The hot security story of the last couple of weeks has to be that several popular webmail providers were investigating a report that millions of their users' login details had been shared online by a hacker.
For the purpose of this article, let’s delve a bit deeper into what happened, why it’s important and how we can protect ourselves from future attacks like this.
Another data breach or a repackaged one?
With data breaches it’s important to keep everything in perspective, rather than letting our imaginations run wild with theories about what the hackers have accessed. In this particular case, the breach may have affected 272 million addresses, which seems an astronomical number, but in actual fact only 42.5 million were new; the rest had been breached on previous occasions.
In addition to this, according to mail.ru a large number of the usernames affected appeared more than once with different passwords, and sample data showed that the entries relating to its users did not contain any real live combinations of usernames and passwords. This is most likely why the hacker released the data in this case: it was not quite as valuable as was first anticipated.
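The kind of triage behind those numbers (how much of a dump is new, how much is repackaged, how many usernames carry several passwords) is shown here as an added example; it is not code from the article or from any provider, and both the "earlier breach" and the "new dump" are constructed samples.

```python
"""Triage of a constructed credential dump: new vs. previously seen pairs,
and usernames that appear with more than one password.
All sample data below is constructed; no real credentials are used."""
from collections import defaultdict
import hashlib

# Constructed sample of an earlier, already-known breach corpus ("user:password")
KNOWN_BREACH = """alice@example.com:hunter2
bob@example.com:password1
carol@example.com:qwerty"""

# Constructed sample of a newly reported dump: repackaged, duplicated, plus junk
NEW_DUMP = """alice@example.com:hunter2
Alice@example.com:hunter2
bob@example.com:password1
bob@example.com:letmein
dave@example.com:Summer2016
carol@example.com:qwerty
dave@example.com:Summer2016
erin@example.com:123456
bad line without separator"""

def parse_dump(text):
    """Yield (username, password) pairs; usernames lower-cased, malformed lines skipped."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, _, password = line.partition(":")
        yield user.strip().lower(), password.strip()

def fingerprint(user, password):
    """Keep only a hash of each pair so triage output never carries plaintext."""
    return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()

def triage(new_text, known_text):
    """Compare a new dump against known material and summarise what is actually new."""
    known = {fingerprint(u, p) for u, p in parse_dump(known_text)}
    unique = {}                      # fingerprint -> username
    per_user = defaultdict(set)      # username -> distinct password fingerprints
    total = 0
    for user, password in parse_dump(new_text):
        total += 1
        fp = fingerprint(user, password)
        unique[fp] = user
        per_user[user].add(fp)
    new_pairs = [fp for fp in unique if fp not in known]
    return {
        "records_total": total,
        "unique_pairs": len(unique),
        "previously_seen": len(unique) - len(new_pairs),
        "new_pairs": len(new_pairs),
        "users_with_multiple_passwords": sorted(u for u, fps in per_user.items() if len(fps) > 1),
    }
```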
However, despite the fact that there is often a little bit of ‘scare mongering’ involved in highly publicised breaches, it is hugely important that we take responsibility for the protection of our data. Only back in March, Metropolitan Police chief Sir Bernard Hogan-Howe controversially spoke out and suggested that banks should consider no longer refunding some online fraud victims. We share so much of our lives online these days, from online banking and shopping to intimate pictures of our loved ones on social media like Facebook and Snapchat. It has never been more important to keep data safe, yet we seem more lax than ever in our attitude, adopting a ‘that’ll never happen to me’ mentality. So what do we need to know?
Beyond the obvious
We are all told to change our passwords regularly and make them more complex by including letters, numbers and symbols. Yet 3 out of 4 consumers use duplicate passwords, many of which have not been changed in five years.
Unsurprisingly, the same survey reported that about 40 per cent of those had had ‘a security incident’ in the past year, meaning they had an account hacked, a password stolen, or were given notice that their personal information had been compromised. So here’s further advice, beyond the password, that may just help you avoid a security breach.
- Number one, you need to have more than one email account, and they should be used for different things; as these webmail services are free, there is no reason not to. Many of us have a personal and a work account, but since you lose access to your work account if you move jobs, you are effectively living your digital life through one username and password, which increases your risk of a breach significantly. These types of personas are like gold dust for hackers.
- Ideally, it is advisable to have one account that you use for financial matters, like banking, and that is never used for anything else. Remember that your email address is used to reset access if you need to, so having a private email address that no one knows other than your bank(s) reduces the risk of someone hijacking it and resetting passwords to gain access to your cash.
- Do not use the same credentials for email as you do for other sites. For example, if your email address is your login to Facebook, then don’t use the same password to access both your email and Facebook; if one is compromised, you want to know that only one account has been breached, rather than multiple accounts that are associated with you.
- Finally, it is also useful to have another account for all the other stuff: e-cards, offer emails, e-invites and general websites that are not important. Consider this email a ‘burner’, so that if it becomes compromised or the spam becomes too much you just delete the account and start over. In addition to being more secure, I find this also compartmentalises important accounts from those that are merely filling up my inbox with junk, making it easier to spot if something doesn’t seem quite right, for example when reporting a phishing email.
I don’t want to labour the point, but yes, you do need to change your passwords, and you need to change them regularly on all your accounts! Go one step further beyond numbers and symbols and you will dramatically reduce the chances of your accounts being breached. For example, “Chelsea 2 Spurs 2 Leicester City won” is a phrase that I would personally remember but which can be turned into a very unique password. The password could look like this: CS2sps2!LC1.
Where possible, use two-factor authentication. Most online services now offer the ability to use your mobile device to receive a code when you log in, which you then authenticate with; if they offer it, then use it. Another variant on this is where it only authenticates this way when you log in from a ‘new’ device; again, if it’s offered, then use it. I know it sounds simple enough and we all know we should do it, but the statistics don’t lie: we are all terrible at following simple advice.
Security breaches like the one that hit the headlines are an important reminder that you should not be a sitting duck waiting for a hacker to delete your digital memories, take your hard-earned money, or even steal your identity.
Don’t wait to become a victim – be proactive, take control and protect your digital footprint.
Tony Anscombe, Senior Security Evangelist, AVG Technologies
Image source: Shutterstock/hywards