Is old leak data still a problem for my accounts?

We explain why older leak data is a security risk, the dangers of forgotten accounts, and why security awareness is important when dealing with old leak data.

Reading time:
7 min
Is old leak data still a problem for my accounts?

“Oh, that’s all water under the bridge, nobody cares about that old data anymore,” is a statement you often hear from IT professionals. But this is a false conclusion. Older leak data is not irrelevant - on the contrary, it is very relevant! In this blog post, we therefore want to discuss the importance of old leak data.

The relevance of historical data

We are often asked how up-to-date our leak data is, with the comment that older data is not so relevant. Of course our data is very up to date, but we also provide information about old leak data. In this article we want to briefly explain why we do this and why we think it makes sense.

Even old data is still up to date

Just because old leaked access data has not yet been used by criminals does not mean that this cannot happen today or tomorrow. This is as true as it is banal: If I have always used my e-mail address with the same password, but unfortunately this data was leaked a long time ago, I may simply have been lucky so far. Basically, however, it is not a question of whether my account is under threat but actually only a question of when it will be actively attacked. Once a username and password combination has been leaked, like almost everything on the Internet, it can no longer be “caught” and is copied and shared without control. The number of criminal activities on the internet, including the sharing of such leaked data, is increasing steadily and a complete digital identity is usually attached to an email account in particular. Attackers are aware of this and are happy to exploit such an easy opportunity. This means that deceptive security can turn into a very unpleasant reality tomorrow.

1000 platforms - 1000 accounts - 1000 passwords?

Of course, as user, you are usually not really registered on 1000 platforms. But well over 100 accounts on different platforms can quickly add up. It doesn’t take long to sign up for a trial subscription to a newspaper using your email and password. However, you often don’t even have to sit at your desk at home to create a new account: I once created a customer account in a specialist shop for pots and pans before Christmas, just to save 10% on my purchase. If you allow yourself to be duped into doing something like this, you don’t look for your password manager in situations like this. This wouldn’t have helped me either, as the login is done via the shop’s tablet. And who wants to type in a 16-digit password?

With so many accounts and login options, it can quickly become difficult to keep track of everything, let alone set a new password for each account. It is therefore all too human to reuse passwords and forget accounts.

The danger of reusing passwords

With the amount of accounts that are all too easy to collect, passwords are often simply recycled. It is therefore not uncommon for old passwords to reappear on desks, even in a professional context. The same password is often not only used on different services, but also repeatedly over time at the same service, if one is forced to change your password.

How does this come about? Many companies have password guidelines according to which the company password must be changed every three or six months and a password may only be used again after 6 changes (i.e. in approx. 3 years). However, such regulations can lead to passwords rolling through and a password from 3 years ago being used again. In such a case, a leak that is 3 years old is of course worth just as much as a completely fresh leak.

But such password policies are not only common practice in a work context. Nowadays, there are also some websites for customer accounts where the reuse of the last passwords is prohibited when a new password is set. Depending on how strict the password guidelines are on these sites, a number, usually 1, or a special character, usually !, can simply be appended to the previously used password. In such cases, it is in any case very easy to guess the new password on the basis of an old password.

Forgotten and external accounts

But it is not only the reuse of passwords that is relevant. Old leak data can also contain access to accounts that you have already forgotten. Presumably very few Internet users have an overview of all the services they have ever used. If your own email address appears in connection with a password that you do not immediately recognise, this may well be an indication of an old forgotten account for which you have used the corresponding password.

Regardless of whether passwords are used on several platforms, are used repeatedly over the years or belong to forgotten accounts: Criminals can use this data to log into accounts and to take it over. Often it is not only the actual owner of the account who suffers, but the entire platform suffers from a loss of trust from customers and users. An old account probably has a higher reputation than a newly created one and can therefore be particularly interesting for fraudsters to target victims. For a spammer, an old account with many links on a community platform can be the best basis for a spam campaign. Last but not least, an old account still contains personal data that an attacker can use to take over other accounts or launch phishing attacks against the actual owner.

Security Awareness

In addition to the technical aspects described above, there are also awareness aspects that are interesting in connection with leaked data. First and foremost, phishing and social engineering.

Phishing attacks

Phishing is generally understood to be the sending of scam emails to make consumers click on dishonest links or send advertising material. If an email address appears in a data leak, there is a very high probability that this email address will be used more frequently for phishing campaigns, simply because this email address is already easily available and verified in lists. This means that even if all passwords have already been changed, users of the leaked data should exercise particular caution when processing their emails.

Social Engineering

Social engineering is a collective term for various techniques used to gain the trust of a target person in order to induce them to take unsafe actions. This is usually done with information about the target person that is obtained beforehand by the attacker. Access data that is no longer up to date also allows conclusions to be drawn about personal preferences, hobbies or one’s own past. If, for example, a data leak reveals that a potential victim has registered with a stock exchange forum, a criminal can use this data to quickly establish a basis of trust. Similar to phishing attacks, those affected by data leaks are also particularly predestined for such attacks and should be especially careful in their communication.

Conclusion

Generally dismissing older data as irrelevant is usually not beneficial for a personal security but also for a company’s IT security. Identeco supplies all known leak data with its products - especially older data. Because even if leak data is older, it still has a certain relevance for various reasons, even if you have already changed all your known passwords. Be it due to password reuse or because you have forgotten older accounts. Either way, if your own data is circulating in criminal circles, you should be aware of this and be more careful with your external communications.

The illustration shows a box, which is subtitled 'Leaklist' and is intended to symbolise such a list. Arrows point to the right and left of this box. The arrow pointing to the left indicates a recycle symbol and a key next to it. Underneath is the text 'Passwords are usually used across accounts'. The arrow pointing to the right points at two envelopes positioned on top of each other. Next to the top envelope is a criminal icon and the text 'For Social-Engineering'. Next to the lower envelope is a 'Caution' sign and the text 'For Phishing-Attacks'. Arrows point diagonally downwards from the recycle icon and the envelopes to the bottom centre of the image and point to a 'Caution' sign, under which the text 'Attack with old access data, therefore also possible years later' can be read.

Contact an Expert

Do you have any further questions or need specific help? Write us a message or arrange a meeting directly.

Show more

Get to the blog