Have you heard about the wave of recent automatic password resets announced by tech companies and services like Facebook, Twitter, Tumblr, LinkedIn, Netflix, MySpace, LogMeIn, GitHub, and GoToMyPC? In the last two months alone, some reports estimate that nearly 650 million passwords became publicly available, with most of them being sold on the hacker black market.
What’s really interesting about all of these announcements is that many of them stem from data breaches that occurred years ago. LinkedIn’s original breach happened in 2012, but it’s still having ramifications: Citrix announced that a password re-use attack related to the LinkedIn breach occurred in June and resulted in critical data being exfiltrated from at least 30 organizations. The MySpace hack occurred sometime between 2007 and 2012, while the Tumblr breach took place in 2013.
You might think this would all have little effect on Internet security today. But since so many users employ the same login and password combination on multiple sites, hackers simply try the leaked credentials against other services to log in and steal data. And once a cybercriminal gains access to your social media, email, or financial accounts, chaos can reign in the form of social engineering and phishing attempts.
That’s why so many sites and services are requiring users to update their credentials. But talk about a bad way to start the day — imagine showing up to work and not being able to log in to critical functions, then losing time resetting passwords on one, two, five, or ten sites.
Luckily, any service worth its salt is being proactive: sending emails to users to notify them of the issues, getting ahead of the problem by automatically disabling old passwords, and scanning their systems for situations where personal data could be at risk.
But what can you do to keep your information safe?
1) First off, never use the same password across different online services, applications, and websites.
This makes it way too easy for hackers to disrupt the Internet and wreak the kind of havoc that has ensued this month.
2) Create new, strong, unique passwords that are different for each account.
We recommend passwords that consist of at least 10 different characters: lower-case and upper-case letters, numbers, and special characters. For instance, “P@ssword#33!” instead of “password33.”
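As an added example (not code from the original post), here is a small Python check for the password rule above, plus a generator that produces a compliant random password of the kind a password manager would create for you. It assumes “at least 10 different characters” means a minimum length of 10 with all four character classes present, and the special-character set is our own choice.

```python
import secrets
import string

# Policy as stated in the post: at least 10 characters, drawing on lower-case
# and upper-case letters, digits, and special characters (all four present).
MIN_LENGTH = 10
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed set of allowed specials
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": SPECIALS,
}


def policy_failures(password: str) -> list[str]:
    """Return the rules a password violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, alphabet in CLASSES.items():
        if not any(ch in alphabet for ch in password):
            failures.append(f"no {name} character")
    return failures


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies the policy.

    Uses the secrets module (a CSPRNG, not random.choice). One character is
    drawn from each class so every class is guaranteed, the remainder comes
    from the union of all classes, and the result is shuffled with
    secrets.randbelow so the guaranteed characters do not sit at fixed spots.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    chars = [secrets.choice(a) for a in CLASSES.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("password33", "P@ssword#33!", generate_password()):
        print(pw, policy_failures(pw) or "OK")
```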
3) Don’t even try to remember all of those individual passwords.
Consumer-grade password managers like LastPass and Dashlane work well, and the business-grade password management market is growing for those companies that require stricter access limits and a more robust suite of security solutions. If you’re unsure about using a password manager, try to tally up how much time you spend in one week resetting (and then trying to remember) passwords. It’s not worth it, believe us.
4) Always stay vigilant against phishing attempts.
We’ve said it a hundred times before but we’ll continue to repeat it: never open any attachment you’re not expecting from a specific user, and never click any suspicious link in an email, especially if the message looks different than those you’ve received from that contact in the past.
5) If it’s available, enable two-factor authentication on your online services and applications.
This means entering your password plus a one-time code that’s texted or emailed to you. It adds another step to the process, but so far it’s the most foolproof way to prevent login hacks that can otherwise prove devastating.
There’s no avoiding the fact that online hacks, data breaches, and password resets are an unfortunate way of life. But with a smart security strategy and a strong IT provider in your corner, you can keep your critical business information and personal data safe. Unsure about whether your passwords need to be reset or worried that your accounts have been hacked? Contact CMIT Solutions today.