How to Tell If Your Login or Passwords Have Been Stolen

Major sites get breached all the time—don't find out you've been hacked the hard way.

By Ryan Hilary

The dreaded "login leak," in which hackers steal the login information of thousands of users of a particular website, is becoming a staple of the internet age. Check the news and you’ll find reports from the last year alone of hackers breaking into half a dozen sites—including Myspace, Target, and LinkedIn—causing these sites (and others) to lose control of millions of users’ login credentials.

The problem is something of an epidemic, but unless you’re actively reading tech news about major data breaches, you might not have heard about many of the intrusions. Businesses are eager to avoid the embarrassment of admitting that their security systems have been compromised, although many do so anyway. For example, Twitter recently contacted each affected individual directly following a million-user data breach.

It's important to be cautious (without freaking out). Many of us have complete online personas linked to our physical addresses, including contact information, finances, and maybe even social security information. At best, your sensitive information may be sold to telemarketers or spammers. At worst, cybercriminals could gain access to your finances or steal your identity. Hackers may even take control of your computer.

Step 1: Do Some Googling

But given the millions of people affected by major security breaches, how can you tell if your specific information has been leaked? And what can you do about it?

You could start by running a Google search to see whether any site you use has suffered a leak. But that's hit or miss, time-consuming, and even if you find reports that one of them has been hacked, that doesn’t mean that your information was actually compromised.

Thankfully, the internet tends to fix as many problems as it causes (in the video below, imagine Homer saying "internet" instead of "alcohol" and you get the idea). Here are some tips to help you stay on top of cybersecurity.

Step 2: Find Out if You've Been Leaked

The simplest way to determine whether your information has been leaked is to visit haveibeenpwned.com. Yeah, it has a weird name (pwned comes from hacker jargon that refers to "being owned"), but it works, it’s free, and it doesn’t require you to sign up for anything.

Just type in your username or email address, and the site quickly searches the list of known breaches, reporting back to you whether you’ve been compromised and (if so) through which site. You don't need to provide any passwords or other sensitive information to this service.

Step 3: Double Check at LeakedSource

Another option is to use leakedsource.com. Both sites do more or less the same things, but they provide dual coverage—so if one site misses something, the other may not.

A quick search of my own email address revealed that I’ve had information breached at Adobe, Myspace, Last.fm, LinkedIn, and Dropbox. Yikes! What do I do about it?

Step 4: Change Your Passwords Immediately

The first thing you should do is to change your compromised password right away.

Next ask yourself, "Did I reuse that same password at any other sites?" If so, change the password there as well—and this time use a different password at each site.

One of the best rules of online security is, Make every password unique. That way, if one site is compromised, your other logins remain safe.

Juggling dozens of different logins can be a major inconvenience, of course. Thankfully, you can turn to a program designed to manage multiple passwords in a convenient way. For more on this topic, check out Choose a Password Manager to Protect Your Security.

Here's a little tip: If you use a password manager like LastPass or Dashlane (and you really, really should), these programs can warn you if you're reusing the same password on multiple sites.

Step 5: Make Yourself Safer for the Next Breach

When creating a new password, follow the advice of security experts to ensure that you choose the most secure options available.

Your new password should be 12 characters long. It should contain letters, numbers, and symbols (such as ! or ?), and it should not refer to any other information that hackers might easily access or guess. For example, don't base the password on your name, address, phone number, or pet's name.

And once you've devised a secure password, let a password manager program remember it and its fellow passwords from your other login sites.
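Steps 4 and 5 as a script, added here as an illustration and not part of the original article: it reads a password-manager CSV export, takes the list of sites a breach lookup reported, and lists every login that needs a new password. The column names, sample rows and function names are assumptions, and the 12-character rule is treated as a minimum.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The columns (site, username, password) are an
# assumption; each password manager uses its own CSV layout.
SAMPLE_EXPORT = """site,username,password
adobe.com,me@example.com,Sunshine2012
linkedin.com,me@example.com,Sunshine2012
mybank.example,me@example.com,Sunshine2012
dropbox.com,me@example.com,q7!Lm#2vRx9&
forum.example,me@example.com,v9$Tq!4zKp2#Lm
"""

def meets_step5(password, personal_terms=()):
    """Step 5 rules: 12 characters (taken as a minimum, an assumption),
    letters, numbers and symbols, and no personal information."""
    lowered = password.lower()
    return (len(password) >= 12
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password)
            and not any(t.lower() in lowered for t in personal_terms))

def audit(export_text, breached_sites, personal_terms=()):
    """Return {site: [reasons]} for each login to change. Passwords are never printed."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    sites_by_password = defaultdict(set)
    for row in rows:
        sites_by_password[row["password"]].add(row["site"])
    breached = set(breached_sites)
    findings = defaultdict(list)
    for row in rows:
        site, sharing = row["site"], sites_by_password[row["password"]]
        if site in breached:
            findings[site].append("breached")
        # Step 4: a password shared with a breached site is exposed everywhere it is used.
        exposed_via = sorted((sharing & breached) - {site})
        if exposed_via:
            findings[site].append("same password as breached " + ", ".join(exposed_via))
        elif len(sharing) > 1:
            findings[site].append("password reused")
        if not meets_step5(row["password"], personal_terms):
            findings[site].append("weak by Step 5 rules")
    return dict(findings)

if __name__ == "__main__":
    for site, why in audit(SAMPLE_EXPORT, ["adobe.com", "linkedin.com", "dropbox.com"], ["ryan"]).items():
        print(site, "->", "; ".join(why))
```

Delete the exported CSV once the audit is done, since it holds every password in plain text.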

After changing your passwords, occasionally revisit haveibeenpwned.com (or a similar site) to confirm that your login information remains secure. By staying vigilant and working to understand the threat, you can give yourself maximum protection against cybercrime.