16 Billion Passwords Leaked: Is the Local Shop's Cashier Safer Than Your Office SSO?

Welcome to Hajriah Fajar: Living Smart & Healthy in the Digital Age

16 Billion Passwords Leaked: Is the Local Shop's Cashier Safer Than Your Office SSO?

So here's the story. One day, while I was having coffee at a warung near my house, the cashier, Mbak Sri, was busy tallying up tabs while shouting, "Mas, who was it that owed money yesterday?!" and all the customers started accusing each other. Totally random. But what caught my eye was that every time she wrote down a debt, she tucked the notebook under the magic jar (the rice cooker). Seriously, under the rice cooker. No digital system. And yet, oddly, it never leaked. A debt stayed a debt; nothing suddenly turned up on the dark web.

Now compare that with the office where a friend of mine works. They have fancy authentication: SSO, alerts for logins at odd hours. But last week an email suddenly went out to every employee: "As of XX, we found your credentials in an unauthorized public database. Please change your password immediately." Great. That's the polite way of saying: "Your password leaked, boss."

And this isn't a one-off. Data from Have I Been Pwned says more than 16 billion credentials have already leaked publicly. Sixteen billion. That's like the entire world population... times two. Possibly including the deceased.

The "admin123" Password, in Use Since 2014

I was once asked to help with a small audit at an institution. Out of curiosity I checked their router settings. Admin login? "admin123". Password? "admin123". In use since... 2014. It was even changed to "admin1234" once, when there was an audit competition. Yes, to look secure.

The funny thing is, everyone knew the password, but nobody dared change it. "The system might break," they said. Honestly, I didn't know whether to laugh or cry.

Small Businesses Don't Use MFA, Yet Rarely Get Hacked?

Strange, isn't it. Small businesses (UMKM) like coffee stalls, hardware stores, laundry services... many don't even use a computer. Everything is still manual. Yet they almost never get hit by phishing or ransomware. Why? Because... there's nothing to attack. No system can be compromised when everything is still on paper.

But that doesn't mean they're safe. Sometimes a new cashier photographs the debt book for gossip material. Or the water-jug delivery guy quietly peeks into the drawer. The threats are still there. They just take a different shape. More... human.

Corporations: Complicated Logins, Still Leaking

On the other side, big offices use MFA, tokens, SMS OTP and fingerprints, and still leak. Often it isn't the system that's bad; it's the human who is too quick to click the "Your Google Ads Invoice" link even though they don't have a Google Ads account.

A true story: a finance staffer clicked a fake invoice email, entered their login details, and... boom. The company email was used to spam invoices to other clients. Reputation damaged. Trust gone. And it all started with one click.

Mitigation Doesn't Have to Be Expensive

Many people think security solutions are always expensive and complicated. In fact, there are simple steps you can apply right away:

  • Enable MFA, even if only with an app like Authy or Google Authenticator.
  • Don't use the same password for every account. Not even for throwaway accounts.
  • Try passkeys, especially for services that already support them (like Google or Apple).
  • Educate everyone on the team, even those who rarely touch a computer, about scams and fake emails.

And if you run a small shop, there's no harm in starting to learn a little about digital security. You don't need to buy a server right away. Just understand how to make a strong password, and keep your digital records somewhere safe.

A Closing That Isn't a Closing

To this day I'm still amazed. How can the data in an "all-digital" system be more vulnerable than a debt book under a rice cooker? Maybe because humans are still the weakest link. Or... maybe precisely because humans are forgotten behind systems that are too "smart".

So, before buying a fancy security system, ask first: who knows your password? If the answer is "everyone in the office," you might as well keep it under the magic jar. It's safer there.

When IT Support Is One Person, and His Name Is Pak Didi

At a small government office, I once met Pak Didi, the only person who understood the network, the printers and Microsoft Word. When he was sick, the leave system couldn't be accessed. One day the server went down because the generator ran out of diesel, and when it came time to log back in... Pak Didi had forgotten the admin password.

He had written the password on a small slip of paper stuck behind a 2019 calendar. The slip went missing when the room was renovated. In the end the entire system was reset by an outside vendor, and the vendor's bill was more than three months of Pak Didi's salary.

What's interesting is that everyone in the office just shrugged it off. "That's technology for you," they said. But it wasn't the technology's fault; it was because everything depended on one person, with no backup and no documentation.

There Are Hackers, but There Are Also Disgruntled Employees

We're quick to accuse: "This must be foreign hackers!" But sometimes the culprit is an insider. A friend of mine worked somewhere whose website got defaced. The message was just: "Salary's late again, boss!"

Turns out it was a frustrated IT staffer. He had been warning for months that the server was vulnerable, but management didn't care. So he 'hacked' the system himself to demonstrate the vulnerability. A bit edgy, but also... sad.

We're not talking about international hackers here. We're talking about organizations that too often treat security as the vendor's problem, not a shared responsibility.

"It's Not Important, It's Just Attendance Data"

Some people also like to say, "Our data isn't important, we're not a bank, not a startup." But every employee has personal data: national ID number (NIK), address, phone number, even mother's maiden name. If that gets stolen and used to open an online-loan (pinjol) account, who's responsible?

I once helped trace a fake account posing as HR. The scheme was simple: post job openings in Telegram groups, ask for complete personal data, then use it for online loans or to register SIM cards. The victims? Interns desperate for a job.

We often forget that even 'trivial' data can be used for serious things. Even an old email address you no longer use can be leveraged to reset other accounts. Our digital footprint is like a tangled thread: pull one strand and the rest comes with it.

Human Solutions, Not Just Technology

We need solutions that are human. Realistic. That understand people are sometimes tired, forget passwords, can't be bothered to open Authenticator, or don't know how to reset.

  • Teach in everyday language. Don't throw a long SOP at people like it's scripture. Use short videos, memes or real stories.
  • Internal documentation should be relaxed but clear. It can live in Notion, Google Docs or even a physical binder. As long as it's accessible in an emergency.
  • Build systems that don't make people feel stupid. If a password reset is too painful, people tend to pick easily guessed passwords.
  • Treat non-IT staff as part of the security system, not just passive end users.

And this matters: if we fail to get ordinary people to understand digital security, don't be surprised when systems keep leaking. Because the biggest enemy isn't foreign hackers. It's... laziness and lack of understanding from within.

Reflection (and a Little Self-Mockery)

I myself still often use passwords that are, let's say, so-so. Sometimes because I'm in a hurry. Sometimes because I just want to check email once. But that's the thing... small habits can become big holes.

We've all been careless. Indifferent. Thought: "Ah, it probably doesn't matter." But that's what makes 16 billion passwords leak. Not because hackers use super-advanced AI. But because ordinary people like us... haven't changed their password since 2014.

Maybe the warung cashier really isn't safer than the office SSO system. But at least she knows where she keeps the records. And who owes what.

And maybe... that's the most basic form of security: knowing who has access, knowing who can be trusted, and knowing when to change the lock.




16 Billion Passwords Leaked: Is the Local Shop’s Cashier Safer Than Your Office SSO?

So the story goes: I was sipping coffee at a tiny warung near my house when the cashier—Mbak Sri—suddenly yelled, “Who owes money from yesterday?!” and everyone looked around suspiciously. It was chaotic. But here’s the funny part: every time she recorded a debt, she stored the notebook... under the rice cooker. Yes, under the magic jar. No digital system. Yet nothing ever leaked. Everyone remembered their debts. No password dump. No dark web drama.

Compare that with my friend’s corporate job. They use fancy authentication—SSO, login alerts at odd hours. Still, last week everyone got an email: "Your credentials have been found on an unauthorized public database. Please reset your password immediately." That’s the corporate way of saying: “Oops, you’ve been pwned.”

And this isn’t some isolated issue. According to Have I Been Pwned, more than 16 billion credentials have been leaked. Sixteen. Billion. That’s like the population of Earth... times two. Maybe even includes the deceased.

Password “admin123” Since 2014

I once helped audit a small institution. Checked their router settings. Admin username? “admin123”. Password? Also “admin123”. Used since... 2014. They changed it to “admin1234” once, just for audit day. You know, to look secure.

What’s hilarious is that everyone knew the password, but no one dared to change it. “It might crash the system,” they said. I didn’t know whether to laugh or cry.

Small Businesses Don’t Use MFA, But Rarely Get Hacked?

It’s weird. Local shops, laundry places, construction supply stores... most don’t even use computers. Everything’s manual. But they rarely fall victim to phishing or ransomware. Why? Because... there’s nothing digital to exploit. You can’t hack a paper notebook.

That said, they’re not immune. Sometimes a new cashier snaps a photo of the debt book for gossip. Or a water delivery guy sneakily peeks into the cash drawer. Threats still exist—just in a more... analog form.

Corporate Systems: Complex Logins, Still Leaky

On the other side, corporations deploy MFA, SMS OTPs, fingerprints—yet breaches happen. Often it’s not the system’s fault. It’s the user who quickly clicks that "Google Ads Invoice" email... even though they’ve never used Google Ads.

True story: a member of the finance staff clicked a fake invoice email, entered credentials, and... boom. The company’s email was used to spam fake invoices to clients. Reputation tanked. Trust evaporated. All because of one click.

Security Doesn’t Have to Be Expensive

People think security is always expensive. It’s not. Try these simple steps:

  • Enable MFA—even just via apps like Authy or Google Authenticator.
  • Don’t reuse passwords, not even for trivial accounts.
  • Try passkeys, especially if your services support them (like Google or Apple).
  • Educate your team, even the offline folks, about scams and phishing.

And if you’re running a small shop, maybe it’s time to learn a bit about digital security. You don’t need to buy a server. Just know how to make strong passwords and store your notes safely.
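One cheap check that fits the list above, and the kind of thing the company in the story could have run before that "your credentials were found in a public database" email went out: look a password up in Have I Been Pwned's Pwned Passwords corpus using its k-anonymity range scheme, so only the first five hex characters of the SHA-1 ever leave the machine. This is an added example, not code from the post; it assumes Python 3 and the real endpoint's `SUFFIX:COUNT` line format, and the corpus and counts behind `constructed_lookup` are made-up stand-ins, not HIBP's data.

```python
import hashlib
from typing import Callable

# A range lookup takes a 5-hex-char SHA-1 prefix and returns the endpoint's
# body: one "SUFFIX:COUNT" line per leaked hash that shares the prefix.
RangeLookup = Callable[[str], str]

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def pwned_count(password: str, lookup: RangeLookup) -> int:
    """How many times `password` appears in the corpus, 0 if absent.
    Only the 5-char prefix is sent (k-anonymity); the remaining 35 chars
    are compared locally against the returned range, never transmitted."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        cand, _, count = line.partition(":")
        if cand.upper() == suffix:
            return int(count)
    return 0

# Constructed stand-in for the HIBP range endpoint: a tiny corpus with
# hypothetical counts (the page's "admin123" and "admin1234" included).
_CONSTRUCTED_CORPUS = {"admin123": 1200, "admin1234": 350, "password": 99999}

def constructed_lookup(prefix: str) -> str:
    lines = []
    for pw, count in _CONSTRUCTED_CORPUS.items():
        d = sha1_upper(pw)
        if d.startswith(prefix):
            lines.append(f"{d[5:]}:{count}")
    return "\r\n".join(lines)

def live_lookup(prefix: str) -> str:
    """Same shape against the real endpoint (needs network access)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    for pw in ("admin123", "admin1234", "correct horse battery staple"):
        n = pwned_count(pw, constructed_lookup)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in corpus'}")
```

Swap `constructed_lookup` for `live_lookup` to query the real corpus; a non-zero count is a password to retire, whatever its length.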

An Ending That Isn’t an Ending

To this day, I’m still amazed. How come high-tech systems leak more than a debt notebook under a rice cooker? Maybe because humans remain the weakest link. Or maybe because humans are forgotten in these too-smart systems.

So before you buy that fancy security tool, ask yourself: who knows your password? If the answer is “everyone in the office,” you might be safer stashing it under the magic jar.


Let’s talk about Pak Didi. No, not a hacker. He’s the only IT support guy in a small government office. If he’s sick, no one can file their leave. One day the server went down because the generator ran out of fuel. When the power came back, guess what? Pak Didi forgot the admin password.

He wrote it on a scrap of paper and stuck it behind a 2019 wall calendar. That calendar got thrown out during renovation. They ended up calling an external vendor to reset everything. The bill? Three times Pak Didi’s monthly salary.

Strangely, no one blamed anyone. “That’s just technology,” they said. But it wasn’t the tech’s fault—it was the system relying on a single person, with no backup and no documentation.

Sometimes It’s Not Hackers—It’s Barry from Finance

We often jump to conclusions: “It must be foreign hackers!” But honestly? Sometimes the leak is from Barry. Yes, Barry from Finance who’s been upset about his bonus. Or someone in IT who’s been ignored for months.

One of my friends worked at a place where the website got defaced. The message on the homepage? “Still no raise. System vulnerable.” Turns out, the defacer was their own IT guy. He’d warned the bosses for months. No one listened.

Not every breach is international cybercrime. Sometimes it’s frustration, burnout, or apathy within the team.

“It’s Just the Attendance Data, Who Cares?”

People often say, “We’re not a bank, our data isn’t important.” Really? Each employee record includes names, addresses, phone numbers, national ID, mother’s maiden name. In the wrong hands, that’s a goldmine.

Once I helped trace a fake HR account on Telegram. They posted job ads, asked for complete biodata, and used it to register SIM cards or borrow money via shady loan apps. Victims? Interns desperate for any job.

We underestimate how even “harmless” data can spiral into serious misuse. Old email addresses, forgotten logins—they’re all breadcrumbs that can be followed to bigger, riskier accounts.

Human-Friendly Fixes, Not Just Fancy Tech

We don’t need tech that looks cool. We need systems people actually understand. Something that respects tired employees, last-minute logins, forgotten authenticator apps, and everyday human flaws.

  • Use simple language for training. No 30-page SOPs. Use memes, short videos, or real stories.
  • Create clear documentation. Whether it’s Google Docs or printed binders—just make sure someone can find it when things break.
  • Build systems that don’t punish mistakes. If password resets are too hard, people will just use weak ones.
  • Treat non-IT staff as part of the security ecosystem, not just end-users clicking buttons.

And honestly? If we fail to help regular people understand digital security, we shouldn’t be surprised when breaches keep happening. The biggest threat isn’t foreign hackers. It’s internal indifference.

A Little Reflection (and a Gentle Roast of Ourselves)

I still use slightly silly passwords. Sometimes I’m in a rush. Sometimes I just want to log in once and leave. But hey... those small habits? That’s where it starts.

We’ve all been careless. All thought, “It’s not that important.” But that’s what fuels the 16 billion-password leak. Not evil geniuses. Just people like us, still using “admin123” since 2014.

Maybe the warung cashier isn’t exactly safer than a corporate SSO system. But at least she knows where she hides the debt book. And who owes what.

Maybe, just maybe, that’s what basic security is: knowing who has access, who you trust, and when it’s time to change the damn lock.
