Guest post by Dean Wiech, managing director, Tools4ever.
Once again, the media is abuzz with a massive theft – 1.2 billion email addresses and passwords – by a hacking group supposedly based out of Russia. In a case like this, it does not matter how secure your password is – lots of characters, numbers, upper and lower case, etc. – because the hackers accessed the providers and pulled the information. This type of attack is very different from someone breaking into your computer or smart device and stealing the confidential information from there, where a thief might be able to directly access all your accounts. In this case, they “might” be able to access your email account, and then again, they might not.
There are a couple of interesting items left out of all the various stories. First, were the passwords encrypted? It seems that any self-respecting firm that requires strong passwords in conjunction with a user name would do something as simple as apply an encryption algorithm rather than store them in plain text. If they were encrypted, were they stored using an irreversible hash with a leading-edge algorithm? Many techniques – hashing, salting and obfuscation – are readily available to ensure stored passwords cannot be easily broken, if at all.
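As an added illustration of the storage practice this paragraph contrasts with plain text (example code written for this page, not from the original post or from Tools4ever), the snippet below stores a password as a salted, slow, one-way hash and shows why a record copied from such a store is far less useful to a thief than a plain-text one. The PBKDF2 parameters, record layout and sample passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for the illustration (not from the post).
PBKDF2_ITERATIONS = 200_000  # deliberately slow, so offline guessing is expensive
SALT_BYTES = 16              # one random salt per user, stored beside the hash


def store_plaintext(password: str) -> dict:
    """The practice the post warns against: the stored record *is* the password."""
    return {"scheme": "plain", "secret": password}


def store_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """Per-user random salt plus a slow, one-way derivation (PBKDF2-HMAC-SHA256).

    Nothing in the returned record lets the password be read back out."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt.hex(),
            "iters": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt by re-deriving and comparing in constant time."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"], attempt)
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaked_record_reveals_password(record: dict) -> bool:
    """A breach copies records wholesale; only the plain scheme hands over the password."""
    return record["scheme"] == "plain"


def shared_password_gives_identical_records(password: str) -> bool:
    """With a per-user salt, two users who chose the same password get different
    stored values, so one broken record does not unlock the other account."""
    return store_hashed(password)["hash"] == store_hashed(password)["hash"]


if __name__ == "__main__":
    rec = store_hashed("correct horse battery staple")      # constructed sample password
    print(rec)                                              # salt + hash, no password
    print(verify(rec, "correct horse battery staple"))      # True
    print(verify(rec, "wrong guess"))                       # False
    print(shared_password_gives_identical_records("hunter2"))  # False
```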
The other thing that has not been explicitly mentioned is which sites were hacked. We hear that upwards of 500,000 websites could have been hacked, but no one is coming forward to name any specific sites. Were Facebook, Gmail, Hotmail or other major sites compromised? If so, why are they not sending out notifications to change passwords, in similar fashion to what eBay did back in May when it was attacked?
Let’s assume, for a moment, the providers figured no one could ever hack into their systems so the passwords were stored in plain text along with the email addresses. How can we protect ourselves from these diabolical hackers? The answer is quite easy – change your passwords on all of your accounts and do it on a regular basis. If all 1.2 billion users that had their information stolen did this tomorrow, the hacked information would become useless overnight.