Password Security For Everyone — The First Step to Staying Secure

On June 18, 2025, Cybernews researchers Aras Nazarovas and Bob Diachenko discovered thirty datasets containing a total of 16 billion exposed records across several online platforms. Records across the datasets include usernames, passwords, cookies information, tokens, metadata, and more. According to Cybernews researchers, most of the information in the datasets was collected using infostealers, credential stuffing attacks, or was exposed in previous data breaches and leaks.

This is not a data breach; this is a discovery of information that had most likely already been in circulation, was collected by some entity, and was repackaged into datasets that were exposed on the internet (BleepingComputer). The information could have been collected for legitimate reasons, like research, or could have been collected for nefarious purposes. Currently, it is unclear who owns the exposed datasets.

Regardless of why the information was compiled, Cybernews warns that unnecessarily compiling sensitive information can be extremely damaging to a company or individual. Even if the discovered datasets had been collected for legitimate purposes, unintentionally leaking the data contained in the set can be devastating for those whose information is compromised.

While one large data breach was not responsible for the leaked credentials, the security event is still massive and calls to attention the importance of good security hygiene, both on a personal and professional level. A significant portion of the leaked information was obtained using infostealers, which are pieces of malware that are designed to steal information, such as credentials and credit card numbers, from an infected device. Infostealers are often used in conjunction with other malware, and are spread through phishing emails, malicious websites, malvertising campaigns, and infected software downloads (Proton).

Infostealers have been a pervasive challenge recently. On June 23rd, 2052, HyVee had 53GB worth of sensitive data stolen by the Stormous Ransomware Group. The stolen information included Atlassian account credentials, employee information, customer information, infrastructure diagrams, and more. The attack was fueled using infostealers, with over 50 infections on HyVee employee devices. The infostealers on infected devices enabled the group to harvest Atlassian credentials, which were then used to access and steal other critical information. Stormous released a list of the information they stole, giving HyVee a 4-day ransom period. If HyVee fails to pay the group by the 4-day deadline, the information will be leaked onto the dark web.

These security incidents highlight the importance of good security posture and hygiene in the workplace and in personal life. Attackers can target anyone; adopting good cybersecurity habits only at work or only at home will not suffice. Luckily, there are some easy practices you can adopt as a business or as an individual to greatly reduce your risk of falling victim to a bad actor’s schemes.

 

Why Should You Care About Information Security?

With stolen credentials, attackers can access sensitive business information, hold accounts and information hostage, impersonate you, send convincing phishing messages to your contacts, track your online activity, sell your personal information, and more (Cybernews). If passwords are repeated across platforms, attackers can act across multiple accounts.

Any of these actions can lead to severe consequences for you or your business. If an attacker holds your accounts or information for ransom, you may need to choose between paying the attacker whatever amount they request or losing your information (such as in the HyVee case). For a business, either choice means financial loss, lost time, and loss of customer trust.

If an attacker gains access to your bank account and can impersonate you, they can drain accounts or make illegitimate purchases in your name. Should an attacker send phishing messages to your contacts from a legitimate account (such as through your Facebook Messenger or Instagram direct messages), your friends are likely to be taken advantage of, too. Lastly, if an attacker gains access to personal information like your date of birth and social security number, they can use that information to open credit cards and bank accounts or enroll in government programs using your identity.

The consequences of leaked credentials can be calamitous on a personal and business level. Recovering from identity theft is a stressful, expensive, and long process, whether you are an individual or a business. Practicing strong security hygiene is vital to staying out of attackers’ reach—the extra effort spent securing your information will be well worth avoiding the catastrophe security incidents can cause.

 

What should you do next?

Use Strong Passwords:

The first and simplest step in practicing security hygiene is to use strong, unique passwords across platforms. Reusing passwords allows hackers to access your accounts across multiple platforms, should they learn what the reused credentials are. According to NIST, the most important property of a strong password is length. Aim to create a password that is 15 characters or more. At current average computing capacity, guessing every possible combination of 15 lowercase letters would take an average computer over 500 years to complete. The time it takes to guess all character combinations increases further as complexity elements are introduced, like uppercase letters, numbers, and non-alphanumeric characters.

 

Use Passphrases:

Many people are understandably hesitant to use unique, long, and complex passwords. After all, who can possibly remember a separate 15-character password for every online platform they use? NIST suggests using “passphrases” in place of passwords. An example of a simple passphrase may be “hello lamp giraffe”. It is 16 characters long, funky enough to be easily remembered, and random enough to be hard to guess. When creating passphrases, be careful not to include personal information, or information that would be easy to guess!
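To make the "length beats complexity" argument from the two sections above concrete, here is a small added Python example (written for this page, not code from SKB Cyber, NIST, or any password manager). It computes the brute-force keyspace and entropy of a password from its length and character classes, estimates the time to exhaust that keyspace at an assumed guess rate, measures a passphrase by the number of words drawn from a wordlist rather than by its character count, and generates a random passphrase with the `secrets` module the way a good generator should. The guess rate, the 32-character symbol class and the sample wordlist are assumptions chosen for illustration.

```python
import math
import secrets

# Character-class sizes for the brute-force model (assumption: the 32
# printable ASCII punctuation characters form the "symbol" class).
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def character_classes(password: str) -> set:
    """Return the set of character classes present in a password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    alphabet = sum(CHARSET_SIZES[c] for c in character_classes(password))
    return alphabet ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; every extra bit doubles the time to exhaust it."""
    return math.log2(keyspace(password))


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from `wordlist_size` words.
    This, not the character count, is the honest measure for a passphrase:
    an attacker who suspects a passphrase guesses whole words, not letters."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Years needed to try every candidate at an assumed guess rate."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(wordlist: list, word_count: int = 4) -> str:
    """Build a passphrase with `secrets` (a CSPRNG), never with `random`."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


# Constructed sample wordlist; real generators use lists of thousands of words.
SAMPLE_WORDS = ["hello", "lamp", "giraffe", "copper", "river",
                "sandal", "quiet", "maple"]

if __name__ == "__main__":
    rate = 1e9  # assumption: one billion guesses per second
    for pw in ["a" * 15, "Summer2025!", "a" * 8]:  # constructed samples
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{years_to_exhaust(keyspace(pw), rate):.2e} years at {rate:.0e}/s")
    print("4 words from a 7776-word list:",
          round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("generated:", generate_passphrase(SAMPLE_WORDS))
```

The keyspace model is deliberately generous: it treats "Summer2025!" as one of 62-plus-symbols-to-the-eleventh candidates, when in reality a word plus a year plus a trailing symbol is one of the first patterns any cracking tool tries. That is why the passphrase function counts words drawn from a list, not characters; a phrase is only as random as the process that picked its words.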

 

Use Password Managers:

Passphrases can ease the problem of remembering passwords in some capacity, but human brains are not computers meant to store passwords and passphrases for every platform we have credentials for. Luckily, tools exist that are meant to help solve this problem. Password managers, like Keeper and Bitwarden, can store passwords in a secure central location, and usually come with the ability to generate new random passwords and passphrases. Some password managers offer dark web monitoring and will notify you if one or more of your passwords has become compromised (although this sometimes comes with an additional cost).

Note: you can visit websites like Have I Been Pwned to see if your information has been part of any data leaks that may have led to compromised credentials. It is free to use and very informative!
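The Pwned Passwords service behind Have I Been Pwned can be checked without ever sending it your password. As an added illustration (not code from SKB Cyber or from Have I Been Pwned), the Python below implements the client side of its k-anonymity range lookup: hash the password with SHA-1, send only the first five hex characters, and compare the remaining suffix locally against the returned list. The `/range/` URL is the service's real endpoint; the response body, counts and filler hashes in `SAMPLE_RESPONSE` are constructed so the example runs offline.

```python
import hashlib
import urllib.request
from typing import Callable

# Real Have I Been Pwned "Pwned Passwords" range endpoint.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_prefix_suffix(password: str) -> tuple:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that
    is sent to the service and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not found).

    `fetch_range(prefix)` must return the service's response body: one
    "SUFFIX:COUNT" line per hash sharing that prefix. The full hash never
    leaves this function, so the service learns only that the password's
    SHA-1 starts with those 5 hex characters (k-anonymity)."""
    prefix, suffix = hash_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Network fetcher for real use (not exercised by the offline demo)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "passphrase-check-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the service: a response listing the suffix
# of SHA-1("password") with a made-up count, plus two made-up filler lines.
_PW_SUFFIX = hash_prefix_suffix("password")[1]
SAMPLE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    f"{_PW_SUFFIX}:3861493\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2\r\n"
)


def fetch_range_offline(prefix: str) -> str:
    """Returns the constructed response regardless of prefix (demo only)."""
    return SAMPLE_RESPONSE


if __name__ == "__main__":
    for pw in ["password", "copper river sandal maple"]:  # constructed inputs
        print(f"{pw!r}: seen {pwned_count(pw, fetch_range_offline)} times "
              "(constructed data)")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the privacy property holds either way, because the only thing that crosses the network is the five-character prefix. A non-zero count is a signal to change that password everywhere it is used, not just on the site where you checked it.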

 

Use Physical Security Keys:

Using FIDO2 physical security keys, such as YubiKeys, is a great way to ensure account security. FIDO2 keys require physical input to log into an account—for example, a YubiKey requires that you plug the device into your computer, touch it, enter a passcode, take the device out, reinsert it, then touch it again to access your account. The process is involved and requires that you are physically present (able to insert, touch, reinsert, touch), and that you know a passcode to access the account. They are incredibly secure and a great way to keep your accounts attacker-free.

 

Use Multifactor Authentication (MFA):

MFA requires that a user present 2 or more forms of identification before being granted access to an account or information. As an example, these 2 forms of authentication can be a password and the Microsoft or Google Authenticator app. Some password managers offer the ability to act as an authenticator app, as well. With MFA enabled, an attacker will have a much harder time gaining access to your accounts and information, since the login attempt requires input from an independent device. You will also receive a notification, which will alert you to any suspicious login attempts.

NOTE: SMS messages and emails are frequently offered as options for MFA. SKB Cyber advises against using SMS or email authentication, as they can both be easily intercepted. Using a dedicated app or a physical security key is much more secure and reliable.

 

Education and Awareness:

In a business setting, educating employees on good security hygiene should be non-negotiable. Many infostealers are delivered via emails and infected downloads, which are frequently delivered as parts of social engineering attacks. Educating employees on how to avoid falling victim to social engineering attacks (and how to practice good security hygiene in general) can greatly reduce your business’s chance of becoming a victim.

Security should be baked into the policies and culture of a business. If a business has a culture of security, mistakes like clicking on a malicious link or leaving passwords written on a sticky note on a desk are much less likely to be made. Most cybersecurity practices that an individual can employ at work can also be applied in personal life. Overall, education and awareness are the first step in creating a more secure technology environment for everyone.

 

For more information or for help securing your environment, reach out to skbinfo@skbcyber.com, or fill out our contact form at skbcyber.com!
