How many times has your password been shared with hackers?
Dean Carlton MAICD, MIC (CMI) - Transformation Partner
Digital Transformation Advisor, Fractional & Interim Management Specialist, Program Director, Committee Chair, Director, Radio Presenter & Producer
Recent massive release of personal information may affect YOU
In January 2019, 2.7 billion records containing 800 million email addresses and 21 million unique passwords were published online – affecting millions of Australians. Dubbed ‘Collection #1’, this massive hoard of personal security information represents less than 10% of the compilation available to hackers for just USD45. Thousands of data breaches have been amalgamated, including the likes of:
- Sony
- Domino’s
- Yahoo!
- Ashley Madison
Most Australians are oblivious to the danger that these leaks pose to them, ranging from financial exposure to, for ‘Adult’ website users, even blackmail by so-called ‘sextortionists’.
Using a few simple and free tools, Australians can check whether they are affected and act to secure their accounts as well as protect themselves in the future… read on to find out how.
Four Simple Steps to Protect Against Hackers That Do Not Cost Anything!
You can check your current exposure to hackers, secure your accounts and protect yourself, your family and your business at no cost – can you think of any good reasons not to take immediate action to do so?! Just follow these four simple steps:
- Check whether your details have been compromised
- Get yourself a password manager
- Protect yourself against phishing
- Protect yourself against viruses, spyware and other malware (malicious software) such as worms and Trojan horses
Each of these steps is broken down and explained further below.
1. Check whether your details have been compromised
This single breach, called ‘Collection #1', is being sold to hackers in the form of lists that can be used for credential stuffing – a process where a computer repeatedly injects the breached username/password pairs into the login forms of many different websites in order to fraudulently gain access to any account where the same password was reused. Also available are ‘Collection #2' to ‘Collection #5'. These are still being investigated…
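Credential stuffing leaves a recognisable footprint on the defender's side: one source address trying a password against many different usernames in a short time. The following is an added example, not code from the article, showing the kind of check a website operator could run over their own login logs. The log format, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication log lines (not real data).
# One address cycles through many usernames; one ordinary user mistypes twice.
SAMPLE_LOG = """\
2019-01-17T09:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-01-17T09:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-01-17T09:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-01-17T09:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2019-01-17T09:00:04Z ip=203.0.113.5 user=erin result=FAIL
2019-01-17T09:00:05Z ip=203.0.113.5 user=frank result=FAIL
2019-01-17T09:01:10Z ip=198.51.100.7 user=grace result=FAIL
2019-01-17T09:01:25Z ip=198.51.100.7 user=grace result=FAIL
2019-01-17T09:01:40Z ip=198.51.100.7 user=grace result=SUCCESS
2019-01-17T12:30:00Z ip=203.0.113.5 user=heidi result=FAIL
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_stuffing(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that attempt >= min_distinct_users different usernames
    within any sliding time window. A normal user failing a few times against
    their own account never reaches the threshold; a stuffing run does.
    Returns {ip: {"distinct_users", "window_start", "successful_logins"}}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            window_recs = recs[start:end + 1]
            users = {r["user"] for r in window_recs}
            if len(users) >= min_distinct_users:
                # successes inside a flagged window are the accounts to reset first
                hits = sorted(r["user"] for r in window_recs if r["result"] == "SUCCESS")
                prev = alerts.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[ip] = {
                        "distinct_users": len(users),
                        "window_start": recs[start]["ts"],
                        "successful_logins": hits,
                    }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} usernames from {info['window_start']}, "
              f"successful logins: {info['successful_logins'] or 'none'}")
```

Run as-is, the check flags only 203.0.113.5 and lists `dave` as the account that accepted a stuffed credential; the two failures from 198.51.100.7 against a single account stay below the threshold.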
In order to determine whether your personal details have been breached, I recommend making use of a free service provided by a cool Australian guy named Troy Hunt – who I am sure would not mind me referring to him as somewhat of a geek in this area! In fact, it was the work that Troy has done in publishing details of ‘Collection #1' that inspired me to share details of his services in this briefing.
Check your Email Addresses at the HIBP* site
Website: https://haveibeenpwned.com/
I have personally been using this website for years and trust it – and its creator, Troy.
- Visit the above website address.
- Type in your email address and press the ‘pwned?' button.
- If that email address has been compromised, you will be told so (by the message: ‘Oh no — pwned!').
- Below this message, you will be told how many websites your details have been compromised on – and, more importantly, be given a list of those websites.
- If you are still using a compromised password on that website – or any other website – you need to change it as soon as you can.
- If your email address does not match any breach recorded – you are one of the lucky ones!
- Repeat the above steps for any other email address that you want to check. You can do this as often as you like.
Please note – whilst the HIBP database contains a huge volume of breached records, it does not claim to have everything that has ever been breached. So the rest of this article still applies to you if you wish to remain safe!
Businesses that have access to software developers can use APIs that Troy has published to perform bulk checking. See the website for further details.
* HIBP stands for ‘Have I Been Pwned?' – where Pwned (often pronounced as ‘Owned' or ‘Poned') is an internet slang term (‘leetspeak'), which means to conquer or gain ownership – dominating and humiliating a rival, or successfully gaining control/hacking a computer (I said Troy was a geek!).
Check your Passwords at the HIBP site
Website: https://haveibeenpwned.com/Passwords
This step may seem counter-intuitive – and very dodgy!
Troy explains how it is safe on his website (basically, the complete list of compromised passwords is stored anonymously, that is not connected to any individual in any way).
I can tell you that I have used this service personally. However, like the advice I give elsewhere in this article, you should do your own homework, check out Troy's (impressive) credentials, his explanations of why this is safe, and make your own judgement.
If you are in the slightest bit uncomfortable – that is a good thing! Just skip this step (you already know which websites you were compromised on), but please be sure that you heed the rest of the advice in this article regarding your passwords and online safety.
- Visit the above website address.
- Type in your password and press the ‘pwned?' button.
- If that password has been compromised anywhere, for anybody at all, you will be told so (by the message: ‘Oh no — pwned!').
- Below this message, you will be told how many times that password has been seen (compromised) before. No list of websites is provided this time – this is for security purposes.
- If you are still using the compromised password on any website – you need to change it as soon as you can.
- Repeat the above steps for any other passwords that you want to check. You can do this as often as you like.
Businesses that have access to software developers can use the ‘Pwned Passwords list' that Troy has published to perform bulk checking. See the website for further details.
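The reason the password check is safe, as mentioned above, is that neither the password nor its full hash ever leaves your machine: the client hashes the password locally and sends only the first five characters of the hash, the service answers with every suffix it knows under that prefix, and the match happens on the client. The following is an added example, not code from the article or from HIBP, that simulates both sides of that exchange offline so the data flow can be inspected; it also shows a manager-style generated password (step 2 of the article) coming back clean. The breached-password corpus and its counts are constructed; the real service's corpus is vastly larger. The endpoint URL is the real Pwned Passwords range API, included only as a comment and never called here.

```python
import hashlib
import secrets
import string

# Constructed stand-in for the breached-password corpus held by the service.
# These passwords and counts are made up for illustration.
LEAKED_PASSWORD_COUNTS = {
    "password": 3_500_000,
    "123456": 23_000_000,
    "qwerty": 3_900_000,
    "letmein": 250_000,
    "iloveyou": 1_600_000,
}

PREFIX_LEN = 5  # only the first 5 hex characters of the SHA-1 hash leave the client
API_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called here


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(leaked_counts):
    """Server side: full SHA-1 hash -> number of times seen in breaches."""
    return {sha1_hex(pw): count for pw, count in leaked_counts.items()}


def range_lookup(index, prefix: str) -> str:
    """Server side: answer a range query with every hash that starts with the
    5-character prefix, as 'SUFFIX:COUNT' lines (the shape of the real response).
    The server learns only the prefix, never the full hash or the password."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    lines = [f"{h[PREFIX_LEN:]}:{count}"
             for h, count in sorted(index.items()) if h.startswith(prefix)]
    return "\n".join(lines)


def pwned_count(password: str, index) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = never seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    response = range_lookup(index, prefix)  # stands in for GET API_RANGE_URL + prefix
    for line in response.splitlines():
        candidate_suffix, _, count = line.partition(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def generate_password(length: int = 20) -> str:
    """A manager-style random password from a cryptographic RNG (secrets, not random)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_candidates(candidates, index):
    """Map each candidate password to the number of times the corpus has seen it."""
    return {pw: pwned_count(pw, index) for pw in candidates}


if __name__ == "__main__":
    index = build_server_index(LEAKED_PASSWORD_COUNTS)
    results = check_candidates(["password", "letmein", generate_password()], index)
    for pw, seen in results.items():
        verdict = f"seen {seen} times in breaches: change it" if seen else "not in corpus"
        print(f"{pw!r}: {verdict}")
```

Note that `range_lookup` receives nothing but the five-character prefix, so the same request is produced by every password whose hash shares that prefix; this is the anonymity property the article refers to.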
Sign up for the free notification service
Website: https://haveibeenpwned.com/
- Visit the above website address.
- Click on ‘Notify me' on the top menu bar.
- Type in your email address, click/tick the box next to ‘I am not a robot' and press the ‘notify me of pwnage' button.
- Repeat the above steps for any other email addresses that you want to monitor. You can do this as often as you like.
If your email address(es) are compromised, and Troy finds out about it, then you will be notified. If you are notified of another breach of your personal information, change your passwords as soon as you can and conduct another review of your security measures – are you remaining vigilant, or are you falling into bad habits again?
Find out what GOOD habits look like below.
2. Get yourself a password manager
A password manager takes the pain out of remembering all of your passwords, storing them all safely in a secure, encrypted place until you need them – in your web browser, or on your device. It will also help you to generate very secure passwords.
HINT: it will not be the name of your child or pet, 123456, qwerty, Password, Letmein, Login, Iloveyou, football – or any of the other ‘Most commonly used passwords' – just search for that phrase if you do not believe me.
There are plenty of choices available, depending on your circumstances, but I would recommend starting by looking at any of the following tried and tested password managers:
- LastPass – available for: Operating System (OS): Windows, macOS, Linux, Chrome, iOS, Android, Windows Mobile. Web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari, Opera, Maxthon, Microsoft Edge. App Stores: App Store, Google Play, Windows Phone. Find out more / download: https://www.lastpass.com
- 1Password – available for: Operating System (OS): Windows, macOS, Linux, Chrome, iOS, Android. Web browsers: Internet Explorer, Microsoft Edge, Mozilla Firefox, Google Chrome, Apple Safari, Opera. App Stores: App Store, Google Play. Find out more / download: https://1password.com
- Dashlane – available for: Operating System (OS): Windows, macOS, Linux, Chrome, iOS, Android. Web browsers: Chrome, Firefox, Internet Explorer, Safari, Microsoft Edge. App Stores: App Store, Google Play. Find out more / download: https://www.dashlane.com
I have personally used LastPass for years (since I was hacked, actually) and have no hesitation in recommending it. The top Aussie bloke that I mentioned above (Troy) recommends 1Password – which actually integrates with the HIBP website that Troy maintains, and which will automatically check to see if you are using any of the 551,509,767 real world passwords that were previously exposed in data breaches. I am considering evaluating 1Password for my own use on that basis – I will update this post if I do so.
Sadly, despite me being a seriously experienced ‘industry insider', I allowed myself to be duped by Phishers who proceeded to purchase an expensive laptop and camera using my funds from a connected bank account. Seriously, I have had to manage THOUSANDS of passwords over the last 40 years and thought that I was careful, and that I knew better. My bank immediately recovered the fraudulently spent money, but my lesson was learned.
Also turn on two-factor authentication wherever it's available. Two-factor authentication ‘double-checks' that you really are the person that you claim to be, when you try to access your online accounts. Using only a username and password provides single-factor authentication – using just one thing to verify that you are who you say you are.
With two-factor authentication, you must provide two pieces of information to log in – your password and a code sent to your mobile device or your fingerprint. More and more websites are offering two-factor authentication as an option to secure your personal information – I recommend using this wherever you can.
Some critics of password managers say that they introduce a single point of failure – for example if the developer of the password manager is hacked, or if you simply lose / forget the master password to your password manager.
Overall, though these risks do exist, the advice is that you are still better off with a password manager than without.
3. Protect yourself against phishing
OK, what is Phishing?! The word is a neologism (newly created word) that is pronounced the same as fishing – and which derives from the idea that hackers use some kind of bait in order to try to catch a victim.
Phishing fraudulently attempts to obtain sensitive information such as usernames, passwords and credit card details. This is done by hackers disguising their communication such that it appears to originate from a trustworthy source. This is usually done through email spoofing, or instant messaging, and will often direct a user to enter their personal information at a fake website – that otherwise appears to be legitimate.
Always be vigilant online and on the telephone – including at work:
- Always trust your gut – if it seems dodgy or unusual – it probably is.
- Curiosity, trust, and fear are hardwired into us and Phishers play to this – recognise these emotions in you as they arise, before acting upon them – and consider that all might not be well.
- Emails – giveaways can include poor spelling or grammar, an impersonal greeting, the email being sent to multiple addresses.
- Try to avoid clicking links – hover over them to see where they really lead, then type the address into a new browser window yourself if you are happy with it.
- Examine the email address carefully – I often get emails purporting to be from a trusted source, where the email address looks legitimate at first glance, but when you look closer, you can see several issues. Something like: [email protected] <[email protected]>. Unfortunately, whilst this will catch some spoofed email, due to the insecure way email was designed in the 1980s anyone can ‘spoof' the sender's name and even the sender's email address in the From: field. The subject is impossible to cover in the scope of this article – but use the 4-step recommendations in this article to stay as safe as you can.
- Popup warnings may not originate from the page that you think they do – beware being asked for sensitive information.
- Popup warnings that are hard to close are almost ALWAYS trouble for you – you are likely to be told you are ‘infected with malware', so it is safer to close the whole browser – even if you have to ‘kill' it via your system's ‘Task Manager'.
- Close down any old online accounts that you do not need – they are just one more unnecessary exposure to the risk of being hacked.
- Beware cold calls that threaten you, for example: ATO prosecution unless you pay a late fine now, or your internet company has noticed you have been hacked; scare tactics such as closing your account, issuing a fine or any other urgent deadlines etc.
- The hacker/scammer will try to bully you into either revealing personal information (to ‘security check they are talking to the right person') – or to visit a webpage to reset (or rather steal) your password – or try to demonstrate that you are being attacked. Either way, you will end up inadvertently installing some sort of software (malware). This will either further compromise your security information over time – or they will offer to remove the software at a price – or otherwise seek to extort money/cryptocurrency from you.
- Be careful of shortened website addresses (URLs), always check where they lead before using them: check using a site such as www.checkshorturl.com which will expand it so that you can see where the link is trying to send you. Fake sites will harvest your security information to use on the real site.
- If in doubt, call the company on a verified number – verify the number via a source other than the email/website that you are concerned about. This tool: https://whois.domaintools.com shows the registered contact details for a domain.
- Try to use secure websites where possible (indicated by https:// and a security “lock” icon).
- Never use public, unsecured Wi-Fi for banking, shopping or entering personal information online – is convenience more important than security and safety? When in doubt, use your mobile’s 3/4G or LTE connection.
- Be careful of software downloads: free screensavers, email attachments from people you do not know etc.
- Note that Phishers, scammers and hackers may collect and build up your data over a long period of time, using different means.
- Check bank and card statements regularly and query any transactions you do not recognise – banks are able to reverse fraudulent transactions (no jokes about the Royal Commission, please…).
- If your bank statements are late, they may have been diverted – so contact the bank in case you have been attacked.
Good luck!
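Two of the email giveaways listed above can be checked mechanically: a display name that shows one address while the message actually comes from another, and a sender domain that merely resembles a trusted one (an extra word, or a digit swapped for a letter). The following is an added example, not code from the article, of a small triage helper that applies both checks to a From: header. The trusted domains and all of the sample headers are constructed placeholders; a real deployment would use the organisation's own list of legitimate sender domains.

```python
import re

# Constructed placeholders for domains the reader knows to be legitimate.
TRUSTED_DOMAINS = {"mybank.example", "ato.example"}

# Constructed sample From: headers (no real senders).
SAMPLE_HEADERS = [
    '"MyBank Security" <alerts@mybank.example>',               # genuine
    '"alerts@mybank.example" <promo@cheap-hosting.example>',    # name shows another address
    '"MyBank Security" <alerts@mybank-secure-login.example>',   # brand word in a stranger's domain
    '"ATO Refunds" <refunds@at0.example>',                      # digit zero instead of letter o
    'newsletter@shop.example',                                  # untrusted but not suspicious
]

ADDR_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^>\s]+)>\s*$')


def parse_from(header):
    """Split a From: header into (display name, address). Bare addresses have no name."""
    m = ADDR_RE.match(header)
    if m:
        return (m.group("name") or "").strip(), m.group("addr").strip().lower()
    return "", header.strip().lower()


def domain_of(addr):
    """Domain part of an address, or '' when there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_from(header, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for one From: header; an empty list means no finding.
    A sender that really is one of the trusted domains is accepted without further checks."""
    name, addr = parse_from(header)
    addr_domain = domain_of(addr)
    warnings = []
    if addr_domain in trusted:
        return warnings

    # 1. display name carries an address whose domain differs from the real sender
    name_domain = domain_of(name)
    if name_domain and name_domain != addr_domain:
        warnings.append(f"display name shows {name_domain} but mail comes from {addr_domain}")

    # 2. sender domain resembles a trusted one, or the name drops a trusted brand word
    for t in sorted(trusted):
        label = t.split(".")[0]
        if label in addr_domain or edit_distance(addr_domain, t) <= 2:
            warnings.append(f"sender domain {addr_domain} looks like trusted domain {t}")
        if label in name.lower().replace(" ", ""):
            warnings.append(f"display name mentions {label} but domain {addr_domain} is not trusted")
    return warnings


def assess_all(headers):
    """Map each header to its list of warnings."""
    return {h: assess_from(h) for h in headers}


if __name__ == "__main__":
    for header, findings in assess_all(SAMPLE_HEADERS).items():
        print(header)
        for w in findings or ["no findings"]:
            print("   ", w)
```

The helper is deliberately conservative: an unknown domain with no resemblance to a trusted one (the newsletter in the sample) produces no warning, because the point is to surface the impersonation patterns the article describes, not to treat every unfamiliar sender as hostile.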
4. Protect yourself against viruses, spyware and other malware
An important weapon in your armoury against Phishing, viruses, spyware and other malware (malicious software) such as worms and Trojan horses is the use of a strong, good quality, trusted security software suite.
This includes protecting your younger family members with Parental Controls.
There are plenty of free and paid for suites available – so you have no excuse not to protect you and your family today!
It is extremely important to keep all of your software – operating systems and applications – up to date, including your anti-virus definitions.
7 of the Best Internet Security Software Suites in 2019
I have used the Norton Internet Security suite for decades – I had a brief fling with AVG when Norton started to slow my machine down, but I soon went back to Symantec because I preferred it. A rebuild of my machine helped the performance issues.
In no particular order, here are 7 that I would consider if I were looking again today – there are plenty of others to choose from as well:
- Norton from Symantec Website: https://au.norton.com/
- McAfee Website: https://www.mcafee.com/en-au/
- Kaspersky Website: https://www.kaspersky.com.au/
- AVG Website: https://www.avg.com/en-au/
- BitDefender Website: https://www.bitdefender.com.au/
- Trend Micro Website: https://shop.trendmicro.com.au/
- Webroot Website: https://www.webroot.com/au/
These software companies offer various free software (or free trials in some cases), and have packages for individuals, families, small businesses and large enterprises, to suit your particular circumstances and budget.
Talk to friends and family to find out what they are using to protect themselves, and what their experience is with particular software.
In case you are not yet scared for the safety of you and your family, look at some of the numbers below to open your eyes to the risks you face online.
27 well-known websites that have been compromised
From the list of 340 compromised websites (and 6,474,028,664 compromised accounts) listed on HIBP at the end of January 2019, the following table shows just 27 of the better known websites:
I am Dean Carlton from Global Village Transformations. If you would like to discuss opportunities for transformation within your business, please feel free to contact me on 0498 751 460 or at [email protected].