Guest post by Dean Wiech, managing director, Tools4ever.
Once again, the media is abuzz with a massive theft – 1.2 billion email addresses and passwords – by a hacking group supposedly based out of Russia. In a case like this, it does not matter how secure your password is – lots of characters, numbers, upper and lower case, etc. — because the hackers accessed the providers and pulled the information. This type of attack is very different from someone breaking into your computer or smart device and stealing the confidential information stored there, where a thief might be able to directly access all your accounts. In this case, they “might” be able to access your email account, and then again, they might not.
There are a couple of interesting items left out of all the various stories. First, were the passwords encrypted? It seems that any self-respecting firm that requires strong passwords in conjunction with a user name would do something as simple as apply an encryption algorithm and not store them in plain text. If they were encrypted, were they stored using an irreversible hash with a leading-edge algorithm? Many techniques, such as hashing, salting and obfuscation, are readily available to ensure that stored credentials cannot be easily broken, if at all.
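To make the difference concrete, here is an added example (not code from the original post or from Tools4ever) contrasting plaintext storage with a salted, irreversible hash. The PBKDF2 work factor, the `salt$hash` record layout and the sample user table are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; raise as hardware gets faster


def store_plaintext(password: str) -> str:
    """The scheme the post fears: the stored value IS the password."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256), stored as 'salt$hash'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt; constant-time compare."""
    salt_hex, digest_hex = record.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leaked_table_reveals_shared_passwords(records: dict) -> bool:
    """With plaintext (or unsalted) storage, equal passwords give equal records,
    so a thief can spot reused passwords just by comparing the dump."""
    values = list(records.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    plain = {"alice": store_plaintext("Winter2014"), "bob": store_plaintext("Winter2014")}
    hashed = {u: hash_password("Winter2014") for u in ("alice", "bob")}
    print("plaintext dump exposes reuse:", leaked_table_reveals_shared_passwords(plain))
    print("salted-hash dump exposes reuse:", leaked_table_reveals_shared_passwords(hashed))
    print("login works:", verify_password("Winter2014", hashed["alice"]))
    print("stolen record used as password:", verify_password(hashed["alice"], hashed["alice"]))
```

The last line shows why an irreversible hash blunts the breach: the stolen record itself is useless at the login form, while a plaintext record is the credential.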
The other thing that has not been explicitly mentioned is what sites were hacked. We hear that upwards of 500,000 websites could have been hacked, but no one is coming forward to name any specific sites. Were Facebook, Gmail, Hotmail or other major sites compromised? If so, why are they not sending out notifications to change passwords in a similar fashion to what eBay did back in May when they were attacked?
Let’s assume, for a moment, the providers figured no one could ever hack into their systems so the passwords were stored in plain text along with the email addresses. How can we protect ourselves from these diabolical hackers? The answer is quite easy – change your passwords on all of your accounts and do it on a regular basis. If all 1.2 billion users that had their information stolen did this tomorrow, the hacked information would become useless overnight.
Let’s assume for a moment that the passwords were encrypted and everybody changes their password today. What do the hackers have now? Email addresses – and lots of them – to attempt to run phishing scams or simply push spam, too. Either way could be a lucrative endeavor with that many addresses.
While there are many methods to improve security on user and customer accounts – such as two-factor authentication or pass phrases that need to be entered in addition to a password – they all rely on the website owner to require more than just a password on the front end. Likewise, encrypting data on the back end is something the website owner must do. The consumer, in this case, can do nothing more to protect themselves than reactively change their password.
Also of interest in this case is a recent Forbes column noting that the story, predictably, caused panic as it went viral. At this point in time, no other organization has been able to verify the theft besides the security firm that initially reported the breach, Hold Security. They are currently offering consumers an Identity Protection service, at a cost, to determine if their credentials were in fact stolen. Besides sending them money, you also need to provide your user email and password, albeit encrypted.
Could this be a case of a company creating a media hype just for their financial gain? No one knows for certain. For me, I will be busy the rest of the day changing my password on every site that I can remember registering on.