Saturday, November 2, 2013

What to do when breaches put your ID at risk

Adobe admitted this week that 38 million of its users may have had their ID and passwords leaked. Sadly, Adobe is not the first big site to break this sort of news to its users. Sony, Evernote, LinkedIn - there are dozens of companies which have fallen victim to hackers over the past few years, leaking everything from credit card details to email addresses, and often affecting millions or tens of millions.

What should you do when this happens? You’ll often – but not always – get an email from the company explaining what’s happening, and what to do. But the advice you’re offered by the company might be the bare minimum you can do to stay safe – and our tips offer a few extra safeguards.

It’s worth checking company sites in the event of any breach – you’ll often find more detail there, and advice on specific risks. Even company Twitter feeds can help. Adobe, for instance, offers some good advice for its users here.

Don’t always believe what they tell you
In the first few hours after a major breach, the company itself may not be aware of the extent of the attack – and may be attempting to “manage” the crisis. Often, there isn’t much you can do when a major company screws up. And in fact, some companies may try to gloss over the breach by not notifying individual users unless they know that they’re likely to be affected.

Been “reassured” by email? Stay alert
In many breaches, the news is not announced via company sites or Twitter feeds – it’s first sent as an email to users. But breaches can turn out to be far worse than they appear – to take Adobe’s example, it initially seemed that “only” three million users were affected.

As such, take as many precautions as you can, regardless of what the email says. If a company does notify you individually, it’s important that you take it seriously and consider carefully whatever advice they give you. Equally important, bear in mind that such notifications may play down the threat for PR reasons, and in any case the company’s understanding of the security implications may be incomplete.

The word “encrypted” doesn’t always mean you’re safe – nor does a strong password
When hackers break into a company and leak huge amounts of encrypted IDs and passwords, companies often trumpet the fact that the data was “encrypted” – but there are different levels of encryption, and once leaked, cybercriminals will use specialised software to extract passwords.

Once the data is out there, criminals have months to use cracking software on the encrypted data – and if they are determined, and lucky, they’ll break in, no matter how strong your password was. That means it’s doubly important to change passwords if they are reused elsewhere. If you have used a weak password, though, it will be easier for criminals to “crack” yours. Here is a guide on how to create a strong password.
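As an added illustration of what the different “levels” above mean (example code written for this post, not Adobe’s scheme or any company’s real storage): a fast, unsalted hash can be matched against a precomputed table of common passwords the moment the dump leaks, while a per-user salt plus a slow key-derivation function makes every guess expensive and every table useless. The wordlist and the “leaked” records are constructed samples.

```python
import hashlib
import os
import time

# Constructed sample wordlist, standing in for the dictionaries cracking tools use.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "adobe123"]


def fast_unsalted(password: str) -> str:
    """'Encrypted' in the weakest sense: one fast hash, no salt (plain SHA-1)."""
    return hashlib.sha1(password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt: each guess costs `iterations` hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def precomputed_table_matches(leaked: dict[str, str]) -> dict[str, str]:
    """Which leaked records a precomputed table of common passwords identifies.

    With an unsalted fast hash this is one dictionary lookup per record: that is the
    exposure a user with a weak or reused password has as soon as such a dump leaks.
    """
    table = {fast_unsalted(p): p for p in COMMON_PASSWORDS}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def salt_defeats_precomputation(password: str) -> bool:
    """Same password, two random salts, two different digests: no shared table applies."""
    return slow_salted(password, os.urandom(16)) != slow_salted(password, os.urandom(16))


def cost_ratio(samples: int = 50) -> float:
    """Seconds per guess under the slow scheme divided by the fast scheme, on this machine."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for p in COMMON_PASSWORDS * samples:
        fast_unsalted(p)
    fast = (time.perf_counter() - t0) / (len(COMMON_PASSWORDS) * samples)
    t0 = time.perf_counter()
    for p in COMMON_PASSWORDS[:2]:
        slow_salted(p, salt)
    slow = (time.perf_counter() - t0) / 2
    return slow / fast


if __name__ == "__main__":
    # Constructed sample dump: two users chose wordlist passwords, one did not.
    dump = {"alice": fast_unsalted("password"), "bob": fast_unsalted("dragon"),
            "carol": fast_unsalted("Vq7!m2#pLw9z")}
    print(precomputed_table_matches(dump))        # -> {'alice': 'password', 'bob': 'dragon'}
    print(salt_defeats_precomputation("password"))  # -> True
    print(f"slow scheme costs ~{cost_ratio():,.0f}x more per guess")
```

The ratio printed last is why a slow, salted scheme buys users time to change passwords, and why a strong, unique password still matters when the scheme turns out to be the fast one.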

Phish alert! Be very, very careful about emails from the company
When a breach occurs, the company may send you an email – but be wary: cybercriminals will see this as an opportunity, too. Bear in mind that it’s not unknown for scammers to use breaches like this as a starting point for fake alerts used for phishing purposes. If you get an alert that contains links that require you to enter your password so that you can change it, or to access further information, treat it as suspicious. Rather than follow the link, go to a page you know is genuine and drill down from there.

Don’t just change one password
Once a big breach has hit the news, most users change their passwords – or are forced to. But the criminals may target email services with the passwords – so it’s a good idea to have a clean sweep of online services you use, such as email, social networking and storage sites such as Dropbox.

When your login credentials have been revealed, it’s obviously a good idea to change your password, and in fact the compromised site may force you to do so. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. So it’s a good idea to change your password on other sites that do use the same credentials.

Don’t set yourself up for a fall
Internet users get asked for passwords dozens of times a week. It’s important to save your “good” email and strong passwords for the sites that matter. Some people use a different username and a standard “throwaway” password on sites that don’t really matter and that they’re unlikely ever to visit again. If you do this, be sure that you use something individual and harder to crack on sites that do matter, or might in the future.
