Should You Be Worried About Breaches?

Good question. The answer is absolutely yes.

It might seem like a no-brainer, but there is a bit more to this than meets the eye. Breaches occur for a variety of reasons, and the information that is stolen or compromised usually varies as well. Sometimes it's just contact information such as emails, names, phone numbers, or addresses. In the worst case, it involves all of the above as well as your password or credentials visible in plain text, no obfuscation or encryption to be seen. In those instances, it's less about being worried, and more about changing that password anywhere and everywhere you might have used it before it becomes a skeleton key to all of your accounts.

Another type of breach might involve your email address and a version of your password called a "hash", which is where the answer to the original question becomes more complicated. Essentially, a hash is your password, except it's not ACTUALLY your password. It's scrambled using an encryption algorithm, and the key to decode that encryption is kept by the site so that the only time the password is in plaintext is when it's being used to authenticate a user. This means that, even if the attackers have access to the hashes, they won't have access to your password unless they manage to guess or steal that key to decrypt the hash.

So, in a way, that's good news. Most websites these days make use of hashes for passwords as a bare minimum, which is at least better than losing a collection of plaintext passwords in a breach, but it is still not ideal. There are different standards of encryption for hashes, with some being weaker and very easy to crack, and others being stronger and much more difficult to crack. Depending on what algorithm they use, a hash might be more cosmetic than functional, meaning that a breach that includes the hashed password is effectively a plaintext breach.

There are other methods for companies to protect the passwords they store, such as salts, which just reinforce the strength of the encryption and add a layer of complexity to make cracking it that much harder. As a consumer, you're not in control of how companies operate, so much of this is out of your hands. All that you can really do is make sure to pick services that operate with a security-oriented mindset, and make sure that you take every precaution on your end to prevent a breach in one place from also impacting you in other places.
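The gap between a weak hash and a salted, deliberately slow one, as an added example that is not part of the original article. The user names, passwords, common-password list and iteration count are constructed for illustration; MD5 stands in for a weak algorithm and PBKDF2-HMAC-SHA256 for a stronger one.

```python
import hashlib
import hmac
import os

# Constructed sample data: alice and bob happen to share a common password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#qLp9!vZ"}
COMMON_PASSWORDS = ["123456", "password", "sunshine1", "qwerty"]
ITERATIONS = 600_000  # assumed work factor for this example


def weak_hash(password):
    """Unsalted, fast hash: the same password always yields the same value."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Random per-user salt plus a slow key-derivation function."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, stored):
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(strong_hash(password, salt)[1], stored)


def exposed_by_lookup(weak_db):
    """Audit: accounts whose unsalted hash appears in a precomputed table."""
    table = {weak_hash(p) for p in COMMON_PASSWORDS}
    return sorted(user for user, h in weak_db.items() if h in table)


def demo():
    """Build both kinds of stored-credential table from the sample users."""
    weak_db = {u: weak_hash(p) for u, p in USERS.items()}
    strong_db = {u: strong_hash(p) for u, p in USERS.items()}
    return weak_db, strong_db


if __name__ == "__main__":
    weak_db, strong_db = demo()
    print("same weak hash for alice/bob:", weak_db["alice"] == weak_db["bob"])
    print("same salted hash for alice/bob:",
          strong_db["alice"][1] == strong_db["bob"][1])
    print("exposed by table lookup:", exposed_by_lookup(weak_db))
```

The salt hides the fact that two users share a password and makes a precomputed table useless, while the iteration count raises the cost of every individual guess; a common password is still the weakest link in either scheme.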

Our recommendation? Don't reuse passwords, and if a service you use is breached, change your login information immediately, even if you don't think that you need to. It's never worth the gamble, and it can save you from major headaches in the future.