1.2 billion stolen password

1,2 billion passwords stolen, but does it affect me?

You have heard the news. Russian hackers have managed to collect a pile of no less than 1,2 billion stolen user IDs and passwords from approximately 420 000 different sites. That’s a lot of passwords and your own could very well be among them. But what’s really going on here? Why is this a risk for me and what should I do? Read on, let’s try to open this up a bit.

First of all. There are intrusions in web systems every day and passwords get stolen. Stolen passwords are traded on the underground market and misused for many different purposes. This is nothing new. The real news here is just the size of the issue. The Russian hacker gang has used powerful scripts to harvest the Internet for vulnerable systems and automatically hacked them, ending up with this exceptionally large number of stolen passwords. But it is still good that people write and talk about this, it’s an excellent reminder of why your personal passwords habits are important.

Let’s first walk you through how it can go wrong for an ordinary Internet user. Let’s call her Alice.

  1. Alice signs up for a mail account at Google. She’s lucky, alice@gmail.com is free. She’s aware of the basic requirements for good passwords and selects one with upper- and lowercase letters, digits and some special characters.
  2. Alice is quite active on the net and uses Facebook as well as many smaller sites and discussion forums. Many of them accepts alice@gmail.com as the user ID. And it’s very logical to also use the same password, it sort of belongs together with that mail address and who wants to remember many passwords?
  3. Now the evil hackers enter the scene and starts scanning the net for weak systems. Gmail is protected properly and withstands the attacks. But many smaller organizations have sites maintained on a hobby basis, and lack the skills and resources to really harden the site. One of these sites belongs to a football club where Alice is active. The hackers get access to this site’s user database and downloads it all. Now they know the password for alice@gmail.com on that site. Big deal, you might think. The hackers know what games Alice will play in, no real harm done. But wait, that’s not all.
  4. It’s obvious that alice@gmail.com is a Gmail user, so the hackers try her password on gmail.com. Bingo. They have her email, as well as all other data she keeps on the Google sites.
  5. They also scan through a large number of other popular internet sites, including Facebook. Bingo again. Now the hackers have Alice’s Facebook account and probably a couple of other sites too.
  6. Now the hackers starts to use their catch. They can harvest Alice’s accounts for information, mail conversations, other’s contact info and e-mails, documents, credit card numbers, you name it. They can also use her accounts and identity to send spam or do imposter scams, just to list some examples.

So what’s the moral of the story? Alice used a good password but it didn’t protect her in this case. Her error was to reuse the password on many sites. The big sites usually have at least a decent level of security. But if you use the same password on many sites, its level of protection is the same as the weakest site where it has been used. That’s why reusing your main mail password, especially on small shady sites, is a huge no-no.

But it is really inconvenient to use multiple strong passwords, you might be thinking right now. Well, that’s not really the case. You can have multiple passwords if you are systematic and use the right tools. Make up a system where there is a constant part in every password. This part should be strong and contain upper- and lowercase characters, digits and special characters. Then add a shorter variable part for every site. This will keep the passwords different and still be fairly easy to remember.

Still worried about your memory? Don’t worry, we have a handy tool for you. The password manager F-Secure Key.

But what about the initial question? Does this attack by the Russian hackers affect me? What should I do? We don’t know who’s affected as we don’t know (at the time of writing) which sites have been affected. But the number of stolen passwords is big so there is a real risk that you are among them. Anyway, if you recognize yourself in the story about Alice, then it is a good idea to start changing your passwords right away. You might not be among the victims of these Russian hackers, but you will for sure be a victim sooner or later. Secure your digital identities before it happens!

If you on the other hand already have a good system with different passwords on all your sites, then there’s no reason to panic. It’s probably not worth the effort to start changing them all before we know which systems were affected. But if the list of these 420 000 sites becomes public, and you are a user of any of these sites, then it’s important to change your password on that site.

 

Safe surfing,
Micke

 

More posts from this topic

erka iAmA

Ask Erka Koivunen anything for #CyberSecMonth

European Cyber Security Month (or National Cyber Security Awareness Month as it’s known in the US) is just around the corner. And considering the recent disclosure of Yahoo’s massive data breach, it seems like a good time for companies to give some consideration to their cyber security policies. One person glad to see it arrive is F-Secure Cyber Security Advisor Erka Koivunen. Erka, who’s advised people, companies, and even governments on how to protect themselves from online threats for years, wants to let people know that security is more than relying on the latest technologies or devices for protection. It’s just as much about processes and practices as it is about technology. That’s why Erka is participating in an “Ask me Anything” session on Reddit called “How to Create a Culture of Security.” Erka will answer your questions about what you, your colleagues, and your boss need to know about being hacked. Plus, Erka will be joined by Cosmin Ciobanu from the European Union Agency for Network and Information Security (better known as ENISA, the organized of European Cyber Security Month) to provide some additional insights on how to improve security in workplaces around Europe. This will be Erka’s second AMA, having previously fielded a range of questions about online privacy in an AMA conducted last Data Privacy Day. The AMA session will kick-off at 8 AM EST/3 PM EET on October 4th. We’ll update this blog post with the link as soon as it’s available, so check back here so you don’t miss out.

September 30, 2016
BY 
Connected

Wherever You’re Connected, You Should Be Protected

Protecting yourself on the internet used to be a lot simpler -- mostly because you weren't always on the internet. Now we can be online from when we wake up until when we go to sleep. We seamlessly shift from chatting to shopping to banking -- rarely sticking to one device or platform for too long. Most of us aren't just a Mac or PC or an Android anymore -- we're all of the above. “I, and I think most people, have a cross-platform household – I use several different devices with different operating systems on a daily basis," F-Secure security advisor Sean Sullivan explains. The old paradigm of just protecting your PC or your phone can leave your devices exposed to threats. And even the best security software in the world won't protect your public Wi-Fi connection from being snooped on, possibly exposing your most private details, including passwords. That's why we've launched F-Secure total security and privacy, which combines F-Secure SAFE and F-Secure Freedome. F-Secure SAFE is a multi-device internet security suite that protects all your devices. Freedome is a VPN offers a simple way to encrypt your communications over public Wi-Fi and change your virtual location to access geo-blocked sites and services while blocking malicious websites and online tracking. You can still purchase F-Secure SAFE and Freedome separately. And there have been recent improvements to both, including: Silent upgrades that ensure SAFE is automatically updated Parental controls now available on all supported SAFE platforms Ability to create Freedome Wi-Fi hotspots with Android devices while VPN is turned on "Buying separate products to protect iOS, Windows, Macs and whatever else isn’t just expensive, but it means you have to get used to different pieces of software designed to do the same thing," Sean explains. F-Secure total security and privacy is now available for a free trial here. If you're a current SAFE customer, you can't upgrade to total security and privacy but you should receive a discount offer for Freedome. "Bundling protective measures into packages to run on different devices is more economical and more user friendly, both of which are good for security.” Cheers, Sandra [Image by Hans Kylberg | Flickr]  

September 27, 2016
yahoo

What You Need to Know About the Yahoo Hack

Reports that half a billion Yahoo accounts were hacked in 2014 "by a state-sponsored actor" were confirmed today by the tech giant. This hack of "names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions" is the largest in the company's history and one of the most consequential breaches of all time. Our security advisor Sean Sullivan told CNN what Yahoo users need to know right now: [youtube https://www.youtube.com/watch?v=kO-70yKF4bE] He also gave a longer interview to Data Breach Today about the wider implications of the hack. The most important takeaway from this attack is you should always use an extra layer of protection -- in this case Yahoo's two-factor authentication on all your accounts -- and never reuse any important password. Even though Yahoo's passwords stored your passwords with encryption, it's still possible for criminals to get access to them, especially if they are weak. A former Yahoo employee told Reuters that the answers to security questions were deliberately left unencrypted to help catch fake accounts more easily because fake accounts that used the same answers over and over. Sean always uses nonsense answers for so-called security questions so they aren't guessable by anyone who knows him or follows him on social media. He recommends you do the same. So what should you do now? Sean recommends you "walk, not run" to your Yahoo account to disable your security questions and change your password -- and change them on any other site where you've used them to something unique. Make sure you create non-human passwords -- not patterns like yahoo1985. Make them long and difficult to remember. If they're between 20 and 32 characters, they are nearly uncrackable, as our senior researcher Jarno Niemelä recommends. And to deal with all that complexity, use a password manager like our F-Secure KEY, which is free on one device. You can also store your nonsense answers to your security questions in there. Then turn on two-factor authentication, if you haven't already. If you're wondering who might have carried out such a massive attack, Sean does have a hypothesis. [Image by Christian Barmala | Flickr]

September 23, 2016
BY