On December 4th, news reports emerged about nearly two million passwords for Facebook, Gmail, Yahoo, Twitter, LinkedIn, and other popular web services being stolen over the last few months. CNN Money reported that the passwords weren’t actually leaked by those services, however; instead, they were harvested from individual computers infected with keylogging malware.
Once a user entered his or her username and password, those credentials were then sent to proxy servers controlled by hackers. John Miller, security research manager at Trustwave, told ABC News that the hackers were most likely motivated by profit. “These passwords were never publicly posted,” he said. “We can’t say for sure, but [the hackers] were probably going to sell them.”
SpiderLabs, a research arm of security firm Trustwave, discovered the stolen credentials while doing a routine Internet botnet sweep in November. But NBC News reported that the majority of the passwords were of the garden variety, with “123456” topping the list and “123456789” coming in second, while over half of the stolen passwords used a single character type, such as all numbers or all upper-case letters.
What can you do to keep your personal and business accounts safe from password hackers? CMIT Solutions recommends the five tips below.
1) Change your passwords! Use the same password for multiple websites and services? You’re precisely the user that cybercriminals like those described above love to target, because one stolen password opens every account it was reused on. Give every account its own strong password of at least eight characters that mixes upper- and lower-case letters, numbers, and symbols. Be aware that “P@ssw0rd#33” is only marginally better than “password33”: swapping @ for a and 0 for o is exactly the substitution that password-cracking tools try first, so a longer, randomly generated password (see tip 4) is the safer choice.
2) Always take advantage of two-factor authentication. Facebook has highlighted its two-factor authentication tool, which requires a one-time code from your mobile device in addition to your password, so a password captured by a keylogger is not enough on its own to log in. Twitter, Yahoo, Google, and other major services also offer this option, so make sure to explore it in your account settings.
3) Ensure that anti-virus software and security patches are up to date. This task is probably best left to your IT professional. Don’t have one? That’s where proactive maintenance and monitoring services like CMIT Marathon come in. Marathon’s built-in anti-virus software can stop malware like the keylogger that harvested these two million passwords in its tracks.
4) Employ a password management tool such as LastPass or Dashlane. Both services support two-factor authentication; encrypt password data both in storage and in transit; auto-fill login forms; and generate strong, random passwords, which removes the temptation to reuse one. Want an “easy” button for password management? These tools provide it, in particular for businesses subject to industry regulations like HIPAA, FINRA, and PCI.
5) Check other personal and business accounts to ensure they weren’t hacked. Facebook, Yahoo, Google, Twitter, and other services listed in Trustwave’s report leaped into action once the news broke, resetting passwords and urging users to turn on two-factor authentication. But since the theft didn’t technically occur on their watch, they aren’t required to notify you. If any site has required you to reset a password recently, assume that password is known to the attackers: change it on every other account where you used the same one, and review those accounts for sign-in activity you don’t recognize.
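As an added illustration of tips 1 and 4 (this is example code written for this page, not code from CMIT Solutions, Trustwave, or any password manager), the following Python audits a password against the article’s baseline of eight characters and more than one character type, shows why “P@ssw0rd#33” still falls to a cracker’s first guesses, and generates a random password from the operating system’s CSPRNG the way a password manager would. The symbol set and the short list of common base words are constructed for the example; real cracking wordlists run to millions of entries.

```python
import secrets
import string

# Character classes used both to audit a password and to generate one.
# The symbol set is an assumption; sites differ in which symbols they accept.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set("!@#$%^&*()-_=+[]{};:,.<>?"),
}

# Constructed sample of common base words, standing in for the wordlists
# that password-cracking tools actually use.
COMMON_BASES = {"password", "123456", "123456789", "qwerty", "letmein", "iloveyou"}

# Substitutions crackers undo before a dictionary lookup (@->a, 0->o, $->s, !->i).
LEET = str.maketrans("@0$!", "aosi")


def character_classes(password):
    """Return the set of class names present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def audit(password, min_length=8):
    """List the ways a password falls short of the article's baseline:
    at least eight characters and more than one character type."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if len(character_classes(password)) <= 1:
        problems.append("uses a single character type")
    return problems


def is_predictable(password):
    """True if the password is a common base word, or becomes one once the
    usual substitutions are undone and trailing digits/symbols are stripped."""
    lowered = password.lower()
    core = lowered.translate(LEET).rstrip(string.digits + string.punctuation)
    return lowered in COMMON_BASES or core in COMMON_BASES


def generate(length=16):
    """Generate a password from the OS CSPRNG (secrets, never the random
    module) and retry until every character class is present."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    alphabet = "".join(sorted(set().union(*CLASSES.values())))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if character_classes(candidate) == set(CLASSES):
            return candidate


if __name__ == "__main__":
    for pw in ["123456", "123456789", "password33", "P@ssw0rd#33", generate()]:
        verdict = "predictable" if is_predictable(pw) else "not in list"
        print("%-20s %-45s %s" % (pw, audit(pw) or "meets baseline", verdict))
```

The point of `is_predictable` is that “P@ssw0rd#33” passes every rule in `audit` and is still a one-step guess; only the random output of `generate` escapes both checks.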
Concerned about keeping your personal information and business data safe? Worried that password management represents only one small slice of your technological health? Call or email CMIT Solutions today — we take your online security seriously!