How to protect yourself after the 16-billion-password data breach of Google, Apple and Facebook
Enable multi-factor authentication wherever possible, according to cybersecurity experts.

More than 16 billion passwords have been stolen from government platforms and popular tech companies like Facebook, Google and Apple, according to a report out last week from Cybernews. The massive data breach generated headline after headline from media outlets, causing concern among users who questioned whether their data may have been compromised.
However, these passwords have probably been accumulated over many years, maybe even decades, which means this isn’t a “fresh” batch of data, explained Chester Wisniewski, director and global field chief technology officer at the cybersecurity company Sophos.
Cybercriminals collect stolen passwords, then swap and trade them with other criminals, he said. So a cybercriminal might own a stolen database with 2 billion credentials, then add 2 million when a data breach happens. They might sell this data to a friend, who then adds another 5 million passwords when yet another data breach occurs, Wisniewski said.
“It's like a giant snowball rolling downhill, and it slowly gets bigger and bigger and bigger,” Wisniewski said.
Some of these login credentials might also be duplicates, inflating the total number of passwords that are in these datasets. That’s advantageous for criminals because if they want to sell their data, they can make it sound like the number of stolen passwords is bigger and scarier than it really is, he said.
“There’s a burgeoning black market in collecting and selling this stuff to harm your identity,” Wisniewski said.
But while these passwords may have accumulated over time, people should still learn cybersecurity best practices. “Consider this a universal wake-up call,” said Amanda Fennell, a professor of cybersecurity at Tulane University.
News about breaches often triggers “opportunistic attacks,” which means people should be mindful of phishing scams, Fennell said. Phishing is a practice where seemingly reputable forms of communication, like emails and texts, are sent to users in an effort to get them to reveal sensitive information.
“Always go directly to the official website, never click suspicious links in emails or texts,” Fennell said.
While data breaches are constantly making the news, users should feel empowered to protect their information, Wisniewski said.
“I worry about people becoming complacent because they're constantly getting notified that their information has been stolen,” Wisniewski said.
To find out if your login credentials have been stolen, you can check out the site Have I Been Pwned. To ensure your data is safe in the future, Wisniewski recommended the following based on your level of tech knowledge:
1) If you’re tech-savvy, enable multi-factor or two-factor authentication whenever it’s available, Wisniewski said. MFA (like TFA) is a process that requires you to verify your identity beyond just your username and password. You might have to provide a fingerprint, enter a PIN number, or enter a security code that expires after a set amount of time.
It’s like how ATMs will require you to both insert your ATM card and enter a PIN number, Wisniewski said.
Some big tech companies like Facebook and Google are moving toward passwordless authentication, which people should consider adopting, especially those who own a small company, Wisniewski said.
“Criminals aren't too interested in Aunt Maggie's Instagram, but they are really interested in a small business’ Instagram,” he said.
This authentication method verifies your identity by means other than a password, like facial recognition or fingerprints, on a device of yours, like a smartphone.
2) Those who are less technically savvy should consider using a password management tool, like 1Password or Bitwarden, Wisniewski said. A password manager creates and stores passwords for all your accounts, which you can access using one pass code.
“When one website is broken into, the criminals can't suddenly have a skeleton key and unlock all your accounts, so that helps,” Wisniewski said.
3) Those who are the least technically savvy should consider just writing down their passwords in a book, Wisniewski said.
“My mom didn't really even start using a computer until she was 70, and she knows how to do basic things, but isn't technical. A password manager is too complicated for her,” Wisniewski said.
Wisniewski said while some people make fun of others for writing their passwords down, they shouldn’t be shamed for doing so.
“It’s perfectly fine. Nobody breaks into your house to steal your password list. I've never heard of that crime,” he said.