(Credit: ProStockStudio/Shutterstock)

In a way, online security has its own circle of life. People create website accounts with bad passwords and no authentication checks, they get hacked, experts explain how you can protect yourself, some people listen, but we eventually circle back to old habits, and the cycle begins anew. But perhaps with over 20 million passwords now out in the wild, internet users will begin taking their personal online data more seriously.

This week, security guru Troy Hunt encountered a staggering trove of 21,222,975 passwords and 772,904,991 that was briefly available on the MEGA cloud storage service and dubbed "Collection #1." This completely dwarfs any publicly known database of stolen login credentials -- and we hope it stays that way.

SEE: Best apps for securing Android and managing privacy settings

Although the 87 gigabyte download has been removed by MEGA administrators, it was definitely downloaded multiple times and is presumably floating around now on BitTorrent and the dark web. Your passwords, email addresses and other data are now exposed to a degree that the public has not seen before, which means it's high time for you to check your danger level.

Step one is to take a pit stop at Have I Been Pwned, a free site that can check your email address against a database of its own, to see if either your email or your password has appeared in any known website breach. As Hunt points out, this website also offers a notification service to let you know about future breaches where your email address has surfaced.

If this website shows you a list of past breaches involving your email address, and you care at all about the accounts on other websites where you've used that email or password, we recommend changing those passwords as soon as you can. Even if you don't care about those accounts, you may want to also check if you have given them personal data like your home address, phone number, or credit card info.

Get a password manager app or web browser extension

Next, you should probably be using a password manager. This usually come in the form of a browser extension or a mobile app. Bitwarden (download for iOS or Android), LastPass (download for iOS or Android), and 1Password (download for iOS or Android)are all generally recommended.

With these, you only need to remember your master password. The manager can generate all your other passwords and remember them for you. Instead of typing them in, you give the manager your master password, look up the password you want to use, and click or tap on that entry to paste that password into an entry field in another app or website. This process requires more steps, but you get much stronger passwords as a result.

Plus, each of these managers has a function to check if one of its passwords has surfaced in association with a data breach.

FOLLOW on Twitter for all the latest app news.

Get on board with app-based two-factor authentication

However, as we've seen with the enormous data breach that Troy Hunt discovered, even good passwords can be intercepted by clever hackers, in which case you should add another layer: app-based two-factor authentication, or 2FA. Not all services are compatible with the app-based version of this security system, but we strongly recommend taking advantage when the opportunity presents itself.

With an app such as the Google Authenticator (download for iOS or Android), you get a six-digit code that's discarded every 30 seconds. Because of a clever time-based synchronization system, your app and the website you want to access can coordinate without needing to talk to each other. This prevents a bad actor from intercepting a code that would otherwise be sent to you via SMS text message.

When you access a service that has 2FA enabled, just enter your account name and password like usual, then the service will ask you to get the code from your app. Then enter that code, and you're in. Since only you and the service will see this code, and it's discarded every 30 seconds, a hacker will have a very hard time getting in, even if they have your account name and password.

Granted, it can be a drag to unlock your phone and grab a 2FA code from an app every time you want to log into something on another device. But after a while, you may come to appreciate the peace of mind. You're still not guaranteed to have everything locked down, but these days, being online without app-based 2FA is looking a lot like driving without a seat belt.


  • Security expert Troy Hunt stumbled upon an enormous collection of over 21 million stolen passwords on MEGA this week, by far the largest publicly known data breach so far. (The database has since been taken down.)
  • Internet users are highly encouraged to use Have I Been Pwned, a password manager, and app-based two-factor authentication to protect their online accounts.

Read more

Tom McNamara is a Senior Editor for CNET's He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer,, and He's also unreasonably proud that he's kept the same phone for more than two years.