New cybersecurity breach: 1.2B usernames and passwords

I read this at FNC:

‘Staggering’ data breach of 1.2B usernames and passwords could worsen

The massive data breach revealed this week could be even worse than initially feared, warns a cybersecurity expert.

Citing records discovered by security specialist Hold Security, The New York Times reported on Tuesday that a Russian crime ring has managed to gain access to more than a billion stolen Internet credentials. The stolen credentials include 1.2 billion password and username combinations and more than 500 million email addresses, according to Hold Security, which describes the breach as potentially the largest ever.

This, however, could be just the tip of the iceberg, according to Richard Martinez, a Minneapolis-based cybersecurity and privacy attorney with Robins, Kaplan, Miller & Ciresi. “The potential target zone of companies that are affected by this is much larger than the ones initially impacted by the breach,” he told FoxNews.com.

Martinez explained that, with many consumers re-using their passwords, hackers could potentially access data from even more companies and organizations. “As staggering as the scale of this is right now, it may well be much larger.”

Hold Security identified 1.2 billion “unique” stolen credentials consisting of both a username and a password. However, the Milwaukee-based security specialist says that the gang amassed a total of 4.5 billion records, stolen from more than 420,000 web and File Transfer Protocol (FTP) sites.

[...]

Scary.

What do you do to keep your identity safe? Do you use strong passwords? Do you change your passwords? How often?

I am looking for new strategies for handling passwords and I bet there are some pretty well-informed readers out there. Also, for a while now I have used the service LifeLock, which has been helpful.

I have an affiliate program with Lifelock. If you are thinking about using it, click below.

So, what is your SOP to handle your online identity?


About Fr. John Zuhlsdorf

Fr. Z is the guy who runs this blog. o{]:¬)
This entry was posted in "How To..." - Practical Notes, Global Killer Asteroid Questions, The Coming Storm, The future and our choices.

20 Responses to New cybersecurity breach: 1.2B usernames and passwords

  1. majuscule says:

    I don’t use the same username and password over and over, that’s for sure!

  2. Mojoron says:

    I like 1 Password for my online security. I also use a Mac and they have a built-in system in the new OS, but since I have been using 1 Password I’ve stuck with it. 1 P also works on other iOS devices.

  3. Apart from not reusing passwords, I simply avoid generating them in the first place. As an example, while I find this blog useful and worth the risk, I don’t have an avatar here because that would require me to sign up with an additional web site, generating one more user name and password combination. I have to give up things and I often find myself frustrated, but I have to limit my risk. I long ago decided that I am not going to die with 10,000 user names and passwords scattered on various web sites. I also avoid using the same e-mail address at multiple web sites if I can so that I can track what is going on with them. Even at that, I have been concerned about getting spam on addresses that only one web site is supposed to have– that is a strong indicator that such a web site has been hacked, or that someone there sold or gave the e-mail addresses to a third party. Internet is one big, bad, lawless neighborhood.

  4. papaefidelis says:

    The very concept of cybersecurity is a farce. Imagine, if you will, a seemingly impenetrable fortress, surrounded by razor wire and a moat filled with hydrochloric acid. However, a backdoor is always left open because the duke of Nonesuch, who owns the castle, has a peculiar habit of losing his keys. Built into every application and system are ways of gaining access, since folks, like great-aunt Hazel, tend to forget their passwords. Some means of access are simple (many BIOS makers build in default “fail-safe” passwords, in case the user creates a BIOS password and forgets it), some are more obtuse; still, there are alternate ways of accessing almost anything. Until such ways of gaining access are removed and folks take responsibility for accessing their information or losing it forever, applications and systems will remain vulnerable. Changing passwords is like continually changing the locks on your doors. It may help you feel safe but the burglars really don’t care about locks and keys, to be honest. “Computer

  5. JohnE says:

    I have several passwords I use of varying strength depending on what it’s protecting, but I know I should do better. I changed several of them after the Heartbleed incident, but I really don’t change them, like I do for systems at work which do not have as much exposure. I’ve been meaning to look into LastPass to manage passwords (https://lastpass.com/) but I’ll look at LifeLock as well.

  6. iamlucky13 says:

    A strong password is always a good idea to protect against guessing or brute force hacking attempts (but a limited number of tries allowed by a service also makes those methods impractical), but the case at hand is about compromised passwords. A strong password does not protect you if you used that password on a compromised site.

    In that case, you simply have to change your password.

    For sites where my credentials being compromised cannot harm me, like discussion sites, I have a password I re-use so it’s easy to remember. For sites where credentials being compromised can harm me, like email and bank sites, I have separate passwords.

    Also, use an antivirus program and allow it to autoupdate. Viruses that log keystrokes and other methods have in the past been used to steal passwords and other personal info.

    Lastly, do not enter login info to sites you clicked to from an email unless you were expecting the email (such as verifying a registration). If you’re going to your banking website, open a new window or tab, type the address you know is correct or use a bookmark you created. One of the oldest scams on the internet is spoof sites used to trick people to entering credentials.

  7. CradleRevert says:

    LastPass is nice. Even though LastPass holds all your passwords, the passwords are unreadable even by LastPass since they can only be decrypted by a passphrase that you know. So even if LastPass were compromised, the passwords would be useless to the hacker.

    If you are still not comfortable storing your passwords online, KeePass is nice. It’s a free program that holds your passwords inside of an encrypted database which is unlocked by one master password.

  8. derek72 says:

    I strongly recommend LastPass – I’ve been using it for some time.

  9. Sonshine135 says:

    I am greatly concerned that the report came out that over 1 billion user names and passwords were compromised, but the names of the impacted companies or governments were not released. Everyone who frequents online resources is now wondering whether their information was the information that was compromised. It will only take one serious event where hundreds of thousands of people have their bank accounts drained or personal information stolen before the whole idea of ecommerce comes crashing to a halt.

  10. Andrew says:

    In many parts of Africa they use drums for long distance communication. The advantage is that there is absolutely no way to breach the security with that mode of communication. Also, it works just as well even when there is a power failure. The equipment is a bit bulky, compared to a Laptop, but not compared to a Ham Radio (for those who don’t know: a ham radio is not made from ham)

  11. Gregg the Obscure says:

    I use varying passwords, that change periodically. Passwords for the most sensitive applications (banking, work, etc.) are stronger than those for blog commenting. Also have an ID theft protection product through my bank. I was involved in response to an identity theft conducted against customers of a previous employer, so I have contacts for remediation services when such becomes necessary.

    Easy way to devise strong passwords that are still memorable: use citations from Scripture with an alphanumeric switch or two, eg. p5aLm1O0:I (no, that isn’t one I’ve used).

  12. Magash says:

    I have given up the notion that doing anything on line is secure. That doesn’t mean I don’t use strong passwords on financial sites. It also doesn’t mean that I don’t take precautions. However I have come to the conclusion that ultimately anything I do will be ineffective.
    For example I only use a single credit card online. I do not use that credit card for anything else. However other credit cards which I never use online have been compromised? How? I suspect a merchant or restaurant employee copied the card. I also know that businesses like Target have had their databases compromised. I can do nothing to control that.
    Almost surely the NSA has compromised Google, Bing, Facebook and Instagram (not to mention Twiddle, which I don’t use.) I also have no control over that.
    Basically the only way to have online security is not to go online. Other than that live online as you do in the real world. Don’t post anything you wouldn’t want attributed to yourself. Don’t leave large amounts of cash out unless there is no risk. What do I mean by that? One reason that I don’t get much worried about credit card fraud is that as long as I take reasonable precautions I’m only on the hook for $50 no matter how much a credit card thief steals. So in my mind since it’s the credit card company who takes the loss it seems to me that it’s in their interest to make sure their websites, databases and records are secure. I have no control over it. I can’t be held responsible. So why should I worry overmuch about it?
    In the long run just as in a house, if a thief or murderer wants to get into your house there is really no way to stop them. Strong door with a lock. Break the window. Put bars on the window. Drive a dump truck through the wall. The same goes for online. Good passwords and hints prevent some college age political ideologue from hijacking your gmail account. A strong password and not using password save in your browser will prevent your druggy niece from emptying your bank account.
    Almost nothing you do will prevent the NSA or Russian hackers from getting into your stuff.

  13. ray from mn says:

    Some years ago I read an article on how to strengthen a password.

    I can’t remember all the details, but they said that the password should be at least 16 characters long, and include upper and lower case letters, numbers and at least one special character. I use that for my bank accounts and other financial accounts.

  14. The information breach was mostly from Facebook and LinkedIn – social networks. Banks are not reporting any effect yet.

    I use varying passwords which I track manually or mentally. I don’t even trust the typical online password managers, instead I use a website with very tight encryption as an identity manager. Password managers through browsers are very useful, but I have not turned on the sharing among devices.

    To better secure one’s critical information, it helps to not give it out. One critical component for identity theft for instance is Date of Birth. Therefore, if you don’t need to supply your real birthdate, as for a driver’s license or social security or health records, don’t. When registering online or at stores or video games or whatever, create another date of birth other than your real one. Eventually this date of birth turns up on some non-encrypted database and is wide open. It is true ‘cyber security’ doesn’t really mean anything.

    In regard to online activity, I use Abine products such as MaskMe. I also use Do Not Track Me, which blocks trackers. To manage my identity I use Symantec’s Personal Identity Portal – there are other companies that offer this with varying degrees of security. This hides my information when I log into various websites if I wish to use it.
    One of the best things about the Mac is that, unlike a PC, it asks permission to install software. This can keep trojans and such things from installing themselves. Also we know that hackers pay more attention to PCs so the Mac is much less vulnerable to intrusion when perusing the internet. I used to notice the slowness of my past PC would get worse after visiting certain websites even though I had security software – this is way reduced on the Mac. And I don’t have to manually clean up internet files and leftovers on the PC anymore. Just because you use security software doesn’t mean your PC doesn’t collect all kinds of tracking junk and that must be cleaned up by the user manually.

    In regard to credit card fraud, the TJ Maxx/Home Goods/Marshalls conglomerate has one of the worst reputations for security – even though they have a record of breaches, they continue to get hacked, resulting in the bank contacting you about changing your credit card again. Whereas Target is aggressively working to fix their breaches. Also, use the credit card, not your debit card – the laws for credit card security are far more stringent. Also, using a credit card in little mom and pop shops is always a bigger data risk because they are more likely to use smaller companies that ignore the stringent and necessary encryption rules somewhere down the line.

  15. Having spent the last 25 years or so in the information assurance/network security/internet security space…if you believe that all the buzzword-driven industry compliance standards provide anything more than, in many cases, window dressing that your commerce efforts are secure…well…I have some great real estate to show you.

    IMHO, Moore’s law can be (mis)applied to programmatic (and at the core, web sites are collections of programmatic elements) efforts: every two years, the complexity of the software driving applications increases. Along with that, since programs are written by fallible humans, there WILL be mistakes/miscoding/hanging variables/memory leaks/buffer overflows/unterminated lines/unknown errors/etc, any one of which can provide an entry point or attack vector that will expose your information.

    With convenience comes risk or added expense. In retail, it’s all about expense. In maintaining the launch codes, it’s confidentiality, integrity, and availability. On web sites, it’s frequently “make it pretty and easy to buy X”, and “oh, by the way, can you have it done by 4PM?”.

    It’s not that coders (I hesitate to call them programmers…programmers wrote the code that put men on the moon…coders reuse code that others developed years ago, put a new set of graphics on the display, and re-use well-published transaction processes to push the latest and greatest out the door…mostly off-shore, working for 25 USD a day) are necessarily doing the wrong thing…just that, as fallible humans under time and production pressures, they may NOT hit all the vulnerabilities.

    As a security wonk, I have to be right and predict unpredictable behavior 100% of the time. Dedicated criminals, driven solely by $$ (or UKP or Rubles or Euros) only have to find the ONE error that wasn’t caught in a complex software environment to exploit (unauthorized) access for every 1000 attempts to be profitable.

    Not saying don’t use the net. Just don’t be complacent with giving out information that’s not required. Why do you think PayPal has a security staff larger than most online companies’ entire IT department? Just because.

    Be careful out there…you are not paranoid because they ARE out to get you. But, it’s not personal, just (criminal) business.

  16. JPK says:

    Many of these breaches are the result of hackers running a small bit of code called “SQL Injections.” As a matter of fact, one curious software developer went to the ObamaCare website, and entered a few lines of a Structured Query Language script (he wanted to see if he could get a list of customers’ names and addresses) and all of a sudden his spreadsheet (which was used to record the query) began filling up with hundreds of user account info (names, SSAN, addresses, etc….).

    People would be shocked at how easy it is to data mine websites. Most hackers are nothing more than script kiddies who re-use code to mine Google. The crazy thing is that it only takes a database admin 3-5 minutes to lock down his data.
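The injection the comment describes, as an added example that is not the commenter's code: a constructed sqlite3 customer table, a lookup that pastes user input into the query text (the defect), the parameterized lookup that the same input cannot escape (the few-minute fix), and a read-only connection setting as a second layer. The table contents and the `lock_down` helper are constructed for this illustration.

```python
import sqlite3

# Constructed sample data standing in for a site's customer table.
SAMPLE_ROWS = [
    ("Alice Example", "1 Main St"),
    ("Bob Example", "2 Oak Ave"),
    ("Carol Example", "3 Elm Rd"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, address TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The defect: user input is spliced into the SQL text, so a quote or
    an OR in the input becomes part of the statement the database runs."""
    sql = "SELECT name, address FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The fix: the SQL text is fixed and the input travels as a bound value,
    so whatever it contains is only ever compared against the name column."""
    sql = "SELECT name, address FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lock_down(conn: sqlite3.Connection) -> None:
    """Second layer (hypothetical hardening step): the web-facing connection
    is made read-only, so even an injected statement cannot alter the table."""
    conn.execute("PRAGMA query_only = ON")


def write_blocked(conn: sqlite3.Connection) -> bool:
    """Returns True when the connection refuses a write, i.e. lock_down held."""
    try:
        conn.execute("INSERT INTO customers VALUES ('Mallory', 'nowhere')")
        return False
    except sqlite3.OperationalError:
        return True


# The textbook tautology: a single-row lookup becomes a whole-table dump
# when the input reaches the query as text instead of as a bound value.
TAUTOLOGY_INPUT = "nobody' OR '1'='1"
```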

  17. Patrick-K says:

    I use KeePass which appears to be similar to LastPass.

    I also use HTTPS Everywhere which tries to enforce encrypted connections to web sites whenever possible.

    Also for Google and some other sites, you can enable two-factor authentication. What that does is every time you log in, you need to enter a number. This number is generated using a specific formula known by you and the server, and also involves the current time (and is good for about 10 minutes). This wards off password guessing because the correct answer is different (almost) every time. Banks and also online games usually have that sort of thing. Google (and others) also have some options such as alerting you when login attempts are made outside of the country you live in. It’s kind of funny that online games have better security than most of the shopping sites.

  18. Dashlane? 1Password? Lastpass?

    Some good options. I think one that would sync across mobile devices might be my best option.

  19. fichtnerbass says:

    I’ve been a user of LastPass for many years now. Free version allows you to store and access via computer and any/all mobile devices. Premium version ($12/year) allows you to use an app on your mobile devices to auto-fill login info. And allows you to share sites and login info (can share it without giving the other person access or share completely), which is useful for sites like insurance, banking, credit cards, etc. that I and my spouse both need to access. I’ve got something like 150+ unique username and passwords stored in LastPass. It has an auto-generate feature as well – tell it how many characters you need, if you want alpha, numeric, special, etc. and it will create it for you. Then click “save” and you have a new entry. Highly recommend it!