The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) has issued an alert regarding a large-scale data leak recently reported internationally. More than 16 billion sets of account password data have been made public online, covering many commonly used online service platforms such as Facebook, Google, Apple, GitHub and Telegram. According to available information, the data did not originate from recent large-scale intrusions, but from compiled databases of account passwords previously stolen by infostealer malware.
Currently, there is no evidence indicating that data related to Hong Kong users or organisations is involved, and HKCERT has not received any incident reports from local users or organisations regarding this leak. HKCERT will continue to closely monitor the impact of this incident.
Although the local risk has not yet materialised, attackers may use this data for phishing, account takeover, identity theft, ransomware, and business email compromise (BEC) attacks. HKCERT emphasises that proactive protection of personal data is urgent and calls on the public and businesses to take immediate action.
HKCERT Urgent Protection Recommendations:
This incident highlights the importance of good cyber hygiene and regular management of account credentials. Given the scale and potential threat of the incident, HKCERT recommends that users and organisations take the following measures:
- Adopt Zero Trust Security Architecture: Organisations should actively implement a Zero Trust security strategy: never automatically trust any user or device, whether inside or outside the network. Always verify identities, enforce the principle of least privilege, and continuously monitor for abnormal activities.
- Change Passwords Regularly: Regularly change passwords for all important accounts and avoid using the same password for multiple accounts.
- Enable Multi-Factor Authentication (MFA): Add multi-factor authentication to key accounts to enhance security.
- Re-login to Devices: Some leaked data includes login cookies and session tokens, which may bypass two-factor authentication. Users are advised to log out from all active devices and log in again to reduce risk.
- Monitor Account Activity: Regularly check for unusual logins to your accounts, and log out from all devices if you suspect your account has been compromised.
- Beware of Phishing Attacks: Handle suspicious emails, messages, and calls with care, and never provide personal or login information lightly.
- Use a Password Manager: Generate and store strong, unique passwords.
- Check Device Security: Conduct comprehensive antivirus and malware scans on computers and mobile devices to remove potential threats.
- Stay Informed on Cybersecurity Updates: Follow HKCERT’s latest security alerts and best practice recommendations to receive real-time threat notifications.
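Two of the measures above can be checked on the server side rather than left to each user: the "Re-login to Devices" point (a stolen session token must stop working once the account's credentials are rotated) and the "Monitor Account Activity" point (flag successful logins from an address not previously seen for that account). The following is an added example written for this page; it is not HKCERT's code, and the log line format, the `Account`/`SessionToken` field names and the sample addresses (RFC 5737 documentation ranges) are all constructed assumptions.

```python
"""Added example (not HKCERT's code): two defender-side checks drawn from the
advisory's recommendations, run over constructed sample data.

1. Session tokens issued before the account's last credential rotation are
   rejected, so a stolen cookie or token cannot keep bypassing MFA after the
   user logs out everywhere and changes the password.
2. Login records are scanned for successful sign-ins from an IP address not in
   the account's known set, the "unusual login" the advisory asks users to
   watch for.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Account:
    username: str
    # Time of the last "log out everywhere" / password change (assumed field).
    # Any session token issued before it is treated as revoked.
    sessions_valid_after: datetime
    known_ips: set = field(default_factory=set)


@dataclass
class SessionToken:
    username: str
    issued_at: datetime


def session_is_valid(account: Account, token: SessionToken) -> bool:
    """Reject a token that predates the rotation, even if it is otherwise well-formed."""
    return (token.username == account.username
            and token.issued_at >= account.sessions_valid_after)


def find_unusual_logins(log_lines, accounts):
    """Return (username, ip, timestamp) for successful logins from an IP that is
    not in the account's known set. Constructed log format:
    ISO-timestamp username ip status. Unknown accounts and failed attempts
    are skipped; the known-IP baseline is not updated automatically, because a
    flagged address should be confirmed by the user before it is trusted."""
    findings = []
    for line in log_lines:
        ts, user, ip, status = line.split()
        if status != "OK":
            continue
        acct = accounts.get(user)
        if acct is None:
            continue
        if ip not in acct.known_ips:
            findings.append((user, ip, ts))
    return findings


# Constructed sample data.
ROTATION = datetime(2025, 6, 20, 9, 0, tzinfo=timezone.utc)
ACCOUNTS = {
    "alice": Account("alice", ROTATION, {"203.0.113.10"}),
    "bob": Account("bob", ROTATION, {"198.51.100.7"}),
}
SAMPLE_LOG = [
    "2025-06-20T10:15:00Z alice 203.0.113.10 OK",
    "2025-06-20T10:20:00Z alice 192.0.2.55 OK",
    "2025-06-20T10:21:00Z bob 198.51.100.7 FAIL",
    "2025-06-20T10:25:00Z bob 192.0.2.55 OK",
    "2025-06-20T10:30:00Z carol 192.0.2.9 OK",
]
OLD_TOKEN = SessionToken("alice", datetime(2025, 6, 19, 8, 0, tzinfo=timezone.utc))
NEW_TOKEN = SessionToken("alice", datetime(2025, 6, 20, 10, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("old token accepted:", session_is_valid(ACCOUNTS["alice"], OLD_TOKEN))
    print("new token accepted:", session_is_valid(ACCOUNTS["alice"], NEW_TOKEN))
    for user, ip, ts in find_unusual_logins(SAMPLE_LOG, ACCOUNTS):
        print(f"unusual login: {user} from {ip} at {ts}")
```

The rotation timestamp is what makes "log out from all devices" effective against leaked cookies: it is compared on every request, so a token captured by an infostealer before the rotation is refused without the service having to know which tokens were stolen. The same address appearing as new for two different accounts within minutes is the kind of pattern a SOC would escalate rather than leave to individual users.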
For more information or to report cybersecurity incidents, please visit the HKCERT official website at www.hkcert.org, or call the 24-hour hotline at (852) 8105 6060.
