There’s no sugar-coating things: we live in the era of data hacks. Whereas the weeks leading up to New Year’s Eve used to be a time for taking stock of what we’ve accomplished during the year, adding and subtracting total pounds gained and lost, and an accounting of dead celebrities — well, OK, it’s still that. But now an item added to the list is “who got hacked this year?”
The answer, eventually, is just going to be “everyone.” Sure, there are always going to be the big names: the Marriotts, the British Airways, the Facebooks (again), the T-Mobiles. And then there are the ones you never heard about, or forgot about (I’d completely blocked out the week of horror I felt when I found out MyFitnessPal was hacked – take my Social Security Number, take my payment information, but for the love of all things holy, don’t make my weight public!).
The thing about these hacks is that while they are perpetrated on businesses, the victims are individuals, and the bottom line is that some of your personal information is probably publicly available. Want to know for sure? Check out the website “Have I Been Pwned” (HIBP, https://haveibeenpwned.com/). It’s an aggregator of data breaches created by Troy Hunt that lets you enter your email address and find out whether it has appeared in any of the breaches or incidents the site has indexed. Entering my primary personal address into the site resulted in a long and, frankly, unsurprising list, starting with the October 2013 Adobe breach and ending in the most recent, “Collection #1.”
This last incident is, according to Hunt, the single largest breach ever to be loaded into HIBP. I highly recommend reading his post on the topic, because not only does it explain the subject far better than any summary I could create, it’s an incredible look into the world of breaches, how they happen and just how thorough Hunt is in vetting them.
Here’s the thing: We tend to think of data breaches far more simplistically than they actually are. We imagine that, for example, someone hacks Adobe, gets our username and password, and goes in and takes the credit card data. Well – sort of. But it’s more sophisticated than that, and Collection #1 (which is Hunt’s name for the January 2019 breach) is a good example of how much more sophisticated.
Collection #1, per Hunt, is a “set of email addresses and passwords totaling 2,692,818,238 rows. It’s made up of many different individual data breaches from literally thousands of different sources. … In total, there are 1,160,253,228 unique combinations of email addresses and passwords.” The 773 million breached records, according to Hunt, are the data that was loaded into HIBP — after, he notes, “as much clean-up as I could reasonably do.” Yes, Hunt cleans and vets the hacked data before loading it.
More important, though, is what happened with that data. It was uploaded to the cloud storage service MEGA (since removed), and the link to it was being shared on a popular hacking forum.
So where is the danger, exactly? Let’s go back to Adobe. I’ve long since changed my password on Adobe – several times. But had I used that same combination of email address and password on other sites? Most likely. I, like many people, had the abysmally bad habit of reusing credentials, and that’s where you can really get into trouble. Credential stuffing attacks take usernames and passwords exposed in one breach and try them against other sites, and if you’re reusing those passwords, you’re even more at risk.
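On the defender’s side, a credential-stuffing run has a recognisable shape in authentication logs: one source failing logins against many different accounts within a short window, which is not what a user who forgot a password, or even a brute-force against a single account, looks like. The Python below is an added example, not code from this column or from any service named in it; the log format and the addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
"""Flag credential-stuffing sources: one source failing logins for many
distinct accounts in a short window (leaked pairs being replayed). A
brute-force on one account (one user, many failures) is not matched."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (no real system); RFC 5737 documentation addresses.
# 203.0.113.5 sprays accounts, 198.51.100.9 hammers one, 192.0.2.77 is benign.
SAMPLE_LOG = """\
2019-01-17T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-01-17T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2019-01-17T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2019-01-17T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2019-01-17T10:00:04Z src=203.0.113.5 user=erin result=SUCCESS
2019-01-17T10:00:05Z src=198.51.100.9 user=frank result=FAIL
2019-01-17T10:00:06Z src=198.51.100.9 user=frank result=FAIL
2019-01-17T10:00:07Z src=198.51.100.9 user=frank result=FAIL
2019-01-17T10:00:09Z src=192.0.2.77 user=grace result=FAIL
"""

def parse_line(line):
    """Split 'timestamp key=value ...' into (datetime, fields dict)."""
    ts, *fields = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dict(f.split("=", 1) for f in fields)

def find_stuffing_sources(log_text, window=timedelta(seconds=60), min_users=4):
    """Return {src: users} for sources that fail against >= min_users distinct
    accounts inside any window-long span (sliding window per source)."""
    failures = defaultdict(list)                      # src -> [(time, user)]
    for line in log_text.splitlines():
        stamp, f = parse_line(line)
        if f.get("result") == "FAIL":
            failures[f["src"]].append((stamp, f["user"]))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:    # slide window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = users
                break
    return flagged

def accounts_to_reset(log_text, flagged):
    """Accounts a flagged source then logged into: a reused password worked."""
    return {f["user"] for _, f in map(parse_line, log_text.splitlines())
            if f["src"] in flagged and f["result"] == "SUCCESS"}
```

The successful login for erin from the spraying source is the case the column is warning about: a password reused from some earlier breach worked here, and that account needs a forced reset rather than just a blocked IP.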
And here’s another scam that involves those exposed passwords: Emails from someone who claims to have some dirt on you. Perhaps even video of you. And porn sites are involved. The kicker? The subject line of the email is a password you have used. And yes, I got a couple of these emails, and yeah, all logic kind of goes out the window when you see what is indeed one of your passwords — a decidedly insecure one but also not a terribly common word — right there in the subject line. You get scared for a second, especially when you see a ransom demanded in bitcoin (My first and second super-logical thoughts: “I don’t even know how to use bitcoin! Wait, I thought bitcoin wasn’t as valuable anymore.”). Only later came the more rational thoughts — like, there is logically no way this can be legitimate. A quick Google search confirmed those more rational thoughts.
It does, however, prove that old password of mine is indeed floating around the internet, available to anyone who wants to find it and try it.
So what do you do? Well, if you’re a business, there are clearly a number of steps you should have in place, along with an overall security plan and a disaster backup and recovery plan. Both The Imaging Channel and Workflow have a number of resources on the subject.
But you’re not just a business owner or IT executive or front-line worker – you’re also an individual, and you need to know how to protect yourself. First step: if you’re not already, use a password manager. I repeat, USE A PASSWORD MANAGER. I’m not sure I can stress this enough: Use. A. Password. Manager. The two most-recommended are 1Password and LastPass. There are others, and I suggest you research and make your own decisions; I will say that I personally use LastPass. These systems also allow you to run checks on your passwords and identify where you are reusing passwords, allowing you to change them. Bottom line: you should not be using the same password on any two sites; not even variations of the same password.
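The reuse check a password manager’s audit performs can be approximated in a few lines, and doing so shows why “variations of the same password” count as reuse. The Python below is an added example, not code from this column, from 1Password or from LastPass; the vault contents are constructed, and the normalisation rules (case, a few leetspeak substitutions, a trailing year or punctuation) are a hypothetical heuristic, not how either product works.

```python
"""Audit a password vault for reuse, including 'variations' of one password
(Summer2013! vs summer2014 vs $umm3r2013), which exact matching misses."""
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample vault (site -> password); none of these are real credentials.
SAMPLE_VAULT = {
    "adobe.example":   "Summer2013!",
    "fitness.example": "summer2014",
    "bank.example":    "$umm3r2013",
    "shop.example":    "Summers2013!",
    "mail.example":    "Xq7!vL2#pRw9zT",
    "forum.example":   "correct-horse-battery",
}

# Hypothetical leetspeak table: 0->o 1->i 3->e 4->a 5->s 7->t @->a $->s
LEET = str.maketrans("013457@$", "oieastas")

def normalize(pw):
    """Collapse common tweaks so variations of one base word compare equal."""
    core = re.sub(r"[\W\d_]+$", "", pw)      # drop trailing year / punctuation
    core = core.lower().translate(LEET)      # ignore case and leetspeak
    return re.sub(r"[^a-z0-9]", "", core)    # drop any remaining symbols

def reuse_groups(vault):
    """Sets of sites whose passwords are identical once normalised."""
    by_core = defaultdict(set)
    for site, pw in vault.items():
        by_core[normalize(pw)].add(site)
    return [sites for sites in by_core.values() if len(sites) > 1]

def near_duplicates(vault, threshold=0.8):
    """Site pairs whose normalised passwords differ but are nearly identical."""
    cores = {site: normalize(pw) for site, pw in vault.items()}
    sites, pairs = sorted(cores), set()
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            if cores[a] != cores[b]:
                ratio = SequenceMatcher(None, cores[a], cores[b]).ratio()
                if ratio >= threshold:
                    pairs.add((a, b))
    return pairs
```

Everything this flags should be replaced with a generated, unrelated password; the two entries it leaves alone are the only ones a breach of one site would not turn into a working login elsewhere.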
But even password managers aren’t exempt: LastPass itself experienced a security breach a few years ago. LastPass stores its data in the cloud — although the decryption key, reportedly, never leaves your computer (if you are not a data engineer, by the way, your head could explode from trying to understand all the nitty-gritty. I consider myself fairly tech savvy and I’ve popped three Advil while writing this. “One-way salted hash”? Really?). My understanding is that 1Password offers a locally stored database option. Again – do your research. Within reason.
Other tips: change your passwords regularly, using your password manager to do so. Avoid publicly posting information that is commonly used for security recovery questions, like your first elementary school, birthday or mother’s maiden name (all of which can be found on most Facebook profiles). Use two-factor authentication where it’s available. And use common sense. Phishing attacks are often successful because common sense flies out the window when we get scared or feel threatened. Question everything. Don’t open unknown email attachments. And finally, take a moment, breathe, and remember that you’ve prepared for the worst-case scenario. Don’t stop living your online life — just do it with caution.