FBI reveals 630 million stolen passwords.

getty

Updated December 15 with hands-on details of password manager application tools that can help check for compromised credentials following reports of a LastPass data breach caused by security failures and a no password required attack confirmed by Google, alongside the original reporting of the 630 million passwords revealed by the FBI following device seizures from a single hacker.

Just when you thought things couldn’t get any worse in terms of cybersecurity bad news this week, the FBI has revealed a staggering database of 630 million compromised passwords from multiple devices seized from a hacker. Here’s what to know and how to check if your passwords are on the danger list.

ForbesMicrosoft Worm Attack Warning — Act Rapidly And Change Passwords NowBy Davey Winder

FBI Finds 630 Million Stolen Passwords On Seized Hackers’ Devices

Troy Hunt, the creator of the ingenious Have I Been Pwned and Pwned Passwords services, has confirmed that the Federal Bureau of Investigation has handed over a staggering list of 630 million compromised passwords to add to the HIBP database of 17 billion compromised accounts. The FBI has been sending Hunt compromised passwords for four years, as uncovered during the course of cybercrime investigations, but what’s concerning and almost unbelievable in equal measure is that the latest haul is from a single hacker.

“This latest corpus of data came to us as a result of the FBI seizing multiple devices belonging to a suspect,” Hunt said, adding that ”the sheer scope of cybercrime can be hard to fathom, even when you live and breathe it every day.” To which I can only say, indeed it is.

It seems that the hacked passwords have come from open and dark web marketplaces, Telegram channels and, inevitably, infostealer attacks.

All of which means, of course, that not all of the 630 million credentials handed over to Hunt are going to be fresh to market, as it were. And, indeed, that appears to be the case following an initial HIBP team analysis: “We hadn’t seen about 7.4% of them in HIBP before,” Hunt confirmed, “which might sound small, but that’s 46 million vulnerable passwords we weren’t giving people using the service the opportunity to block.”

Forbes41 Microsoft Zero-Days — Now Millions Of Users Face Update ChoiceBy Davey Winder

FBI Stolen Credentials Handover: How To Check If Your Passwords Are On The List

The good news is that all of the stolen credentials, all those compromised passwords, are now searchable from a single location, which leaves you a second or two away from discovering if any of yours are included.

Head to the Pwned Passwords service, and enter your password. Don’t worry, it’s perfectly safe and won’t put your passwords in any danger, just the opposite in fact. “No password is stored next to any personally identifiable data such as an email address,” Hunt said, “and every password is SHA-1 hashed.”

Most importantly, do it now so you can change any passwords that are already compromised before your accounts fall victim to credential-stuffing attacks. I would also recommend that you use a password manager. Oh, and enable passkeys on any accounts that support them. Then there’s the small matter of activating two-factor authentication on all your accounts as well. Stay safe, even when the FBI finds the next big stolen password haul. It’s only a matter of time.

ForbesHas Your Gmail Password Been Hacked? Check Now, Here’s HowBy Davey Winder

Don’t Ignore This FBI Discovery — Use A Password Manager Now

OK, so I’ve already said you should use a password manager, but is that safe? It’s a question I get asked all the time, especially after I have published reports about a password manager data breach, or the latest hack attacks. My answer is always the same: yes, absolutely. There is never any doubt in my mind, as an old hacker myself, and for good reason: password reuse and weak passwords make the life of a hacker so much easier. Believe me. The two are most certainly not mutually exclusive, quite the opposite, in fact. People use weak passwords because truly random, truly complex, truly strong ones are almost impossible to remember unless you are some kind of memory savant. Not totally so, of course, I know my 25+ character random master password that unlocks my password manager vault off by heart. I couldn’t actually tell you what it is without a keyboard in front of me, as it’s a muscle memory thing, at least that’s what I call it. I only need to remember the first five characters, and the rest just follow automatically. But even that password would not be considered strong in any way if I were to then refuse it across all my accounts because if one got compromised, then they all get compromised.

Using A Password Manager To Check For Compromised Credentials, From The FBI Or Not

Although I prefer standalone apps over browser-based ones, if you are a fully committed Google ecosystem user, then the chances are that you are already making use of the Google Password Manager for Chrome. This is no bad thing from the user experience perspective, and ease of use, including no interruption to your work or leisure flows is important in making better security more popular with the general public, and thankfully also opens the doors to the Google password checkup tool. This will, you’ll be glad to hear, not only check your saved passwords against any compromised credentials found in databases on the dark web and in other collections, but also go the extra mile and warn you if you are using any across multiple accounts, please don’t do that, or are weak, and so at risk from credential stuffers or brute force hack attacks.

If you are an iPhone user, however, and like the free Apple passwords app, then this will also keep an eye on your password exposure for you. The Detect Compromised Passwords feature reveals if any of your passwords have been compromised in a data leak, without disclosing your accounts or passwords to Apple. You will get a warning notification for any determined as possibly having been included in a data leak. Apple said that “your actual passwords are never shared with Apple, and Apple does not store the information calculated from your passwords.”

Third-party password manager apps such as 1Password, which use the Have I Been Pwned database for compromised credential checking, also make this easy. The 1Password WatchTower feature provides a password security audit dashboard to the user in a single window. This reveals an overall password score, which you can probably ignore as these sorts of gimmicks don’t really account for much in terms of actual, actionable intelligence. Ditto the overall password strength meter, as you will already know that on an individual basis, as they are created anyway. However, the panes of the dashboard that show the numbers of, and links to more information about, compromised websites you have accounts with, reused passwords, weak passwords, unsecured websites, and inactive two-factor authentication, most certainly are.

I’m something of a Proton ecosystem fan, truth be told, and have gradually replaced Gmail with Proton Mail, other Virtual Private Network apps with the Proton VPN, Google Calendar with Proton Calendar and so on. The full Proton suite also has a password manager app called, unsurprisingly, Proton Pass. This also comes with a Pass Monitor function that includes dark web monitoring to check if your personal information has been leaked in a data breach impacting a third-party service, as well as a weak and refused passwords audit.

Ultimately, though, it relly doesn’t matter which password manager you use, provided you are using one and it is from a trusted vendor. I always recommend standalone managers and apps rather than ones that are part of a web browser, as I prefer some level of separation between the two. But something like Apple Passwords, which comes free with iOS and macOS, is just as good a recommendation as the commercial 1Password application, in my opinion. Don’t let this latest FBI warning go to waste; use it as an opportunity to up your password game, and that means setting up a password manager. It is easy and quick to do, and once done means your password usage is significantly more secure.

ForbesGoogle Confirms Critical No Password Required Attack — Act NowBy Davey Winder

Samsung may be preparing to step away from SATA SSD production. According to multiple industry reports, the company is planning a long-term exit from SATA SSD manufacturing starting next year.

YouTuber Moore’s Law Is Dead (MLID) says several sources have told him Samsung will end SATA SSD production entirely after it fulfills existing contracts.

SATA SSDs can feel like older technology as more new laptops and desktops rely on faster NVMe storage. High-end systems have also moved to SAS (Serial Attached SCSI).

Still, SATA SSDs remain common in 2025. They continue to see demand in budget PCs, external storage, and upgrades for older machines. Retail channels also continue to sell SATA SSDs in large numbers.

Samsung is one of the largest suppliers of finished consumer SSDs. MLID says Samsung-made SSDs make up a significant portion of top-selling products on major online retailers, with roughly one-fifth of those listings still using the SATA interface.

If Samsung removes that supply, the impact may extend beyond one product category. The report suggests the move could tighten availability across the broader SSD market, including NVMe drives.

The report lands as memory pricing faces pressure. Samsung has reportedly raised DDR5 memory prices by as much as 60% recently. Micron has also decided to halt its consumer memory business to focus on supplying memory for high-powered AI chips.

The reports suggest end consumers are likely to feel the effects the most.

For now, Samsung has not made anything official. But if the company does exit SATA SSDs, the report suggests SATA drives could become more expensive and harder to find than many expect.

Pakistan continues to rank at the top globally in searches related to indecent content, despite no longer leading in actual viewership, Director General Pakistan Telecommunication Authority (PTA) Dr. Muqarram Ali said while addressing a cybersecurity seminar at the Sustainable Development Policy Institute (SDPI).

He said that following PTA’s actions, including large-scale blocking of indecent websites, a clear impact has been observed, and Pakistan is no longer at the top in terms of viewing such content. He added that Pakistan had previously ranked highest in viewership, but sustained enforcement measures have moved the country down from that position.

Speaking at the event, Dr. Muqarram Ali said the PTA is actively working on online child protection and has blocked around 1.3 million indecent websites. He stated that the authority only blocks immoral and unethical material and does not act proactively to shut down websites on its own.

He further said that the PTA often receives contradictory court orders, with one court directing the blocking of a platform while another ordering that it should not be blocked. He added that the authority is bound to follow the prescribed legal and administrative system in such cases.

Referring to the temporary blocking of Wikipedia, the PTA chief said the move triggered an international reaction, after which an inter-ministerial committee was formed to review the issue. He said that the PTA blocks websites strictly on government directives, noting that similar instructions were also issued during previous governments.

Highlighting cyber security developments, Dr. Muqarram Ali said Pakistan has emerged among the top countries in cyber security preparedness. He claimed that during the Pak-India conflict in May, Pakistan won the cyber war and that not a single Pakistani website was taken offline. He also clarified that the PTA does not collect mobile taxes, stating that this responsibility lies with the Federal Board of Revenue (FBR).