Adobe admitted this week that 38 million of its users
may have had their ID and passwords leaked. Sadly, Adobe is not the first big
site to break this sort of news to its users. Sony, Evernote, LinkedIn - there are dozens of companies
which have fallen victim to hackers over the past few years, leaking
everything from credit card details to email addresses, and often
affecting millions or tens of millions.
What should you do when this happens? You’ll often – but not
always – get an email from the company explaining what’s happening, and
what to do. But the advice you’re offered by the company might be the
bare minimum you can do to stay safe – and our tips offer a few extra
safeguards.
It’s worth checking company sites in the event of any
breach – you’ll often find more detail there, and advice on specific
risks. Even company Twitter feeds can help. Adobe, for instance, offers some good advice for its users here.
Don’t always believe what they tell you
In the first few hours after a major breach, the company
itself may not be aware of the extent of the attack – and may be
attempting to “manage” the crisis. Often, there isn’t much you can do when a major company
screws up. And in fact, some companies may try to gloss
over the breach by not notifying individual users unless they know that
they’re likely to be affected.
Been “reassured” by email? Stay alert
In many breaches, the news is not announced via company
sites or Twitter feeds – it’s first sent as an email to users. But
breaches can turn out to be far worse than they appear – to take Adobe’s
example, it initially seemed that “only” three million users were
affected.
As such, take as many precautions as you can, regardless of what the
email says. If a company does notify you individually, it’s important that you take it seriously
and consider carefully whatever advice they give you. Equally, bear in mind that such notifications may play down the threat
for PR reasons, and in any case the company’s understanding of the
security implications may be incomplete.
The word “encrypted” doesn’t always mean you’re safe – nor does a strong password
When hackers break into a company and leak huge amounts of encrypted
IDs and passwords, companies often trumpet the fact that the data was
“encrypted” – but there are different levels of encryption, and once
leaked, cybercriminals will use specialised software to extract
passwords. Once the data is out there, criminals have months to run cracking software against the encrypted data – and if they are determined, and lucky, they’ll break in, no matter how strong your password was. That means it’s doubly important to change a leaked password if you have reused it elsewhere. If you used a weak password, though, it will be far easier for criminals to “crack” yours. Here is a guide on how to create a strong password.
Phish alert! Be very, very careful about emails from the company
When a breach occurs, the company may send you an email – but
be wary: cybercriminals will see this as an opportunity, too. Bear in mind that it’s not unknown for scammers to use breaches
like this as a starting point for fake alerts used for phishing
purposes. If you get an alert that contains links that require you to
enter your password so that you can change it, or to access further
information, treat it as suspicious. Rather than follow the link, go to a
page you know is genuine and drill down from there.
Don’t just change one password
Once a big breach has hit the news, most users change their
passwords – or are forced to. But the criminals may target email
services with the passwords – so it’s a good idea to have a clean sweep
of online services you use, such as email, social networking and storage
sites such as Dropbox.
When your login credentials have
been revealed, it’s obviously a good idea to change your password, and
in fact the compromised site may force you to do so. However, an
attacker is likely to assume that you use the same credentials on other
sites, and he may try them on other sites of interest to him. So it’s a good idea to change your password on any other sites that use
the same credentials.
Don’t set yourself up for a fall
Internet users get asked for passwords dozens of times a
week. It’s important to save your “good” email address and strong passwords for the
sites that matter. Some people use a different username and a standard
‘throwaway’ password on sites that don’t really matter and that they’re
unlikely ever to visit again. If you do this, be sure that you use
something individual and harder to crack on sites that do matter, or
might in the future.