The number of data leaks reported in recent months has been increasing, and with that more and more of us are likely to be feeling alarmed. As major sites such as Facebook and LinkedIn – as well as more recent competitors such as Clubhouse – fall foul of scraping and dumping of user details, we’re all beginning to wonder about the long term ramifications of ending up on a list of breached account details.
Many of the leaks reported in recent months purport to be months old, which may make some think that they’re impervious to attacks launched using them as data ages out of importance and becomes less relevant. But is that false confidence?
Should we be worried about leaked data, whenever it’s from? Does it matter whether your username and password from seven months ago or seven years ago is posted online? Does your leaked personal data have an expiration date beyond which you don’t need to worry about it being shared?
The short answer: No
In a nutshell, any data leak is a major incident and should be treated as such – no matter how old the information is. The Facebook data leak was reported as a major incident because of its size, despite the fact that the data contained dates back several years. And it’s still a concern because any kind of information cybercriminals can leverage over users is a weapon in their arsenal, and one which they can use to launch attacks against vulnerable victims.
It’s also the case that many users simply won’t update passwords or login details, even if they’ve been breached and discovered in a leaked database. Convenience is king for too many people, and changing a password to an account is seen as less important than ease of access to online services.
For those reasons, your personal data often doesn’t have an expiration date – especially if we’re talking about usernames and passwords. Of course, you could change them, which would invalidate them, but just because you’ve changed the password on that one account, doesn’t mean you have on all your accounts. Leaving one of these passwords unchanged could provide an in to a hacker looking to gain access to your data.
You can change passwords, not dates of birth
The other reason why any data breach – no matter how old – is dangerous, is because the type of information that is often contained isn’t necessarily something you can change. While passwords can be swapped out if they’re found to be vulnerable, the leaking of your date of birth, social security number, or any other kind of personally identifiable information (PII) that is permanently attached to your offline existence is less easy to alter.
Leaked personal data such as this is a gold mine for cybercriminals, and is something that is impossible to defend against or prevent. Once your date of birth, your address, or your private details are leaked, they’re out there almost permanently.
And even if your password isn’t, that kind of information is often enough to be able to access your account anyway – it may leave vital clues or breadcrumbs that allows hackers to answer security questions that enable them to gain access to your information. It’s for that reason that if any of your data has been breached – no matter how small or insignificant you think it may be – you take prompt remedial action to try and secure all your accounts. That includes those that you may no longer use. So what can you do? Add two-factor authentication, create a strong password, and be on the lookout to try and spot any attempts to access your personal information, being ready to head off the issue before it becomes too significant.