Here’s What Happens When Your Data Is in the Hands of a Russian Hacking Collective

A data fog.

Revelations on Tuesday about an enormous trove of stolen personal data collected by a hacking group in Russia has been making news for its sheer enormity. The New York Times and security firm Hold Security LLC report that the group has 4.5 billion sets of usernames and passwords.

There are questions about the report, though. First of all, Hold Security isn’t disclosing any of the 420,000 websites that the Russian hackers got data from. Instead, the company is offering a service for $120 that allows people to check whether any of their data has been compromised—which seems unattractively mercenary, given the magnitude of the situation. Additionally, Hold Security doesn’t really make it clear how much of the data was originally stolen by the Russian hackers as opposed to being purchased on the black market. This distinction is important, because if the hackers have just been buying up old login credentials, there’s less of a danger that the credentials will work.

Strangest of all, the Times reports that the hackers are mainly just using the credentials to hack social media accounts and spam them. Which is weird, because when criminals steal valuable things, they usually try to sell them. Or if they steal things that give them access to money they take the money. So maybe the credentials aren’t that valuable on their own.

Whatever is going on, though, the sheer enormity of the dataset makes it possible that the hackers could apply analysis to extract unusual information. For example, the credentials include 542 million email addresses, which might mean that the hackers can find multiple passwords associated with a single email address within their data, and start making more educated guesses about the types of passwords a given user tends to use.

Think about it. In the wake of information about the Heartbleed vulnerability you probably changed passwords on affected sites (you did, right?), but maybe you also still use some of those old passwords on other accounts that weren’t affected and therefore didn’t get changed. The fact that the Russian hackers have old data doesn’t necessarily mean it’s not useful since they have so freakin’ much of it.

So we’re all definitely screwed, right? Not totally! The issue here is that the traditional cybersecurity system relying on just usernames and passwords isn’t enough anymore. The key is adding extra layers of protection. Using a password manager, or at least randomly generating strong passwords, eliminating duplicate passwords used on multiple accounts, and adding two-factor (or multi-factor) authentication everywhere it’s offered are all readily available steps that can help you protect yourself.

Whether or not this turns out to be a historic hack, it’s certainly raising awareness about how important personal cybersecurity is. And it’s giving us a sense of scale of just how much data hackers can collect. As it turns out, quite a bit! But what exactly they’ll do with it remains to be seen.