1.2 billion stolen password

1,2 billion passwords stolen, but does it affect me?

You have heard the news. Russian hackers have managed to collect a pile of no less than 1,2 billion stolen user IDs and passwords from approximately 420 000 different sites. That’s a lot of passwords and your own could very well be among them. But what’s really going on here? Why is this a risk for me and what should I do? Read on, let’s try to open this up a bit.

First of all. There are intrusions in web systems every day and passwords get stolen. Stolen passwords are traded on the underground market and misused for many different purposes. This is nothing new. The real news here is just the size of the issue. The Russian hacker gang has used powerful scripts to harvest the Internet for vulnerable systems and automatically hacked them, ending up with this exceptionally large number of stolen passwords. But it is still good that people write and talk about this, it’s an excellent reminder of why your personal passwords habits are important.

Let’s first walk you through how it can go wrong for an ordinary Internet user. Let’s call her Alice.

  1. Alice signs up for a mail account at Google. She’s lucky, alice@gmail.com is free. She’s aware of the basic requirements for good passwords and selects one with upper- and lowercase letters, digits and some special characters.
  2. Alice is quite active on the net and uses Facebook as well as many smaller sites and discussion forums. Many of them accepts alice@gmail.com as the user ID. And it’s very logical to also use the same password, it sort of belongs together with that mail address and who wants to remember many passwords?
  3. Now the evil hackers enter the scene and starts scanning the net for weak systems. Gmail is protected properly and withstands the attacks. But many smaller organizations have sites maintained on a hobby basis, and lack the skills and resources to really harden the site. One of these sites belongs to a football club where Alice is active. The hackers get access to this site’s user database and downloads it all. Now they know the password for alice@gmail.com on that site. Big deal, you might think. The hackers know what games Alice will play in, no real harm done. But wait, that’s not all.
  4. It’s obvious that alice@gmail.com is a Gmail user, so the hackers try her password on gmail.com. Bingo. They have her email, as well as all other data she keeps on the Google sites.
  5. They also scan through a large number of other popular internet sites, including Facebook. Bingo again. Now the hackers have Alice’s Facebook account and probably a couple of other sites too.
  6. Now the hackers starts to use their catch. They can harvest Alice’s accounts for information, mail conversations, other’s contact info and e-mails, documents, credit card numbers, you name it. They can also use her accounts and identity to send spam or do imposter scams, just to list some examples.

So what’s the moral of the story? Alice used a good password but it didn’t protect her in this case. Her error was to reuse the password on many sites. The big sites usually have at least a decent level of security. But if you use the same password on many sites, its level of protection is the same as the weakest site where it has been used. That’s why reusing your main mail password, especially on small shady sites, is a huge no-no.

But it is really inconvenient to use multiple strong passwords, you might be thinking right now. Well, that’s not really the case. You can have multiple passwords if you are systematic and use the right tools. Make up a system where there is a constant part in every password. This part should be strong and contain upper- and lowercase characters, digits and special characters. Then add a shorter variable part for every site. This will keep the passwords different and still be fairly easy to remember.

Still worried about your memory? Don’t worry, we have a handy tool for you. The password manager F-Secure Key.

But what about the initial question? Does this attack by the Russian hackers affect me? What should I do? We don’t know who’s affected as we don’t know (at the time of writing) which sites have been affected. But the number of stolen passwords is big so there is a real risk that you are among them. Anyway, if you recognize yourself in the story about Alice, then it is a good idea to start changing your passwords right away. You might not be among the victims of these Russian hackers, but you will for sure be a victim sooner or later. Secure your digital identities before it happens!

If you on the other hand already have a good system with different passwords on all your sites, then there’s no reason to panic. It’s probably not worth the effort to start changing them all before we know which systems were affected. But if the list of these 420 000 sites becomes public, and you are a user of any of these sites, then it’s important to change your password on that site.


Safe surfing,


More posts from this topic

Two-factor Authentication

POLL: Do you use two-factor authentication?

October is National Cyber Security Awareness Month in the US, and European Cyber Security Month in Europe. Basically, institutions in these two countries have decided that it’s time for people to get serious about cybersecurity. And they’re right to do it – according to F-Secure’s Business Security Insider blog, there was 81 cyberattacks every minute in 2014. So hacking is a serious business for these attackers. And one security measure that experts would like to see used more widely is two-factor authentication. [polldaddy poll=9124837]   Two-factor (or multi-factor) authentication refers to using more than one piece of information to safeguard access to accounts. Many popular services, such as Facebook and Twitter, offer it to users. However, very few services require it. It’s really more of an option for people interested in having a little bit of extra security for their accounts. A recent survey from Google points out that 89 percent of security experts use two-factor authentication for at least one of their online accounts. But it’s less popular amongst non-experts. Only 62 percent of non-expert respondents to Google’s survey used two-factor authentication. Other studies indicate that two-factor authentication may be even less popular, with one recent consumer survey finding that 56 percent of respondents were unfamiliar with two-factor authentication. Although two-factor authentication has been around for ages, it’s starting to become offered by many online services. Passwords are currently the standard in account security, but adding in two-factor authentication adds an extra layer of security. It basically means anyone that gets access to your password will essentially only have “half a key” to your account. So why don’t more people use it? After all, nearly 80 percent of people are open to alternatives to traditional passwords. One reason might be that it’s too difficult or inconvenient. But the widespread use of mobile devices is making this much easier. Email and SMS messages seem to be easiest and the most popular, with one study finding almost 90 percent of participants using two-factor authentication did so by receiving a code through SMS or email, which they could then enter into a website to confirm their identity. Another reason could be availability. It’s up to companies and organizations providing online accounts to offer two-factor authentication to customers. This website provides a pretty good list of different online services offering two-factor authentication, so it’s a pretty handy resource. You can also use the site to send tweets to companies not offering two-factor authentication (so don’t hesitate to send a message if you want someone providing you with a service to improve their account security features). If you crunch the numbers provided by the site, you can get an idea about how common two-factor authentication is for different kinds of services: Cryptocurrencies: 96% Identity Management: 93% Cloud Computing: 77% Gaming: 69% Hosting/VPS: 69% Email: 65% Domains: 65% Developers: 63% Communication: 62% Backup and Sync Services: 60% Investing: 38% Banking and Financial Services: 35% Health: 30% Finance: 28% Education: 25% Entertainment: 7% So two-factor authentication is definitely more prominent in some industries than others. F-Secure Security Advisor Sean Sullivan says that it’s definitely worth choosing services offering two-factor authentication, especially for important accounts that you use daily, or contain really sensitive information. “You should figure out what accounts are critical and focus on securing those by using strong, unique passwords and two-factor authentication,” he says. “Lots of companies will offer a monthly or periodic two-factor authentication check, which requires you to enter a code you receive via SMS into a pre-defined phone or computer. It’s really worth having a primary email account with one of these services, as you can centralize information there instead of spreading it around, which makes it easier to stay in control of your accounts.” Next time you’re thinking about setting up an online account somewhere, you may want to circle back to whether or not they offer two-factor authentication. With the number of devices expected to explode as the Internet of Things becomes more and more popular, it only makes sense to consider whether you’re information is as secure as you’d like. [ Image by momentcaptured1 | Flickr ]

October 13, 2015
safe harbor, U.S privacy, European privacy

The ‘Safe Harbor’ ruling divides the ‘old world’ and ‘new world’

This week's ruling by the European Court of Justice striking down the 2000 "Safe harbor" agreement between the European Union and and the United States was celebrated as vindication by privacy activists, who saw the decision as a first major international consequence of the Snowden revelations detailing the extraordinary extent of mass surveillance being conducted by the U.S. and its allies. "The safe harbor agreement allowed U.S. companies to self-certify they abided by EU-strength data protection standards," Politico's David Meyer reported. "This gave them a relatively simple mechanism to start legally handling Europeans’ personal data." That simple mechanism did not abide by the Commissions own privacy standards, the Court decided. "The court, by declaring invalid the safe harbor which currently permits a sizeable amount of the commercial movement of personal data between the EU and the U.S., has signaled that PRISM and other government surveillance undermine the privacy rights that regulates such movements under European law," the EFF's Danny O'Brien wrote. A new Safe Harbor agreement is currently being negotiated and the Court's ruling seems designed to speed that up. But for now many companies -- especially smaller companies -- and users are now in a sort of a legal limbo. And that legal limbo may not be great news for your privacy, according to F-Secure Security Advisor Sean Sullivan, as it creates legal uncertainty that could easily be exploited by government spy agencies and law enforcement. "Uncertainty is their bread and butter," he told me. To Sean, this ruling and the urge to break the old agreement without a new one yet in place represent an "old world" view of the Internet where geography was key. The U.S. government has suggested that it doesn't need to respect borders when it comes to companies like Microsoft, Facebook and Google, which are headquartered in the U.S. but do business around the world. Last month, the Department of Justice said it could demand Microsoft turn over Hotmail data of any user, regardless where s/he lives. "The cloud doesn’t have any borders," Sean said. "Where stuff is located geographically is kind of quaint." You can test this out by using an app like Citizen Ex that tests your "Algorithmic Citizenship." Sean, an American who lives in Finland, is identified as an American online -- as much of the world would be. What Europe gave up in privacy with Safe Harbor was, to some, made up for in creating a cohesive marketplace that made it easier for businesses to prosper. Facebook and Google warned that the U.S.'s aggressive surveillance risked "breaking the Internet." This ruling could be the first crack in that break. Avoiding a larger crackup requires a "new world" view of the Internet that respects privacy regardless of geography, according to Sean. He's hopeful that reform comes quickly and democratically in a way that doesn't require courts to force politicians' hands. The U.S. showed some willingness to reform is surveillance state when it passed the USA FREEDOM Act -- the first new limitations on intelligence gathering since 9/11. But more needs to be done, says the EFF. The digital rights organization is calling for "reforming Section 702 of the Foreign Intelligence Surveillance Amendments Act, and re-formulating Executive Order 12333." Without these reforms, it's possible that any new agreement that's reached between the U.S. and Europe might not reach the standards now reaffirmed by the European Court of Justice.

October 9, 2015

Is protection against self-incrimination dead in the digital era? (Poll)

How to balance between privacy and crime fighting? That’s one of the big questions now when we are entering the digitally connected era. Our western democracies have a set of well-established and widely accepted rules that control what authorities can and can’t do. One aspect of this has been in the headlines lately. That’s your right to “plead the Fifth”, as the Americans say. Laws are different in every country, but most have something similar to USA’s Fifth Amendment. The beef is that “No person … shall be compelled in any criminal case to be a witness against himself,…”. Or as often expressed in popular culture: “You have the right to remain silent.” With more fancy words, protection against self-incrimination. What this means in practice is that no one can force you to reveal information if authorities are suspecting you of a crime. You have the right to defend yourself, and refusal to disclose information is a legal defense tactic. But the police can search your home and vehicles for items, if they have the proper warrant, and there’s nothing you can do to stop that. In short, the Fifth Amendment protects what you know but not what you have. Sounds fair. But the problem is that there was no information technology when these fundamental principles were formed back in 1789. The makers of the Fifth Amendment, and similar laws in other countries, could not foresee that “what you know” will expand far beyond our own brains. Our mobile gadgets, social media and cloud services can in the worst case store a very comprehensive picture of how we think, whom we have communicated with, where we have been and what we have done. All this is stored in devices, and thus available to the police even if we exercise our right to remain silent. Where were you last Thursday at 10 PM? Do you know Mr John Doe? What's the nature of your relationship with Ms Jane Doe? Have you purchased any chemicals lately? Do you own a gun? Have you traveled to Boston during the last month? Have you ever communicated with mohammad@isis.org? These are all questions that an investigator could ask you. And all may still be answered by data in your devices and clouds even if you exercise your right to remain silent. So has the Fifth Amendment lost its meaning? Would the original makers of the amendment accept this situation, or would they make an amendment to the amendment? The situation is pretty clear for social media and cloud storage. This data is stored in some service provider’s data center. The police can obtain a warrant and then get your data without any help from you.(* Same thing with computers they take from your home. The common interpretation is that this isn’t covered by the Fifth Amendment. But what if you stored encrypted files on the servers? Or you use a device that encrypts its local storage (modern Androids and iPhones belong to this category). The police will in these cases need the password. This is something you know, which makes it protected. This is a problem for the police and countries have varying legislation to address the problem. UK takes an aggressive approach and makes it a crime to refuse revealing passwords. Memorized passwords are however protected in US, which was demonstrated in a recent case. Biometric authentication is yet another twist. Imagine that you use your fingerprint to unlock your mobile device. Yes, it’s convenient. But it may at the same time reduce your Fifth Amendment protection significantly. Your fingerprint is what you are, not what you know. There are cases in the US where judges have ruled that forcing a suspect to unlock a device with a fingerprint isn’t in conflict with the constitution. But we haven’t heard the Supreme Court’s ruling on this issue yet. So the Fifth Amendment, and equal laws in other countries, is usually interpreted so that it only protects information stored in your brain. But this definition is quickly becoming outdated and very limited. This is a significant ethical question. Should we let the Fifth Amendment deteriorate and give crime fighting higher priority? Or should we accept that our personal memory expands beyond what we have in our heads? Our personal gadgets do no doubt contain a lot of such information that the makers of Fifth Amendment wanted to protect. If I have the right to withhold a piece of information stored in my head, why should I not have the right to withhold the same information stored elsewhere? Is there really a fundamental difference that justifies treating these two storage types differently? These are big questions where different interests conflict, and there are no perfect solutions. So I pass the question to you. What do you think? [polldaddy poll=9102679]   Safe surfing, Micke   Image by OhLizz   (* It is this simple if the police, the suspect and the service provider all are in the same country. But it can get very complicated in other cases. Let's not go there now as that would be beside the point of this post.  

September 30, 2015