“Should you find yourself in a chronically leaking boat, energy devoted to changing vessels is likely to be more productive than energy devoted to patching leaks.”
― Warren Buffett

Information Leak

An information leak is when your private information gets released without your permission. This can happen through an incident like a data breach. Your private information is highly valuable so it’s important to understand what you can do to protect it and what to do if your information is leaked online.

Find out more about what a data breach is

How this information gets released

The information can come from data breaches of businesses or organizations. Information leaked from breaches can be published online, and can contain information from one source, or from a range of sources.

When the details are published online, it’s not always immediately obvious where the information has come from. The companies involved may not be aware that the information is online.

Often it can be the result of a website or service suffering a security incident, and the information being stolen from their systems. This information might be sold, or publicly released online or to others. Large-scale information leaks are often traded by cybercriminals, mixed in with information from other leaks, and sold again.

Types of information

The types of information vary in each release, depending on which service the information was obtained from. It can be personal information like your name and address, or even medical or financial information. It can also be your username and password, often including email addresses. This is often called a credential dump.

The impact of an information leak also varies depending on what information was leaked. A credential dump can let someone else access your online account, or other accounts that use the same username and password. With this information, someone might use your email account to send spam or phishing emails, or access other services like your online banking.

How to protect your private information

It’s important to protect your privacy and have control over where your personal information goes and who has access to it. Taking a few simple steps can help you secure your information.

  • Only share as much information online as you need to and make sure you have strong privacy settings on all online accounts.
  • If you feel you’re being asked to provide a business or service with more private information than you feel is relevant, check what the information is being used for.
  • Use strong, long and unique passwords on your accounts. That way, if your password on one account is leaked, you only need to update that one account and your other accounts are safe.
  • Turn on two-factor authentication for all your online accounts to add an extra layer of security.

Use two factor authentication (2FA)

How to create a good password

Find out if you’re affected

If you’re concerned that some of your personal information has been released through a data breach:

  • contact the relevant business or organization to see if the breach affects any of your accounts
  • change the passwords for any accounts you think may be at risk

If your information is released

If your email address has been part of a breach, change the password for that account immediately.

Some people use patterns for their passwords to make them easier to remember. Unfortunately, this also makes them easy to guess. If you have reused a password on other accounts, or have a password pattern, change the passwords for those other accounts too. If your password for Adobe is Adobe123 and that information was part of a credential dump, attackers will go and try Twitter123 and Facebook123 with your email address.
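The check below is an added example, not part of the original advice: a small self-audit that flags passwords built from the site name (the Adobe123 pattern described above) and passwords reused across accounts. The account names and passwords in `SAMPLE_VAULT` are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: account name -> password, as you might list
# your own accounts for a self-audit. None of these are real.
SAMPLE_VAULT = {
    "Adobe": "Adobe123",
    "Twitter": "Twitter123",
    "Facebook": "Facebook123",
    "Bank": "correct-horse-battery-staple",
    "Forum": "Summer2019!",
    "Shop": "Summer2019!",
}

def template(service, password):
    """Replace the site name inside a password with a placeholder."""
    if not service:
        return password
    return re.sub(re.escape(service), "{site}", password, flags=re.IGNORECASE)

def audit(vault):
    """Return {account: [reasons]} for patterned or reused passwords."""
    by_password = defaultdict(list)
    for service, password in vault.items():
        by_password[password].append(service)

    findings = defaultdict(list)
    for service, password in vault.items():
        tmpl = template(service, password)
        # If the site name appears in the password, one leak reveals
        # the recipe for every other account that follows it.
        if "{site}" in tmpl:
            findings[service].append(f"built from the site name ({tmpl})")
        # Identical passwords: one leak opens all of these accounts.
        others = [o for o in by_password[password] if o != service]
        if others:
            findings[service].append("same password as " + ", ".join(others))
    return dict(findings)

if __name__ == "__main__":
    for account, reasons in sorted(audit(SAMPLE_VAULT).items()):
        print(f"{account}: change this password; " + "; ".join(reasons))
```

Every account it lists needs a new, unrelated password, not just the one named in the breach.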

What to do if your identity is stolen

If you’ve been a victim of identity theft, contact the police or PNGCERT.

Ways to protect your information

  • Use different passwords or passphrases for each account. Use a password manager to help keep them safe.
  • Enable two-factor authentication on your accounts.
  • Fake login pages can be very convincing. Enter the website address directly or use a bookmark in your browser, instead of following a link. This prevents fraudsters sending you to the wrong place.

Visit CERT NZ for more information.
Visit ACSC for more information.