong indicator of hacking.
Locked out of your account: If you're unable to access your account due to suspicious activity, your account may have been compromised.
2. Immediate Actions to Take
Upon suspecting or confirming a hack, take the following immediate actions:
Change your password: If you can still access your account, change your password immediately. Make it strong by using a combination of upper and lower-case letters, numbers, and symbols.
Log out of other devices: Go to Facebook's Security Settings and log out of all devices to prevent the hacker from continuing to access your account.
Enable two-factor authentication (2FA): Set up 2FA to add an extra layer of security. This usually involves receiving a code on your mobile device that you'll need to enter when logging in.
Check your email account: Ensure that your email account associated with Facebook is secure. Change its password and enable 2FA if you haven't already.
3. Report the Hacked Account to Facebook
To report your hacked account to Facebook, follow these steps:
Go to the Facebook Help Center.
Navigate to the "Security and Login" section.
Click on "I think my account was hacked or someone is using it without my permission."
Follow the on-screen instructions to secure your account and recover it.
4. Recovering Your Hacked Account
Facebook provides a dedicated recovery process for hacked accounts. Follow these steps to recover your account:
Visit the Facebook Account Recovery page.
Enter your email address, phone number, or Facebook username associated with your account.
Follow the instructions to verify your identity. You may be asked to provide a photo ID or answer security questions.
Facebook will guide you through the account recovery process, allowing you to reset your password and secure your account.
5. Check for Unauthorized Activity
Once you regain access to your account, review your activity log for any unauthorized actions, such as posts, messages, or friend requests. Remove any malicious content and unfriend or block suspicious accounts.
6. Strengthen Your Account Security
To prevent future hacks and secure your Facebook account:
Regularly update your password: Change your password at least every six months, and use a unique combination of characters for each platform.
Enable two-factor authentication (2FA): Ensure that 2FA is enabled to provide an extra layer of protection.
Review app permissions: Periodically check which apps have access to your Facebook account and remove any unnecessary ones.
Be cautious with emails and messages: Avoid clicking on suspicious links or providing personal information in response to unsolicited messages.
Educate yourself: Stay informed about common hacking techniques and scams to protect yourself better.
7. Monitor Your Account
Continuously monitor your Facebook account for any unusual activity. Facebook offers features like login alerts, which notify you of any login attempts from unrecognized devices or locations. Stay vigilant and report any suspicious activity promptly.
8. Protect Your Personal Information
Remember that hackers target personal information. Limit the amount of personal data you share on your profile, such as your phone number, address, and birthdate. Adjust your privacy settings to control who can see your posts and personal information.
Conclusion
Recovering a hacked Facebook account can be a stressful experience, but by taking swift and informed action, you can regain control of your profile and protect your data. Follow the steps outlined in this comprehensive guide, and remember to prioritize account security by regularly updating your password, enabling two-factor authentication, and staying vigilant against potential threats. With these precautions in place, you can enjoy the benefits of social media while keeping your personal information safe from hackers.
For More Information - https://www.linkedin.com/pulse/how-recover-your-facebook-account-hacked-neha-kumari
2 notes
Forty-one state attorneys general penned a letter to Meta’s top attorney on Wednesday saying complaints are skyrocketing across the United States about Facebook and Instagram user accounts being stolen, and declaring “immediate action” necessary to mitigate the rolling threat.
The coalition of top law enforcement officials, spearheaded by New York attorney general Letitia James, says the “dramatic and persistent spike” in complaints concerning account takeovers amounts to a “substantial drain” on governmental resources, as many stolen accounts are also tied to financial crimes—some of which allegedly profit Meta directly.
“We have received a number of complaints of threat actors fraudulently charging thousands of dollars to stored credit cards,” says the letter addressed to Meta’s chief legal officer, Jennifer Newstead. “Furthermore, we have received reports of threat actors buying advertisements to run on Meta.”
“We refuse to operate as the customer service representatives of your company,” the officials add. “Proper investment in response and mitigation is mandatory.”
In addition to New York, the letter is signed by attorneys general from Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Illinois, Iowa, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, Wyoming, and the District of Columbia.
“Scammers use every platform available to them and constantly adapt to evade enforcement. We invest heavily in our trained enforcement and review teams and have specialized detection tools to identify compromised accounts and other fraudulent activity,” Meta says in a statement provided by spokesperson Erin McPike. “We regularly share tips and tools people can use to protect themselves, provide a means to report potential violations, work with law enforcement and take legal action.”
Account takeovers can occur as a result of phishing as well as other more sophisticated and targeted techniques. Once an attacker gains access to an account, the owner can be easily locked out by changing passwords and contact information. Private messages and personal information are left up for grabs for a variety of nefarious purposes, from impersonation and fraud to pushing misinformation.
“It's basically a case of identity theft and Facebook is doing nothing about it,” said one user whose complaint was cited in the letter to Meta's Newstead.
The state officials said the accounts that were stolen to run ads on Facebook often run afoul of its rules while doing so, leading them to be permanently suspended, punishing the victims—often small business owners—twice over.
“Having your social media account taken over by a scammer can feel like having someone sneak into your home and change all of the locks,” New York's James said in a statement. “Social media is how millions of Americans connect with family, friends, and people throughout their communities and the world. To have Meta fail to properly protect users from scammers trying to hijack accounts and lock rightful owners out is unacceptable.”
Other complaints forwarded to Newstead show hacking victims expressing frustration over Meta’s lack of response. In many cases, users report no action being taken by the company. Some say the company encourages users to report such problems but never responds, leaving them unable to salvage their accounts or the businesses they built around them.
After being hacked and defrauded of $500, one user complained that their ability to communicate with their own customer base had been “completely disrupted,” and that Meta had never responded to the report they filed, though the user had followed the instructions the company provided them to obtain help.
“I can't get any help from Meta. There is no one to talk to and meanwhile all my personal pictures are being used. My contacts are receiving false information from the hacker,” one user wrote.
Wrote another: “This is my business account, which is important to me and my life. I have invested my life, time, money and soul in this account. All attempts to contact and get a response from the Meta company, including Instagram and Facebook, were crowned with complete failure, since the company categorically does not respond to letters.”
Figures provided by James’ office in New York show a tenfold increase in complaints between 2019 and 2023—from 73 complaints to more than 780 last year. In January alone, more than 128 complaints were received, James’ office says. Other states saw similar spikes in complaints during that period, according to the letter, with Pennsylvania recording a 270 percent increase, a 330 percent jump in North Carolina, and a 740 percent surge in Vermont.
The letter notes that, while the officials cannot be “certain of any connection,” the drastic increase in complaints occurred “around the same time” as layoffs at Meta affecting roughly 11,000 employees in November 2022, around 13 percent of its staff at the time.
4 notes
good post, one thing is that if you get a VPN from a company outside of the united states, especially in europe with GDPR laws, the states cant like request the info. or they can, but i dont think they have to give it to them. ALWAYS read the terms of service. My recs are Mullvad, Proton, and IVPN. They don't log anything(all have been audited multiple times), have gdpr laws to completely erase all data they do have you on request.
Mullvad doesn't even have usernames and passwords, it's just a login number, and you pay with cash mailed to them (or crypto, we all hate it but yes it's more anonymous than most, other payment methods also work)
A VPN however does not give you privacy, nor anonymity, nor security. It simply shields the IP that connects to things, which is useful when pirating content, getting around country-wide blocking, and not much else. What you want is Tor, and it is NOT a honeypot, dear god don't listen to that tumblr post, it's a blatant misunderstanding about how Tor works.
no matter how much privacy and anonymity you have, all of that is completely null as soon as you log in and post the illegal stuff you're doing on social media.
Texting is also private if you're not doing it on a dogshit platform like discord, which doesn't even have E2EE (RCS, iMessage, Signal, Facebook messenger, fucking twitter DMs, almost everything has end to end encryption). I'd personally recommend Signal for casual texting and another app called "Session" if it requires extreme secrecy. Entirely end to end encrypted, decentralized, and routed through Onion Networks, no usernames or passwords to identify you in case some shit leaks. SimpleX is another app which is similar, and while it's not routed through tor, it has "forward secrecy" meaning if someone hacks in or whatever they can't see any of the past messages, only new ones.
Privacy in the modern age of the internet is possible, you just have to learn. don't listen to youtube VPN sponsorships and random tumblr posts saying that shit's a honey pot just. google things. look at things for yourself. be skeptical.
don't trust anything that i said in this post. or any tumblr post. look this shit up for yourself, see discussions in reddit communities, read the privacy policies, find online resources and organizations which advocate for privacy, and then look into those to make sure that things are actually good. don't spread misinfo.
I'm sure tumblr would never, but hey. No sense tempting fate.
66K notes
Cybersecurity Nightmare: 16 Billion Passwords Leaked in Data Breach

In the largest credential leak in the history of the internet, cybersecurity researchers have uncovered a staggering 16 billion usernames and passwords exposed in a massive online data breach. This colossal trove of sensitive data includes login credentials for some of the most widely used services in the world, such as Apple, Facebook, Google, GitHub, Telegram, VPNs, and even various government platforms. The scale and organization of the leaked data have cybersecurity experts sounding alarms across the globe.
What Happened In the Biggest Data Breach?
The breach was not caused by a centralized hack on a particular company. Instead, it appears that the data is a massive, unsecured database of credentials gathered by infostealer malware.
In total, the Cybernews team discovered 30 different datasets, each containing from tens of millions to billions of records. According to Aras Nazarovas, a key researcher on the Cybernews team, the number and scale of these datasets point to a major shift in how cybercriminals operate.
According to Nazarovas,
“The increased number of exposed infostealer datasets in the form of centralized, traditional databases may be a sign that cybercriminals are moving away from alternatives that were previously popular, such as Telegram groups.”
Cybersecurity researcher Bob Diachenko of SecurityDiscovery.com confirmed the findings and emphasized that although many users see names like Apple and Google in the headlines, these companies themselves were not breached.
“There was no centralized data breach at any of these companies,” Diachenko stated. “Credentials we’ve seen in infostealer logs contain login URLs to Apple, Facebook, and Google login pages.”
A Blueprint for Cybercriminals
Researchers warn that this is more than just another breach; it’s a blueprint for cybercrime at an unprecedented scale. With credentials neatly organized and searchable, attackers can now more easily launch:
Account takeovers
Identity theft
Targeted phishing attacks
Wire fraud
Ransomware attacks
“This is not just a leak,” researchers noted. “It’s a blueprint for mass exploitation… This is fresh, weaponizable intelligence at scale.”
The credentials are not limited to one type of service. The leaked data includes logins for:
Social media accounts (Facebook, Instagram, Telegram)
Developer platforms (GitHub)
Email and communication (Google, Apple)
VPN services
Government websites
The exposure of such diverse data types indicates a lack of cybersecurity hygiene and highlights how pervasive infostealer malware has become.
Where Did the Data Come From?
According to the report, the databases were most likely compiled using various strains of infostealer malware. These malicious programs infiltrate users' devices, extract login data, and send it back to a command center controlled by attackers. The data is then compiled and, sometimes accidentally, exposed through unsecured cloud platforms.
The researchers found that most of these databases were temporarily accessible through unsecured Elasticsearch and object storage instances. This means that they could have been discovered by anyone using a simple query or scanning tool.
According to Cybernews, “unprotected databases continue to be the most common cause of data leaks.” “Many organizations still don’t understand the shared responsibility model of cloud services.”
How Bad Is It?
To put this in perspective, the global internet population is estimated to be around 5.5 billion people. Since 16 billion credentials were leaked, many people probably have multiple compromised accounts.
The fact that only one of the 30 discovered datasets had been previously reported shows how underreported and underestimated the infostealer epidemic really is.
That previously reported dataset contains 184 million records. Cybernews noted that this “barely scratches the top 20” of what their team discovered.
What Do Cyber Experts Say About This Data Breach?
Here we have gathered some of the opinions of the industry experts:
Darren Guccione (CEO, Keeper Security):
“This password leak serves as a timely reminder of how simple it is to accidentally expose sensitive data online.” Guccione warned that this may only be the beginning. He advised both consumers and businesses to invest in password management solutions and dark web monitoring tools.
Evan Dornbush (CEO, Desired Effect and former NSA cybersecurity expert):
“It doesn’t matter how long or complex your password is. When an attacker compromises the database that stores it, they have it.”
Dornbush emphasized the danger of password reuse. If a user uses the same password across multiple services, a single leak could compromise them all.
George McGregor (VP, Approov):
“This kind of massive leak is the first domino, leading to a cascade of potential cyberattacks.”
He went on to say that the leak “highlights what we already know,” which is that hackers already have access to a lot of user identities.
Javvad Malik (Lead Security Advocate, KnowBe4):
“Cybersecurity is a shared responsibility. Organizations need to protect users, and people need to remain vigilant.”
He encouraged users to use strong, unique passwords and enable MFA (Multi-Factor Authentication) wherever possible.
Paul Walsh (CEO, MetaCert):
Walsh took a different stance. He argues that it is not a shared responsibility:
“That’s pure BS from security vendors who still don't know how to protect their customers from phishing attacks and then blame people for not becoming security pros.”
He criticized the failure of user education and advocated for a more technological approach such as zero-trust URL authentication.
What Should You Do?
If you're concerned that your data may be part of the leak, here are some immediate steps you can take:
Check your email and usernames on HaveIBeenPwned.
Use Google’s Password Checkup tool to find compromised logins.
Invest in a reputable password manager like 1Password, Keeper, or Bitwarden.
Enable multi-factor authentication (MFA) on all critical accounts.
Avoid reusing passwords across multiple sites.
Keep your devices protected with anti-malware software.
Organizational Responsibility
This incident also serves as a wake-up call for companies. Organizations should:
Adopt zero-trust security models
Implement privileged access controls
Conduct regular security audits
Educate their workforce on security best practices
Secure their cloud environments to prevent accidental exposures
Guccione summarized the issue perfectly:
“The fact that the credentials are of high value for widely used services carries with it far-reaching implications. It’s time for consumers and organizations to get serious about digital hygiene.”
Final Thoughts
The leak of 16 billion credentials is not just a wake-up call; it's a deafening alarm bell. While tech companies, researchers, and governments work on long-term solutions, users must take action now to protect themselves. Don’t wait for an identity theft notification or a drained bank account.
Change your passwords. Use unique logins. Secure your devices. And stay alert. Cybersecurity is essential in today's world. It’s survival.
FAQ
1. What is a data breach?
A data breach is a cybercrime in which someone accesses, shares, or steals your private information without your consent.
2. Can I check if I’ve been in a breach?
You can check by using HaveIBeenPwned, Google Password Checkup, or Firefox Monitor.
3. What happens if I’m part of a breach?
Your accounts across different platforms and banks might be at risk. Change passwords, activate 2FA and monitor everything.
4. Is it illegal to breach data?
Data breaches are criminal acts in most countries, including the U.S.
5. What’s the safest password method today?
Using a password manager + 2FA. Even better if the site supports passkeys.
0 notes
Cybersecurity Breach 2025: Over 16 Billion Credentials Exposed – What You Should Know
The Largest Digital Security Breach of 2025
Cybersecurity Breach 2025 is officially the largest digital security breach of the year, and potentially the largest in the history of the internet. Security researchers have found that more than 16 billion usernames and passwords have been publicly leaked on the internet.
This leak is not like others, where a particular company is hacked or leaks data. This breach is the result of infostealer malware that attackers have silently installed on millions of personal devices globally.
How the Cybersecurity Breach Happened
Rather than relying on phishing emails, the infostealers collected the login information that users rely on in everyday life, without their knowledge, and then uploaded it to cloud-based databases on unprotected servers.
After that, anyone with minimal ability or resources could download credentials from these published or exposed datasets.
Affected Services: Major Platforms Compromised
Incredibly, this dataset included login credentials associated with global services that we have all used, as well as reserved services, including:
Google
Facebook
Apple
GitHub
Telegram
VPNs
Government Accounts
The Alarming Scale of the Breach
That alone is scary enough, but the fact that the data is so ubiquitous and exposed in such an organized way is alarming.
The datasets were organized like a search tool, which helps attackers. They provide preformatted login information that can be used for:
Identity theft
Phishing attacks
Ransomware attacks
And more
Cybernews Research Findings
Researchers at Cybernews identified at least 30 distinct datasets, many of which were completely vulnerable and previously unreported. This means the extent of the Cybersecurity Breach 2025 is most likely larger than what is reported above.
Why Everyone Should Be Concerned
Cybersecurity staff are sounding the alarm — these are serious security issues to contend with. No matter how strong someone's password is, it is of no use if the device is infected.
Even if someone uses the usual best practices, their data could end up in one of these databases.
Expert Recommendations to Stay Safe
Here are the top 5 tips from cybersecurity experts:
✅ Check your email account using trusted resources like HaveIBeenPwned
🔁 Change re-used passwords
🔐 Turn on Two-Factor Authentication (2FA)
📲 Consider a password manager
⚠️ Be mindful of what you click
A Wake-Up Call for Individuals and Organizations
This breach is a wake-up call not just for social media or email users, but for organizations. All organizations need to:
Implement zero-trust policies
Secure their cloud infrastructure
Educate employees on cybersecurity
Regularly audit their systems
…so future disasters like this can be avoided.
Read the Full Blog to Learn More
This blog will critically analyse:
What caused this global breach
What experts are saying about it
Who might be a victim
And importantly, what you can do immediately to protect yourself and your digital life
👉 Don't ignore this warning – read the full blog and be informed and secure.
#CybersecurityBreach2025#InfostealerMalware#CyberAttack2025#oragetechnologies#OnlineSecurity#DataProtection#PasswordLeak
0 notes
Cybersecurity Nightmare: 16 Billion Passwords Leaked in Data Breach
Hello, online pioneers! If you've been putting off cybersecurity issues with "I'll get to that later," you have a massive data breach to thank for kick-starting that process. An astounding 16 billion usernames and passwords have leaked into the wild, a credential theft of historic proportions.
What Caused This Massive Data Breach?
This massive data breach does not stem from a single company's disaster. It's an enormous collection of credentials extracted by infostealer malware and dumped into imperfect and unencrypted databases. The Cybernews investigation team identified over 30 datasets and extractions, some with millions and some with billions of records. As Aras Nazarovas, the lead investigator, puts it, "The rapid availability of exposed infostealer databases in a historically centralized database could indicate that criminals are moving away from other methods of data sharing that they typically use (i.e., Telegram groups, etc.)."
Bob Diachenko from SecurityDiscovery.com reassures us that there were no direct breaches to be found among tech giants like Apple or Google. "While we have never seen a breach centralized at any of these companies, all of the credentials we saw in the infostealer logs always had Apple, Facebook and Google login pages," he said.
The Criminal’s Toolbox Unleashed
This is not simply a leak; it’s a toolbox for cybercriminals. They can strike in any of the following areas with the credentials they gained access to:
Tax return deposits
Account takeovers
Identity theft operations
Phishing operations
Wire fraud operations
Ransomware operations
Experts are setting off alarms: “this is more than a hack, this is a blueprint for criminals to exploit multiple victims en masse... this is new, weaponized intelligence and at scale.” The data breach exposes a haphazard mix of logins for social media (Facebook, Instagram, Telegram), developer tools (GitHub), email services (Google, Apple), VPNs, government services, and even influencer courses, showing how fragile the security in place is and that a path for abuse has been created.
Where Did This Data Originate?
The culprit? Infostealer malware. These are persistent programs that infiltrate devices, harvest any stored logins, and send that data to the dark web. At times, the data instead ends up exposed in unsecured cloud environments. Cybernews traced the source of this breach to unsecured Elasticsearch repositories and object storage systems that are easily scanned with freely available tools. "Unprotected databases are still the leading cause of data breaches," they warned. "There are still a few organizations who are unaware of shared responsibility when leveraging cloud services."
The Depth of the Damage
Here is the reality: 5.5 billion people are online but there are 16 billion credentials in circulation, which means multiple accounts per person are at risk. Even worse, only one dataset, of 184 million records, was flagged prior to this report, which indicates that infostealer infections have been spreading quietly among end users. Cybernews admits they have "only scratched the surface in the top 20 of [their] findings."
What Cybersecurity Experts Are Saying About This Data Breach
Here is what the pros are saying:
Darren Guccione (CEO, Keeper Security) stated, "This password leak is a very real example how easy it is for sensitive information to inadvertently become public on the Internet." Guccione's recommendations are password managers and dark web scans.
Evan Dornbush (CEO, Desired Effect, formerly of the NSA) stated, "It does not matter how complex or long your password is. One time no matter the strength of the password you utilized, when an attacker accesses the database that we trusted our password and therefore our identity to, they have it." Evan's recommendation is not to reuse passwords.
George McGregor (VP Approov) stated, "A data breach of this magnitude, in my experience, is usually the first domino to fall leading to multiple cyberattacks," and the hacker will use the users' identities as bait.
What You Can Do
If you feel uncomfortable about your data, then consider doing the following:
Check HaveIBeenPwned for breaches involving your email addresses and usernames.
Use the Google Password Check-Up to see if your logins might be compromised.
Use a well-known password manager (1Password, Keeper, Bitwarden, etc.)
Enable multi-factor authentication (MFA) on as many of your most important accounts as you can.
Do not use the same password across various sites.
Use an anti-malware app to secure your devices.
What Corporate Leaders Can Do
This data breach is a wake-up call for companies. They must:
Employ a zero-trust security model.
Utilize privileged access controls.
Audit their security culture - all of the time.
Educate their employees on simple security best practices.
Protect their cloud from accidental exposures.
Darren Guccione says, "The significance of those credentials being from highly known, ubiquitous services cannot be overstated. This should be a wake-up call for consumers and enterprises alike to incorporate good digital hygiene practices."
To Sum Up
The 16 billion credential breach isn't just a tap on the shoulder; it is a wake-up call. While tech innovators, researchers, government officials and others race to address this breach, you need to take action now to avoid becoming a victim of identity theft or emptied accounts. Change your passwords, use unique logins, and secure your devices, and you are in control. In the wilderness of today's cyber frontier, cybersecurity is no longer an option - it's essential.
Frequently Asked Questions
What is a data breach? A data breach is a cybercrime in which a hacker obtains, disseminates, or steals your private information without authorization.
How would I know if my data has been breached? You can find out if you have been breached by using services like HaveIBeenPwned, Google Password Checkup, or Firefox Monitor.
What if I have been breached? If you have, your accounts, including bank accounts, are likely at risk from compromised passwords. Reset and change your passwords, use 2FA, and check everything afterwards.
Is breaching data a crime? It is a crime to breach data; this is nearly universal throughout the world, especially in the USA.
0 notes