CERT Estonia, the Information System Authority (RIA) organization responsible for the management of security incidents in .ee computer networks, informed nearly 200,000 Estonians via their employers that their social media passwords had been leaked.
CERT director Klaid Mägi told ERR that while it was previously known that the passwords in question had leaked as hashes, i.e. in encrypted form, the RIA found out on Wednesday that the passwords had been breached.
"Information that the passwords had leaked was received a year or a year and a half ago, and at the time we informed all institutions that hashed passwords had leaked and we must be prepared that some bad person will crack the hashed passwords and access the real passwords," Klaid recalled. "We called on everyone to change all their passwords."
Two days ago, however, CERT found out that someone had actually done exactly as they feared and cracked the hashed passwords.
According to Mägi, CERT has since once again contacted all institutions and organizations, including nearly 200,000 people, whose email addresses end in .ee.
CERT sent each institution a list of the email addresses of the specific people affected by the breach. Their warning, however, will not reach those whose usernames are not connected to Estonia, which means that the total number of those affected may actually exceed 200,000.
Anyone interested in checking whether their own social media account passwords have been leaked can do so at the CERT-recommended website haveibeenpwned.com. Mägi recommended that anyone with a social media account should do so just in case.
CERT also continues to recommend practicing good cyber hygiene and regularly changing your passwords.
A strong password is unique to each account, at least 9-10 characters long, and includes both upper and lower case letters, numbers and punctuation marks.
Editor: Aili Vahtla