Evernote recently reset every user’s password because of an intrusion in its network. The hackers reportedly accessed user names, email addresses and encrypted passwords for 50 million users, or nearly one fifth the population of the United States. Were you one of them?
Evernote. Yahoo! LinkedIn. Each week, another popular website reports it has had a password file hacked. The frequency of cyber attacks and data breaches is increasing. The bad guys are out there, attacking these and other websites you use each and every day. A Google search for “Facebook password hacking software” returns 4.5 million results!
These bad guys are not just doing this to get access to your Timeline or to see whether you have reached 500+ LinkedIn connections. Let’s not kid ourselves — their objectives are more nefarious. Hacker organisations, formal and informal, have a pre-meditated plan and are not just randomly attacking sites. Frequently, a data breach at one website provides the keys to the kingdom at another.
Increasingly, organised crime, rogue states and hacktivists use the information gathered from websites like these to target you personally, financially and at work. For example, they collect information, such as what department you work in and perhaps your colleagues’ names and email addresses, to help create spear-phishing attacks — all designed to lure you to download malware.
The next time you rush to reset a password after learning that a website you use has been compromised, consider:
- Did you use that password, or even a part of that password, for other services such as online banking? For your workplace network or remote access password? (It’s easy enough to find out where you work, isn’t it?)
- What information would the hacker gain access to if he had your password? What additional personal data is included in your account profile?
- Many sites enable you to reset your password by answering questions such as your first pet’s name or mother’s maiden name. Do you use that same authentication information at other sites? At work?
The use of passwords will not be replaced by a new improved authentication process any time soon. So what to do? You can scribble passwords down, use password vaults, or create a clever algorithm to remember them all.
While there may be many ways to manage the plethora of passwords you have, you can take just a few steps now to prevent a breach at any one website from rippling through your cyber persona elsewhere:
- Understand how each site you use stores information. Is it encrypted? Hashed?
- Understand what the impact of a breach at each site would be. Would you potentially lose money? Have your credit score impacted? Have personal information stolen that could be used elsewhere?
- Evaluate the overlap of passwords, password reset questions and other credentials at the websites you frequent and make adjustments, so that a breach at a low security website does not compromise your account at a high impact website.
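The two questions in this list (how a site stores your password, and where you have reused it) can be made concrete in a few lines of code. The example below is added here and is not from the original article: it models three ways a site might store a password (plain text, an unsalted hash, and a salted slow hash) so you can see why a breach of the first two is far more useful to an attacker at your other sites, and then runs a small reuse audit over a constructed, hypothetical list of one person's accounts, flagging any low-impact site whose password (or a large part of it, as the article warns) also protects a high-impact one. The account list, site names and the `audit_reuse` function are assumptions made for the illustration; only `hashlib` and `hmac` from the Python standard library are used.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed sample data: one user's accounts with a rough breach-impact rating.
# "impact" answers the article's question "would you lose money or have data stolen?"
ACCOUNTS: List[Dict[str, str]] = [
    {"site": "notes.example",    "impact": "low",  "password": "Sunshine2013"},
    {"site": "forum.example",    "impact": "low",  "password": "Sunshine2013"},
    {"site": "bank.example",     "impact": "high", "password": "Sunshine2013!"},  # same base + "!"
    {"site": "work-vpn.example", "impact": "high", "password": "Sunshine2013"},
]


# --- How a site might store the password (three models, worst to best) ---------

def store_plaintext(password: str) -> str:
    # Plain text: a breach hands the attacker the password itself.
    return password


def store_unsalted_hash(password: str) -> str:
    # Unsalted hash: not reversible, but identical passwords give identical records,
    # so leaks from two such sites can be matched against each other.
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str, salt: bytes = None, iterations: int = 100_000) -> str:
    # Salted, iterated hash: every record gets its own random salt, so the same
    # password looks different at every site and guessing is deliberately slow.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    # Recompute with the stored salt and iteration count; constant-time compare.
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def records_match_across_sites(storage_fn, password: str) -> bool:
    # True when two independent sites using this storage model would hold an
    # identical record for the same password (i.e. one leak "recognises" the other).
    return storage_fn(password) == storage_fn(password)


# --- Reuse audit: does a low-impact site share a credential with a high-impact one? ---

def related(a: str, b: str, min_len: int = 8) -> str:
    """Return 'identical', 'partial' (one password contains the other, and the
    shorter one is at least min_len characters), or '' if unrelated."""
    if a == b:
        return "identical"
    shorter, longer = sorted((a, b), key=len)
    if len(shorter) >= min_len and shorter in longer:
        return "partial"
    return ""


def audit_reuse(accounts: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """List (low_impact_site, high_impact_site, reason) for every credential overlap
    where a breach of the low-impact site would help attack the high-impact one."""
    findings = []
    for low in (acc for acc in accounts if acc["impact"] == "low"):
        for high in (acc for acc in accounts if acc["impact"] == "high"):
            reason = related(low["password"], high["password"])
            if reason:
                findings.append((low["site"], high["site"], reason))
    return findings


if __name__ == "__main__":
    pw = "Sunshine2013"
    print("plaintext records match across sites:", records_match_across_sites(store_plaintext, pw))
    print("unsalted-hash records match across sites:", records_match_across_sites(store_unsalted_hash, pw))
    print("salted PBKDF2 records match across sites:", records_match_across_sites(store_salted_pbkdf2, pw))
    for low_site, high_site, reason in audit_reuse(ACCOUNTS):
        print(f"{reason:9s} {low_site} -> {high_site}")
```

Running it shows that the plaintext and unsalted-hash models produce the same record at every site that uses them, while the salted PBKDF2 model does not, and the audit reports four overlaps: the two low-impact sites each share the exact password with the work VPN and a large prefix of it with the bank. Those four pairs are the ones the article's third step says to fix first.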
In the corporate world, Chief Information Security Officers know that they have to not only maintain security but also proactively focus on risk management. They accept that the surface vulnerabilities and threat vectors are so broad and diverse that “complete security” is a misnomer. Instead, their best bet is to recognise where risk is highest and focus attention on those areas and address hot spots before an incident occurs.
Similarly, we as consumers need to become risk managers. We need to understand how the sites we use handle our information, and how that might enable compromises at other sites. Like the Chief Information Security Officer, we need to be proactive in eliminating risk after we have identified how our personal data might be vulnerable.
As the Evernote breach demonstrates: there is no time like the present to get started.