Yahoo! Hacked… Again


Yahoo has been hacked… again. News that the company was breached back in 2013, and the personal information of more than one billion of its users was stolen, should serve as a reminder that everyone’s email and personal information is vulnerable to hacking.


Safeguards you can take include creating strong passwords and changing them regularly. If you do not manage your passwords properly, you could be putting your personal or financial information and your identity at risk.

Protecting Yourself with Strong Password Management

The more complicated and lengthy a password is, the harder it will be for hackers to guess.

Don’t include your kids’ names, birthdays or references to any other personal details. Hackers routinely troll Facebook and Twitter for clues to passwords like these. Obvious and default passwords such as “Password123” are also bad, as are words commonly found in dictionaries, as these are used in programs hackers have to automate guesses.

Long and random combinations of letters, numbers and other characters work best.

Your password reset questions should be as unique as possible too, and don’t be tempted to recycle those either. This was some of the information stolen in the Yahoo hack. And with the help of social media, it’s not hard for hackers to find those little personal tidbits like what your mother’s maiden name is, or the name of your hometown.

Reusing Old Passwords?

No. Avoid using the same password for multiple sites, so that a breach of your school’s PTA site wouldn’t lead hackers to your online banking account.

You can make things easier on yourself by using a password-manager service such as LastPass. Password managers can remember complex passwords for you — but you have to trust them.

Changing Your Passwords

While some security experts argue that it’s more important to pick a complicated password than to change it frequently, if you haven’t changed your Yahoo password since 2013, do it now.

And even if you have changed your Yahoo password in the last three years, you might want to do it anyway. Breaches are often worse than they first appear. LinkedIn disclosed earlier this year that a 2012 breach affected 117 million accounts — not the 6.5 million previously thought.

Multi-Factor Identification

Multi-factor identification — which asks users to enter a second form of identification, such as a code texted to their phone — will provide additional protections. It’s now commonplace for many email and social media accounts.

Even if hackers manage to get your password they still need your phone with the texted code.

Closing Old Accounts

Delete or deactivate accounts you no longer use. Has your Yahoo email account been filled with spam since before the invention of smartphones? Maybe it’s time to say goodbye.

You can learn more about LastPass here.


Another Reason to Consider LastPass

Security. I talk about it here. Managing your passwords. Mission Critical. I revisit this topic regularly because it is so important. One of my favorite solutions for getting control of your online security is LastPass.  Today LastPass just got a little cheaper.

LastPass announced today that you will no longer need a paid Premium account to access the service on multiple devices. This feature is now free for everyone.

“Starting today, you can use LastPass on any device, anywhere, for free,” LastPass’s Joe Siegrist writes in the LastPass blog. “No matter where you need your passwords—on your desktop, laptop, tablet, or phone—you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use.”

This is great news for anyone who relies on the security and availability of LastPass—which both generates and stores complex passwords for multiple services—but can’t afford the Premium service. Granted, Premium is a reasonable $12 per year.

If you’re already using the free LastPass service, which previously limited the number of devices you could use, you’re all set: You can now use the service across an unlimited number of devices. If you were previously paying for LastPass Premium to use this feature, you just need to wait until your Premium subscription expires; at that time, your account will automatically convert to a free account.

That said, LastPass Premium still provides enough functionality to more than warrant its cost. Features include:

  • Family password sharing with up to five users
  • Ad-free experience
  • Yubikey and Sesame 2FA options
  • Priority tech support
  • LastPass for applications
  • Desktop fingerprint identification
  • 1 GB of encrypted file storage

You can find out more at the LastPass web site.


500 Million Yahoo Accounts Hacked

If you have a Yahoo account, you should immediately change your password. Yahoo has been hit with a hack that exposed 500+ million accounts. Yes, 500 million. What makes this worse is that the hack occurred back in 2014, but only now has this information been released to the public.

Information including names, addresses, secret answers and passwords was stolen from Yahoo at some point in late 2014 and showed up for sale on the dark web in August this year. Yahoo says the “vast majority” of passwords were secured using an algorithm called bcrypt, which makes it impractically expensive for an attacker to try to break them, but Yahoo has not given any way of checking which passwords were actually stolen. Until they do, you should assume your password is unprotected, and act quickly.

This means that even if you no longer use Yahoo but did back in 2014, you should log back in and change your password without delay.

You should also change the security information for any account that used the same passwords or security answers as your Yahoo account. This means if your Yahoo account used your mother’s maiden name, you are safest if you start using a different security question.

This advice doesn’t just apply to the people who had a Yahoo webmail account. A number of other popular services shared Yahoo logins, most notably BT Internet’s webmail service, and online photo storage service Flickr. Former users of other Yahoo properties including social bookmarking service Del.icio.us may also have Yahoo accounts without being aware.

Protecting Your Online Information Is Serious Business

As I have recommended many times, everyone should take their online security very seriously. Hacking and stealing our online information is, in many ways, the crime of the future, and the future is now. One of the best and easiest ways to protect yourself today is by using a password manager like LastPass. With a password manager you can enjoy some sense of online security by using a different encrypted password for each and every one of your online accounts.


69 Million Dropbox Accounts Hacked

It’s been a while since I posted a story about a security breach. Well, that streak is over.

Dropbox users who have not updated their passwords over the past four years should do so immediately because more than 68 million records from Dropbox accounts hacked in 2012 have now appeared online.

It was learned yesterday that the compromised Dropbox files showing up online included both user email addresses and hashed passwords. The information appears to have stemmed from a breach reported by Dropbox in 2012, the publication said.

This latest development indicates that the 2012 breach had the potential for far more fallout than Dropbox initially revealed to users.

Users who signed up for the service before mid-2012 and haven’t changed their passwords since then would receive a prompt to update them the next time they signed in, Patrick Heim, Dropbox’s head of trust and security, wrote in a blog post last week. Heim wrote that while there was no sign that users’ accounts had been improperly accessed, Dropbox’s security teams recommended such precautions based on threat monitoring related to old credentials that were hacked in 2012.

Patrick Heim also stated that Dropbox had already emailed “all users we believed were affected and completed a password reset for anyone who hadn’t updated their password since mid-2012.” That ensures that even if hackers could crack the compromised credentials, they would not be able to access users’ Dropbox accounts.

Dropbox Users – Change Your Password

If you have a Dropbox account, I would take the time to change your password regardless. If you use online services such as Dropbox, you should also delete old accounts that you no longer use, avoid reusing the same passwords on multiple sites, and be wary of third-party integrations that let users, for example, access games or other applications via a Facebook or Dropbox login.

Manage Your Passwords!

Also, as I have suggested many times in the past, invest in a password manager like LastPass. Your life will be much easier… and more secure.



The Case for Password Managers

Here is something that probably drives you crazy. Passwords. How many times do you have to reset your password? How much time do you lose trying to figure out just what your password is for a particular website? Do you panic when you hear about another security breach and have you ever feared that your personal information has been stolen?

We live in a digital world and there is nothing we can do about that. Passwords and security are simply going to keep getting more difficult for us to manage. I believe that the best way for you to safely and efficiently manage your online security is by investing your time (and sometimes a little cash) in a good password manager.

Using a password manager will address these problems that most of us face as we travel through the digital universe.

  1. Error messages galore – It’s annoying to type out a password, especially as password requirements get more complex. And many times, we type them in wrong. This is even more of a problem using the small keyboards on a smartphone or tablet. With a password manager, your password is automatically filled in for you when it detects the login screen, or you can easily tap the password for entry into a mobile app.
  2. The forgotten password lock-out – Enter that password one too many times, and boom – you’re locked out. Again. That’s the last thing you want to deal with when you’re logging in to pay your credit card on time or need to respond to an email quickly. Password managers never forget the stuff you’ve stored in them, and that stuff includes your passwords. Never get locked out again with a password manager.
  3. The reset (the aftermath of the lock-out) – Once you’ve finally admitted that you can’t remember your password, you have to go through the painful and usually time-consuming password reset process. Will the link to reset your password come through immediately? Or in a few hours? No one knows, and no one has time for that.
  4. Creating a tough as $%!t password – With the increased frequency of breaches, many sites are implementing stronger password requirements – 35 characters, 6 symbols, uppercase, lowercase – who can remember all that?! Thankfully, we have the technology of a password manager for that. Not only can it create that complicated password in one click, it remembers it without any work on your part.
  5. What’s your Wi-Fi, again? – You have friends over for game night and everyone wants to control the music from their own phone. But before they can do that, you get the age-old question, “What’s your Wi-Fi password?” And a 15-minute delay ensues as you try to track it down again. Ah! But with a password manager like LastPass, you’ll have it right where you want it. Simply store your Wi-Fi credentials in a Secure Note, and share that Note with your friends so you don’t ever have to dig up and spell out your Wi-Fi password again.
  6. Your billing address is not correct – You’re shopping online, just buying a new pair of shoes, but as soon as you enter your name, the browser populates your billing and shipping information with your office address. As much as you’d love to charge those new shoes to work, that won’t fly. With LastPass, you can create profiles for your credit cards so you don’t need to enter the information each time – LastPass just fills it in for you automatically.
  7. Post-breach password changes – The modern reality is that passwords are a hot commodity and hackers are going to keep trying to steal them. After each new breach, we as consumers run around changing this password or that one, which can be a hassle and quite time-consuming. But password managers like LastPass can help you figure out where you’ve reused the same password that was breached, and will even automatically change passwords for you, making it extremely easy to be extremely secure.
  8. Not having a password when you need it – It’s happened to everyone. You’re on the go – running errands, away for the weekend – and you get an email that your electric bill is due – today! Normally that’s not a problem, but the password for your electric company account is stored in your browser or on a sticky note next to your computer, which isn’t helpful now. With a password manager you have access to your passwords wherever you are, from any device. So paying your electric bill from a rest stop on the side of the highway is no big deal.

Take a look back at this list. How many of these frustrations have you dealt with just in the last month? Passwords aren’t going away; they’re actually becoming more of a pain, but they don’t have to be.

My favorite password manager is LastPass but there are others out there as well. You can learn about many of the best password managers by checking out this PC Magazine article.


Netflix & Amazon Urge Users to Change Their Passwords

Both Netflix and Amazon are warning some customers that their accounts may be at risk and are urging them to change their passwords. This appears to be the first major effect of the massive database breaches that have surfaced during the past month.

The emails, which have started to surface in more and more inboxes recently, warn the recipient that their credentials may have been found in a cache of passwords and emails that made their way online. Both Amazon and Netflix assure their customers that neither company was directly breached.

In both the cases of Netflix and Amazon, the services have created temporary passwords for users who have been caught in the leaks. The security step was taken because “many customers reuse their passwords on multiple websites,” according to the email delivered by Amazon.

The belief that users have reused passwords is probably a correct one. Many people still use the same password across many accounts, which is a major problem and why Amazon and Netflix are moving forward with their urging of their customers to change their passwords.

These precautions taken by Netflix and Amazon follow several weeks of an unprecedented number of usernames and passwords stolen from major sites and services.

Recent History of Large Services Hacked

A total of 167 million accounts from LinkedIn, the result of a 2012 breach, surfaced in May after appearing available for sale on a dark net marketplace. Just weeks later, 427 million credentials from MySpace appeared online, the result of an apparently unreported breach of the social network’s databases. Sixty-five million Tumblr accounts that were stolen in 2013 were acquired at the end of May. In June, 32 million credentials from Twitter users were put up for sale on the dark web, though Twitter denies it was ever the victim of a hack.

Screenshot of Netflix’s Password Change Notification

Change Your Passwords

Even if you don’t get an email from Netflix or Amazon—or any other company taking extra steps to protect their customers—suggesting a password change, now is the perfect opportunity to do it.

First, you can check to see if your account appears in any of the recent breaches by using the free tools offered by LeakedSource, an online database of stolen credentials, or Have I Been Pwned, a collection of compromised usernames and passwords maintained by security expert Troy Hunt. Regardless of whether you appear on either list, it never hurts to refresh your current protection.

When filling out the password form, make sure to use a unique combination that isn’t in use for any other account belonging to you; a breach of one service can create a domino effect and compromise you later.

Make sure to use a combination of words, numbers, symbols, and upper and lowercase letters. Try to avoid anything easily guessable—anything on the list of most common passwords is a nonstarter—and keep away from publicly available personal information like your birthday.

Use a Password Manager

I have suggested this countless times here, on this fine technology blog, as well as to my workmates, friends and family. Invest in a password manager like “LastPass”. Password managers can take a daunting job (like having strong, encrypted and unique passwords) and make it very easy. Those of us using a password manager have very little to fear from security hacks like the ones mentioned here.

Consider Two-Factor Authentication

Consider using “two-factor authentication” for your important online accounts, especially financial accounts. These are becoming easier to use. The one I recommend is Google Authenticator. You can learn more here.


45 Million Records Exposed in Latest Hack

Just one day after training our staff about the need to take our online security seriously and how critical password managers are, we were presented with yet another news story of millions of hacked online accounts.

So what happened this time?

A hacker reportedly breached Toronto-based firm VerticalScope’s systems and stole 45 million records from its network of more than 1,100 websites and forums. The attack was reportedly carried out this past February.

This five-month delay is another problem with these hacks. All of these months passed by while none of the victims were notified.

1k websites suffer data breaches thanks to VerticalScope hack

This is what a “hack” looks like as the software attempts to decrypt passwords.

The company operates many large properties for automotive, sports, outdoor, health and hobby enthusiasts, including AutoGuide.com, Motorcycle.com, Boat.com, TennisUniverse.com, PetGuide.com and Mothering.com.

It isn’t clear who was behind the attack, and to date VerticalScope hasn’t made a public statement about the breach.

LeakedSource, which indexes hacked credentials from data breaches, obtained a copy of the database and says that it also found IP addresses in the records.

It also noted that ‘less than 10% of the domains which account for a very small amount of leaked records used difficult to break encryption (less than a couple million).’ More than 40 million other passwords were secured using MD5 with salting, which is easy enough to crack.

There was something strange about the passwords that came up most frequently in this database.

Unlike the recent Twitter user hack, in which LeakedSource found the most common passwords to be ‘123456’, followed by ‘123456789’, ‘qwerty’ and ‘password’, a number of seemingly random strings made the top 10 list this time, including ’18atcskd2w’ at the no. 2 spot and ‘3rjs1la7qe’ at no. 4.

Troy Hunt, the creator of data breach tracker Have I Been Pwned?, said that, “This could be due to data inconsistencies in the source, issues with how the hacker exported them or tampering by someone else who’s handled it downstream of them.”

Akash Mahajan, Director at Web app security firm AppSecco, noted that this anomaly could also point to site-wide mandates enforced by administrators when trying to secure the database, or reset passwords for a number of users.

If you have an account on any of the forums run by VerticalScope, you’ll certainly want to change your password immediately.


Zuckerberg’s Password Security Reminder

Here is a news story that again places password security front and center. Facebook founder Mark Zuckerberg has reportedly had his social media accounts hacked by a Saudi-based group that discovered his password. What was Zuckerberg’s social media password? It was ‘dadada’. Not very secure and very easy for a cyber criminal to discover.

If the founder of Facebook can get hacked – so can you.


Here are 7 things you can do to stay safe.

First – Invest in a Password Manager!

I have written countless times about the benefits of using a password manager like LastPass to manage your online security. All of the tips noted below are made so much easier through a password manager. I cannot recommend LastPass enough.

Pick a Good Password

The more complicated and lengthy a password is, the harder it will be for hackers to guess.

Don’t include your kids’ names, birthdays or references to any other personal details. Hackers routinely troll Facebook and Twitter for clues to passwords like these. Obvious and default passwords such as “Password123” are also bad, as are words commonly found in dictionaries, as these are used in programs hackers have to automate guesses.

Long and random combinations of letters, numbers and other characters work best.

Don’t Reuse Passwords

Avoid using the same password for multiple sites, so that a breach of your school’s PTA site wouldn’t lead hackers to your online banking account.

You can make things easier on yourself by using a password-manager service such as LastPass or Dashlane. They remember complex passwords for you — but you have to trust them. Last June, LastPass disclosed “suspicious activity” and told users to change their master passwords.

Some web browsers such as Apple’s Safari and Google’s Chrome also have built-in password managers. They work if you switch devices but not if you switch browsers.

New Toothbrush? New Password!

It’s important to change your password regularly, just as good physical hygiene calls for replacing your toothbrush every few months.

And don’t be tempted to recycle an old one. The longer a password sits around, the more likely it is to fall into the wrong hands.

And if a company announces that it’s been hacked, change your password right away, even if it says your information wasn’t compromised. Breaches are often worse than they first appear. LinkedIn recently disclosed that a 2012 breach affected 117 million accounts — not the 6.5 million previously thought.

Make It Harder

Multi-factor identification — which asks users to enter a second form of identification, such as a code texted to their phone — will provide additional protections at services that offer it.

Even if hackers manage to get your password to, say, Facebook, they still need your phone with the texted code. It’s not as much of a pain as it seems, as services typically ask for this second code only when logging on from a new device or browser.

Take Out the Trash

Delete or deactivate accounts you no longer use. Got a spam-filled Juno or AOL email account lying dormant? Maybe it’s time to say goodbye.

Just last week, Myspace said a hacker has put up for sale login information for some accounts created before June 11, 2013.

If, like most people, you’ve moved on to greener social media pastures, permanently get rid of the ones you no longer use. This often can be done through your account settings — as long as you still have your password to sign in.

Social Media

And while we’re on the subject of social media, make sure you restrict posts to just your actual friends. You can adjust that in the settings.

Some companies try to help their users with this. Facebook, for example, occasionally prompts its users to review who can see their personal information and how strong their security settings are.

Nonetheless, assume that everyone everywhere can see what you’re posting. Personal tidbits can not only help hackers crack easy passwords, they also can be used to answer supposedly personal questions to reset passwords.

You can learn more about LastPass by checking out some of my recent articles about the service here.



117 Million LinkedIn Hacked Passwords Up for Sale

LinkedIn was hacked four years ago, and more problems from it have surfaced this week. New reports say that the 117 million user emails and passwords stolen four years ago are now being offered for sale.

The June 2012 LinkedIn hack was originally believed to have involved 6.5 million passwords. However, a report yesterday by Motherboard said a dark Web marketplace and another site, LeakedSource, had both obtained data from 167 million hacked LinkedIn accounts, which would mean that far more email addresses were stolen than originally reported. Of those, 117 million included emails and passwords; the remaining accounts are believed to belong to users who logged into the site via Facebook.

This is Not a New Security Breach

Wednesday’s report on Motherboard said the publication had learned from a hacker using the name “Peace” that emails and passwords from 117 million LinkedIn users were among the 167 million accounts held in a hacked database posted for sale on The Real Deal, a dark Web marketplace. Peace was seeking five bitcoins — about $2,250 at today’s exchange rate — for the data.

The publication reported that the database of LinkedIn account information was also in the hands of LeakedSource, a paid-subscriber site that allows people to look up whether their online username or password data has been found to be publicly available on the Web.

LinkedIn responded to Motherboard’s report in a blog post on Wednesday by Chief Information Security Officer Cory Scott.

“We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords,” Scott wrote. “We have no indication that this is as a result of a new security breach.”

LinkedIn Looking for Suspicious Activity

While the LinkedIn passwords hacked in 2012 were protected using the SHA-1 hash algorithm, they were not “salted”: salting adds random data to each password before it is hashed, which provides further protection. Without that added protection, passwords and other hacked data are easier to crack.

According to Motherboard, a person at LeakedSource said site personnel had been able to break into around 90 percent of the hacked LinkedIn passwords within three days.

A post published Tuesday on LeakedSource said LinkedIn users who found their information on the site could ask for that information to be removed from its database at no cost. The site also posted a list of the top passwords it had identified in the hacked data, indicating that many hundreds of thousands of users had chosen easily broken passwords such as “123456,” “linkedin” and “password.”
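To make concrete why the unsalted SHA-1 hashes described above were broken so quickly, and why the salted-but-fast MD5 in the VerticalScope story was only a little better, here is an added Python example that is not from any of the posts, companies or sites mentioned. It uses only the standard library; the sample accounts are constructed, and PBKDF2 stands in for bcrypt as the slow salted hash.

```python
import hashlib
import hmac
import os
import time
from collections import Counter

# Constructed sample accounts for the demonstration; not data from any real breach.
SAMPLE_USERS = {
    "alice@example.com": "123456",
    "bob@example.com": "linkedin",
    "carol@example.com": "123456",
    "dave@example.com": "correct horse battery staple",
}


def unsalted_sha1(password: str) -> str:
    """The scheme described for the 2012 LinkedIn data: one SHA-1 over the
    raw password and nothing else. Same password -> same hash, for every user."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_md5(password: str, salt: bytes) -> str:
    """Salted but fast, as described for most of the VerticalScope records.
    The salt stops identical passwords from clustering, but MD5 is so cheap
    that each record can still be guessed at very quickly."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted and deliberately slow. PBKDF2-HMAC-SHA256 from the standard
    library stands in here for bcrypt (the algorithm Yahoo cited); both make
    every guess cost the attacker real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def shared_hash_groups(users: dict, hash_fn) -> dict:
    """Return {hash: number_of_accounts} for every hash held by more than one
    account. With an unsalted scheme the biggest groups are the most common
    passwords, which is how a 'top passwords' list can be read straight off a
    leaked table before a single hash has been cracked."""
    counts = Counter(hash_fn(pw) for pw in users.values())
    return {h: n for h, n in counts.items() if n > 1}


def per_user_salted_groups(users: dict) -> dict:
    """The same check when every account gets its own random salt: even the
    two accounts sharing '123456' no longer share a hash."""
    return shared_hash_groups(users, lambda pw: salted_md5(pw, os.urandom(16)))


def make_record(password: str) -> dict:
    """How a site should store a password: fresh random salt per account, slow hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": slow_salted_hash(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], slow_salted_hash(candidate, salt))


def cost_ratio(trials: int = 5) -> float:
    """Rough wall-clock ratio of one slow salted hash to one salted MD5.
    The number is machine-dependent, but it is always far above 1, which is
    the whole point of a slow hash."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(trials):
        salted_md5("123456", salt)
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(trials):
        slow_salted_hash("123456", salt)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    print("unsalted SHA-1 groups:", shared_hash_groups(SAMPLE_USERS, unsalted_sha1))
    print("per-user salt groups: ", per_user_salted_groups(SAMPLE_USERS))
    rec = make_record("correct horse battery staple")
    print("verify correct:", verify(rec, "correct horse battery staple"))
    print("verify wrong:  ", verify(rec, "123456"))
    print("slow/fast cost ratio: %.0fx" % cost_ratio())
```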

In Wednesday’s blog post, Scott noted that LinkedIn has “for several years” both hashed and salted all its user passwords. He added the site also encourages members to use other available LinkedIn tools such as email challenges and dual-factor authentication.

A blog update posted later in the day said that LinkedIn was using automated tools to look for and block any suspicious activity on affected accounts. It added, “We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply.”

Protect Your Passwords

This is another story that demonstrates that you cannot trust others with your security. Your passwords should be complex and encrypted. This is easily achievable by using password managers such as LastPass. Also, when possible, use two-factor authentication.


Latest Password Scare Affects 272 Million Users

We use them every day, and they’re crucially important. However, we are often lazy and careless about them. That’s right, I am talking about passwords. The importance of keeping passwords secure is once again in the news after word emerged last week of a data breach that put more than 272 million passwords and account credentials at risk.

Milwaukee-based cybersecurity firm Hold Security reported that a Russian hacker had offered a tranche of 1.17 billion credentials for about $1, because the cybercriminal was more interested in the notoriety that the theft of the cache would bring in the hacker community. The passwords and usernames belonged to accounts from Russia’s largest e-mail provider, Mail.Ru, as well as to Gmail, Yahoo Mail and Microsoft Hotmail.

Passwords for Sale

Of course, only about 272 million of the credentials were unique. In addition, none of the passwords were encrypted. It was determined that the credentials were probably gathered from older data breaches and were meant to be sold cheaply to lower-level hackers and spammers.

Do NOT Reuse Your Passwords

Even though the hack did not turn out to be as disastrous as it could have been, this is a good excuse to preach the importance of carefully managing your passwords.

One key step is to avoid reusing the same password between services, such as using the same password to access a bank account that’s used for an e-mail service.

If you avoid reusing passwords, you can quickly identify which service provided the password and [whether] there is any risk to your other accounts.

Hackers often use stolen e-mail information to get users to give them information such as birthdates, credit card numbers as well as bank account numbers. In 2014, cybercriminals stole $16 billion from nearly 13 million consumers.

Change Your Passwords Often

Passwords should be changed regularly, perhaps even once a month, according to security experts. Also you should not use the names of your children or pets as passwords, since that type of information can be easily found on Facebook and other online outlets.

Two-Factor Authentication

In addition to changing your passwords frequently you should take advantage of two-factor authentication, which requires a user to input a separate verification code from a device separate from the one where the password was entered.

Employing unusual combinations of letters, numbers and characters can also be a good way to create a password that’s harder to crack. And mixing languages or even running together song lyrics can deter hacking programs.

Password Managers

I have recommended password managers for years now, and my favorite of these is LastPass. With a password manager such as LastPass you can create encrypted passwords easily and never need to worry about remembering all those passwords.

Password security is no less important, and perhaps more so, than locking your home when you are gone or not leaving your wallet or purse unattended in a public place.

You can read some of my previous posts about LastPass here.

