1.2 billion stolen password

1,2 billion passwords stolen, but does it affect me?

You have heard the news. Russian hackers have managed to collect a pile of no less than 1,2 billion stolen user IDs and passwords from approximately 420 000 different sites. That’s a lot of passwords and your own could very well be among them. But what’s really going on here? Why is this a risk for me and what should I do? Read on, let’s try to open this up a bit.

First of all. There are intrusions in web systems every day and passwords get stolen. Stolen passwords are traded on the underground market and misused for many different purposes. This is nothing new. The real news here is just the size of the issue. The Russian hacker gang has used powerful scripts to harvest the Internet for vulnerable systems and automatically hacked them, ending up with this exceptionally large number of stolen passwords. But it is still good that people write and talk about this, it’s an excellent reminder of why your personal passwords habits are important.

Let’s first walk you through how it can go wrong for an ordinary Internet user. Let’s call her Alice.

  1. Alice signs up for a mail account at Google. She’s lucky, alice@gmail.com is free. She’s aware of the basic requirements for good passwords and selects one with upper- and lowercase letters, digits and some special characters.
  2. Alice is quite active on the net and uses Facebook as well as many smaller sites and discussion forums. Many of them accepts alice@gmail.com as the user ID. And it’s very logical to also use the same password, it sort of belongs together with that mail address and who wants to remember many passwords?
  3. Now the evil hackers enter the scene and starts scanning the net for weak systems. Gmail is protected properly and withstands the attacks. But many smaller organizations have sites maintained on a hobby basis, and lack the skills and resources to really harden the site. One of these sites belongs to a football club where Alice is active. The hackers get access to this site’s user database and downloads it all. Now they know the password for alice@gmail.com on that site. Big deal, you might think. The hackers know what games Alice will play in, no real harm done. But wait, that’s not all.
  4. It’s obvious that alice@gmail.com is a Gmail user, so the hackers try her password on gmail.com. Bingo. They have her email, as well as all other data she keeps on the Google sites.
  5. They also scan through a large number of other popular internet sites, including Facebook. Bingo again. Now the hackers have Alice’s Facebook account and probably a couple of other sites too.
  6. Now the hackers starts to use their catch. They can harvest Alice’s accounts for information, mail conversations, other’s contact info and e-mails, documents, credit card numbers, you name it. They can also use her accounts and identity to send spam or do imposter scams, just to list some examples.

So what’s the moral of the story? Alice used a good password but it didn’t protect her in this case. Her error was to reuse the password on many sites. The big sites usually have at least a decent level of security. But if you use the same password on many sites, its level of protection is the same as the weakest site where it has been used. That’s why reusing your main mail password, especially on small shady sites, is a huge no-no.

But it is really inconvenient to use multiple strong passwords, you might be thinking right now. Well, that’s not really the case. You can have multiple passwords if you are systematic and use the right tools. Make up a system where there is a constant part in every password. This part should be strong and contain upper- and lowercase characters, digits and special characters. Then add a shorter variable part for every site. This will keep the passwords different and still be fairly easy to remember.

Still worried about your memory? Don’t worry, we have a handy tool for you. The password manager F-Secure Key.

But what about the initial question? Does this attack by the Russian hackers affect me? What should I do? We don’t know who’s affected as we don’t know (at the time of writing) which sites have been affected. But the number of stolen passwords is big so there is a real risk that you are among them. Anyway, if you recognize yourself in the story about Alice, then it is a good idea to start changing your passwords right away. You might not be among the victims of these Russian hackers, but you will for sure be a victim sooner or later. Secure your digital identities before it happens!

If you on the other hand already have a good system with different passwords on all your sites, then there’s no reason to panic. It’s probably not worth the effort to start changing them all before we know which systems were affected. But if the list of these 420 000 sites becomes public, and you are a user of any of these sites, then it’s important to change your password on that site.

 

Safe surfing,
Micke

 

More posts from this topic

F-Secure shares tips to protect your data on Data Privacy Day

It’s Data Privacy Day, and Companies Know More About You Than Ever

Nowadays companies know more about you than ever. But do you know what they’re doing with all your data? Today's Data Privacy Day, and at F-Secure we usually talk a lot about defending your personal data from online criminals: the likes of hackers, scammers and WiFi snoops. But today we'd like to talk a little about how your privacy can be invaded completely legally - by private businesses who collect your data, and how you can protect yourself. We give companies unprecedented access to our personal info and shopping habits. We give knowingly, such as when we fill out a website form. We also give in ways we may not be aware of, in the case of online advertisers who track our clicks around the web and gain insight into our interests and preferences. These advertisers are building up detailed, extensive profiles about us so they can target us with online ads we'll be more likely to click on. The apps we install garner even more of our information. Not to mention what we give to social networks and our email providers. The result: a mass of digital data is spread around about each of us that's super difficult to control. An Adroit Digital study found that 58% of respondents aren't comfortable with the amount of information they have to give to get special offers or services from retailers, and 82% are uncomfortable with the amount of information online advertisers have about them. And according to a survey by SAS, more than 69% of respondents agree that recent news events have increased their concerns about their data in the hands of businesses. News events like all-too-common data breaches, no doubt. But there's also a skepticism of what businesses and organizations may do with the data they are entrusted with. Last week, for example, Americans were shocked to learn that their government’s healthcare website had been quietly funneling consumers’ personal details along to advertising and analytics companies. At F-Secure, we've always been extremely conscious about the responsibility we have to respect the privacy of our customers' data and content. We recently put our core privacy principles into a structured form and shared them with the world - and Micke delved into them in a recent 3-part series. We also are passionate about helping you protect your own privacy - which is why we've created privacy-centered products like Freedome, which keeps online advertisers out of your business by blocking tracking. At the very least, we hope to inspire you to be, if not already, a little more aware of your data trail. So in celebration of Data Privacy Day, here are a few tips for helping you keep from spreading your data too far: 6 Tips for Defending Your Personal Data Check before committing. If your relationship with a business means you’ll be giving up a lot of data to them, check for a privacy policy or principles that outline how they use customer data Choose privacy. Turn on Private or Incognito mode in your web browser so that websites can’t use cookies to identify you Check your settings. Use this handy list to check your privacy settings on all the most popular sites, from ecommerce to social media and more. Provided by the folks behind Data Privacy Day. Search carefree. Use F-Secure Search, our free search engine that makes sure your search history is not stored anywhere or linked to you Get informed. Use F-Secure App Permissions, our free app that lets you know what information you’re giving up to the apps you’ve installed on your phone Keep advertisers at arms' length. Use F-Secure Freedome, our privacy app that blocks third-party online advertisers from following you around the Web. Freedome is available for a free 14-day trial here.   Happy Data Privacy Day!   Image courtesy Philippe Teuwen, flickr.com  

Jan 28, 2015
BY 
iot

The big things at CES? Drones, privacy and The Internet of Things

F-Secure is back from CES -- where the tech world comes together in Las Vegas to preview some of the latest innovations – some which might change our lives in the coming years, others never to be seen or heard again. Inside the over 200,000 square meter exhibit space, Drones flew, and made a fashion statement; hearing aids got smartphone apps; and 3-D printers printed chocolate. We made a stir of our own with Freedome. Our David Perry reminded the industry professionals that the mobile devices nearly all of them were carrying can do more than connect us. "I want you to stop and think about this," he told RCR Wireless News as he held his smartphone up on the event floor. "This has two cameras on it. It has two microphones. It has GPS. It has my email. It has near-field detectors that can tell not only where I am but who I'm sitting close to. This is a tremendous amount of data. Every place I browse on the internet. What apps I'm running. What credit cards I have. And this phone doesn't take any steps to hide my privacy." In this post-Snowden world, where professionals are suddenly aware of how much their "meta-data" can reveal about them. Privacy also played a big role in the discussion of one the hottest topics of 2015 -- the Internet of Things (IoT). The world where nearly everything that can be plugged in -- from washing machines to light bulbs to toasters -- will be connected to the internet is coming faster than most predicted. Samsung promised every device they make will connect to the net by the end of the decade. If you think your smartphone holds a lot of private data, how about your smarthome? "If people are worried about Facebook and Google storing your data today, wait until you see what is coming with #IoT in next 2-5 years," our Ed Montgomery tweeted during the event's keynote speeches, which included a talk from US Federal Trade Commission Chairwoman Edith Ramirez that tackled privacy issues on the IoT. Newly detected attacks on home routers suggest that the data being collected in our connected appliances could end up as vulnerable to snoops and hackers as our PCs. Some fear that these privacy risks may prevent people from adopting technologies that could eventually save us time, effort and energy. At F-Secure we recognize the promise that IoT and smart homes hold and we’re excited about the coming years. But we also understand the potential threats, risks, and dangers. We feel that our job is to enable our customers to fully enjoy the benefits of IoT and that is why we’re working on new innovations that will help customers to adopt IoT and smart home solutions in a safe and controlled way. It will be an exciting journey and we invite you to learn more about our future IoT solutions in the coming months. We at F-Secure’s IoT team would like to hear from you! Are you ready to jump on the IoT? What would your dream connected home look like? Or have you perhaps already set up your smart home? What are you worried about? How could your smart home turn into a nightmare? Read the rules and post your thoughts below for your chance to win one of our favorite things -- an iPad Air 2 16 GB Wi-Fi. [Image by One Tech News | via Flickr]

Jan 21, 2015
dune_tracks

You’re Being Tracked Wherever You Go – Here’s How to Fight Back From Your PC!

You're searching online for a baby gift for a friend's newborn, and then for a while you're followed by diaper ads on practically every site you visit. Ever notice something like that happening to you? Yes, the web can be an eerie place. Intelligence agencies and criminals aren’t the only people who may be tracking your online behavior - there’s a lot more to your browsing session than meets the eye. Take, for example, this F-Secure Labs study that found that of the 100 most popular URLs in the world, only 15 percent are actually accessed by real people. The other 85 percent are third-party sites that are accessed behind the scenes of your browsing session, by the sites you visit. And over half of these third-party sites are tracking-related. They are helping build up an online profile of you and your browsing habits. Why? So marketers can better target you with ads that meet your interests and preferences - or at least try to, in the case of the diaper ads. How does it work? When you visit a site with ads, you'll be tracked by the marketing company behind the ads on that site. And one marketing company may be working with a huge network of other websites. So whenever you visit another site that also has a relationship with that marketer, the marketer captures more and more data about you and your online behavior. All this data goes into an extensive profile that is being built up about you. If that sounds a little creepy, rest assured that you can regain control of your digital privacy. There’s an easy way to block advertisers from tracking you everywhere you go. Last year we launched F-Secure Freedome to stop tracking on your mobile device (to date, Freedome has already blocked over 900 million tracking attempts globally). And now there's good news - today we're unveiling Freedome for your Windows PC! Freedome for Windows has the same privacy features as the mobile versions, protecting you from trackers and hackers. It's got the same VPN technology to protect your browsing session from snoops while using public Wi-Fi. In addition, it also includes a new Private Search feature that offers tools so you can get your search engine results without the tracking. Since the Snowden revelations, we as consumers have become more and more aware that we may be revealing the most intimate details of our lives through our connected devices. According to a recent study by the Pew Research Center Internet Project, 91% of adults in the survey agree that consumers have lost control over how personal information is collected and used by companies. If you're concerned too, download a free 14-day trial of Freedome for your Windows PC. And let us know what you think!   Banner image courtesy of Filip Goc, flickr.com  

Jan 21, 2015
BY