When Adobe admitted this week that 38
million of its users may have had their ID and passwords leaked, it was
not the first big site to break this sort of news to its users.
Sony, Evernote, LinkedIn – there are dozens of companies
which have fallen victim to hackers over the past few years, leaking
everything from credit card details to email addresses, and often
affecting millions or tens of millions.
What should you do when it happens? You’ll often – but not
always – get an email from the company explaining what’s happening, and
what to do.
But the advice you’re offered by the company might be the
bare minimum you can do to stay safe – and our tips offer a few extra
safeguards.
It’s worth checking company sites in the event of any
breach – you’ll often find more detail there, and advice on specific
risks. Even company Twitter feeds can help. Adobe, for instance, offers some good advice for its users on its own site.
Don’t always believe what they tell you
In the first few hours after a major breach, the company
itself may not be aware of the extent of the attack – and may be
attempting to “manage” the crisis. ESET Senior Research Fellow David
Harley says, “Often, there isn’t much you can do when a major company
screws up. And in fact, it’s not unknown for a company to try to gloss
over the breach by not notifying individual users unless they know that
they’re likely to be affected. (Local legislation has a lot of influence
here: where there is legislation forcing disclosure, it may depend on
how much wiggle room is left.)”
Been “reassured” by email? Stay alert
In many breaches, the news is not announced via company
sites or Twitter feeds – it’s first sent as an email to users. But
breaches can turn out to be far worse than they appear – to take Adobe’s
example, it initially seemed that “only” three million users were
affected. Take as many precautions as you can, regardless of what the
email says (see our advice on passwords below). Harley says, “If a
company does notify you individually, it’s as well to take it seriously
and consider carefully whatever advice they give you. However, it’s as
well to bear in mind that such notifications may play down the threat
for PR reasons, and in any case the company’s understanding of the
security implications may be incomplete.”
The word “encrypted” doesn’t always mean you’re safe – nor does a strong password
When hackers break into a company and leak huge amounts of encrypted
IDs and passwords, companies often trumpet the fact that the data was
“encrypted” – but there are different levels of encryption, and once
leaked, cybercriminals will use specialised software to extract
passwords. Once the data is out there, criminals have months to use
cracking software on the encrypted data – and if they are determined,
and lucky, they’ll break in, no matter how strong a password you use.
That means it’s doubly important to change passwords if they are reused
elsewhere. If you have used a weak password, though, it will be easier
for criminals to “crack” yours. We Live Security also publishes a guide to creating a stronger password.
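To show why a “encrypted” (in practice, hashed) password store can still be cracked once it leaks, here is an added Python example that is not from the article or from ESET: it stores the same weak password for two constructed users under a fast unsalted hash and under a salted, iterated PBKDF2 derivation, and measures how many guesses per second each scheme allows on the local machine. The user names, password and iteration count are constructed sample values.

```python
import hashlib
import hmac
import os
import time

# Constructed sample store: two users happened to choose the same weak password.
USERS = {"alice": "password1", "bob": "password1"}

def store_unsalted(password: str) -> str:
    """Fast, unsalted hash: the kind of scheme many leaked stores turned out to use."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_pbkdf2(password: str, iterations: int = 200_000) -> dict:
    """Per-user random salt plus an iterated KDF: every guess costs `iterations` hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}

def verify_pbkdf2(password: str, record: dict) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["digest"])

def unsalted_digests_collide(users: dict) -> bool:
    """Same password -> same digest, so one precomputed table exposes every such user."""
    digests = [store_unsalted(pw) for pw in users.values()]
    return len(set(digests)) < len(digests)

def pbkdf2_digests_collide(users: dict) -> bool:
    """With a random salt per user, identical passwords no longer share a digest."""
    records = [store_pbkdf2(pw) for pw in users.values()]
    return len({r["digest"] for r in records}) < len(records)

def guesses_per_second(func, password: str, rounds: int) -> float:
    """Rough cost of one guess under each scheme; a real cracker only has to be this fast."""
    start = time.perf_counter()
    for _ in range(rounds):
        func(password)
    return rounds / (time.perf_counter() - start)

if __name__ == "__main__":
    print("unsalted digests collide:", unsalted_digests_collide(USERS))
    print("pbkdf2 digests collide:  ", pbkdf2_digests_collide(USERS))
    print("sha1 guesses/s:   %.0f" % guesses_per_second(store_unsalted, "password1", 20_000))
    print("pbkdf2 guesses/s: %.1f" % guesses_per_second(store_pbkdf2, "password1", 5))
```

The measured rates differ by several orders of magnitude, which is the gap between a store that is cracked in hours and one that buys users time to change a reused password.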
Phish alert! Be very, very careful about emails from the company
When a breach occurs, the company may well email you – but
be wary, cybercriminals will see this as an opportunity, too. Harley
says, “Bear in mind that it’s not unknown for scammers to use breaches
like this as a starting point for fake alerts used for phishing
purposes. If you get an alert that contains links that require you to
enter your password so that you can change it, or to access further
information, treat it as suspicious. Rather than follow the link, go to a
page you know is genuine and drill down from there.”
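As an added illustration of Harley's advice, not code from the article or from ESET, this Python example checks the links in a constructed breach-notification email against the company's real domain (assumed here to be example.com) and flags any link whose host is not that domain or a subdomain of it, or which is not served over HTTPS. The email body, the look-alike domain and the 203.0.113.7 address are constructed sample values.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Assumed legitimate domain of the company that sent the notification.
LEGIT_DOMAIN = "example.com"

# Constructed sample email: one genuine link and two that only look genuine.
SAMPLE_EMAIL = """
<p>We recently discovered unauthorised access to our systems.</p>
<p>Please <a href="https://accounts.example.com/security">review your account</a>.</p>
<p>Or reset now: <a href="http://example.com.account-reset.net/login">example.com/reset</a></p>
<p>Help: <a href="https://example.com@203.0.113.7/help">help.example.com</a></p>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def host_belongs_to(hostname: Optional[str], domain: str) -> bool:
    """True only when the host is the domain itself or a subdomain of it.

    A suffix match on '.' + domain rejects 'example.com.account-reset.net',
    and urlparse().hostname already discards any 'example.com@' userinfo prefix.
    """
    if not hostname:
        return False
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)

def classify_links(html: str, domain: str) -> List[Tuple[str, str]]:
    """Return (url, verdict) for each link; anything off-domain or non-HTTPS is 'suspicious'."""
    results = []
    for url in HREF_RE.findall(html):
        parsed = urlparse(url)
        if parsed.scheme == "https" and host_belongs_to(parsed.hostname, domain):
            results.append((url, "ok"))
        else:
            results.append((url, "suspicious"))
    return results

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL, LEGIT_DOMAIN):
        print(f"{verdict:10s} {url}")
```

An "ok" verdict only means the host really is the company's; the article's advice to type the address yourself rather than follow the link still applies.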
Don’t just change one password
Once a big breach has hit the news, most users change their
passwords – or are forced to. But the criminals may target email
services with the passwords – so it’s a good idea to have a clean sweep
of online services you use, such as email, social networking and storage
sites such as Dropbox. Harley says, “Where your login credentials have
been revealed, it’s obviously a good idea to change your password, and
in fact the compromised site may force you to do so. However, an
attacker is likely to assume that you use the same credentials on other
sites, and he may try them on other sites of interest to him. (Of
course, they may not be sites of interest to you.) So it’s a good idea
(if an irksome task) to change your password on other sites that do use
the same credentials.”
Don’t set yourself up for a fall
Internet users get asked for passwords dozens of times a
week – so it’s only natural passwords DO get reused. Harley advises that
one approach is to save your “good” email and strong passwords for the
sites that matter: “Some people use a different username and standard
‘throwaway’ password on sites that don’t really matter and that they’re
unlikely ever to visit again. If you do this, be sure that you use
something individual and harder to crack on sites that do matter, or
might in the future.”