Just received an alert email from Credit Karma ID Monitoring and it is alarming:
Alert email from Credit Karma
Weak password encryption, stolen encryption keys, and hacked staff accounts are just a few of the reasons your account credentials may be exposed, and the consequences can be painful.
Two years ago, I once saw a $990 charge to my eBay account for a purchase that I didn’t make, and it was traced all the way to someone in New Jersey, US. Needless to say, I enabled 2FA on eBay and requested that eBay alert me whenever a transaction is made.
Here is a short list of some alarming breaches:
Combolist of 1.4B credentials
- This breach isn’t from one site — it’s a combolist. Basically, someone put together info from individual data breaches and then shared that combined list publicly or on the dark web. Criminals use passwords from combolists to try to gain access to your other accounts. That’s why you should never re-use passwords, especially in places with sensitive personal or financial info (like your banking app, health insurance site, tax software, email account, etc.).
- At an unconfirmed date, JobStreet’s candidate user database was allegedly breached. The stolen data contains 15,900,000 records including email addresses, passwords, and full names. In October 2017, the data was shared publicly on a few hacker sites and forums.
- In February 2014, Kickstarter’s database was allegedly breached. The stolen data contains usernames, passwords, and email addresses. This breach is being publicly shared on the internet.
- In May of 2016, Tumblr revealed that it had discovered a 2013 breach of user email addresses and passwords. A hacker known as Peace was selling it on the darknet marketplace The Real Deal.
- In 2012, LinkedIn was the victim of an unauthorized breach of some members’ passwords. A hacker stole 6.5 million hashed passwords from the site and posted them to a Russian crime forum. Four years later, a Russian hacker, Peace, was selling 117 million email and password combinations from that breach on a dark web marketplace. The leaked passwords were hashed (with the SHA-1 function) but lacked salting, so identical passwords produced identical hashes and precomputed tables could be used against the whole dump at once. Presumably, LinkedIn began salting their passwords after the 2012 incident.
- Back in 2012, cloud storage company Dropbox suffered a major data breach when hackers used stolen employee login credentials to access a project document containing user email addresses and passwords. It wasn’t until August 2016 that it was confirmed that over 68 million user credentials were affected by the 2012 breach.
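The LinkedIn entry above turns on the difference between a fast, unsalted hash and a salted, deliberately slow one. The following Python script is an added example (not code from the alert, from Credit Karma or from LinkedIn; the 600,000 PBKDF2 iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256, and the user records are constructed) showing what a defender gains from salting: with unsalted SHA-1 every user who chose the same password is visible in the leaked table without guessing anything, while per-user salts plus PBKDF2 make each stored digest unique and expensive to test.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumption: iteration count taken from OWASP's guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def sha1_unsalted(password: str) -> str:
    """Fast, unsalted SHA-1: the scheme the 2012 LinkedIn dump used.

    Every user who picked the same password gets the same digest, so one
    precomputed table covers all of them at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).

    Returns (salt, digest); both are stored, and the salt need not be secret.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_salted(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def shared_password_groups_unsalted(users: List[Tuple[str, str]]) -> List[List[str]]:
    """Group usernames by unsalted digest: users sharing a password are
    visible straight from the leaked table, without guessing any of them."""
    groups = {}
    for name, password in users:
        groups.setdefault(sha1_unsalted(password), []).append(name)
    return [names for names in groups.values() if len(names) > 1]


def shared_password_groups_salted(users: List[Tuple[str, str]]) -> List[List[str]]:
    """Same grouping over salted digests: nothing groups, because each
    user's random salt makes the digest unique even for identical passwords."""
    groups = {}
    for name, password in users:
        _, digest = hash_salted(password)
        groups.setdefault(digest, []).append(name)
    return [names for names in groups.values() if len(names) > 1]


# Constructed sample records (not real leaked data).
SAMPLE_USERS = [
    ("alice", "linkedin"),
    ("bob", "linkedin"),
    ("carol", "correct horse battery staple"),
]

if __name__ == "__main__":
    print("unsalted SHA-1 groups:", shared_password_groups_unsalted(SAMPLE_USERS))
    print("salted PBKDF2 groups:", shared_password_groups_salted(SAMPLE_USERS))
    salt, digest = hash_salted("correct horse battery staple")
    print("verify ok:", verify_salted("correct horse battery staple", salt, digest))
```

Run it as-is: the unsalted grouping reports alice and bob as sharing a password, the salted grouping reports nothing, and verification still succeeds because the salt is stored next to the digest. The slow KDF is the second half of the defence: it makes each guess against a stolen table cost hundreds of thousands of hash operations instead of one.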
Prevention & protection
Don’t wait until it is too late – prevention is always better than cure. Here are 7 tips to stay on top of your identity security:
- Tip #1: Do not use a short or simple password: a passphrase is much stronger and easier to memorize. No more 8-character passwords, please.
- Tip #2: Install protection tools: install an antivirus program and an anti-phishing browser extension (Avast, AVG and Kaspersky all offer such extensions) to avoid phishing and scams.
- Tip #3: Do not reuse passwords across sites: use a password manager (LastPass, Roboform, 1Password) to keep your passwords safe.
- Tip #4: Enable two-factor authentication (SMS, token generator) wherever it is available.
- Tip #5: Change your passwords regularly (every 90 days or less).
- Tip #6: Sign up for online ID protection services: they are well worth it if you care about your online credentials.
- Tip #7: Use a sandbox: if you ABSOLUTELY have to open an unknown file or program, create a virtual machine and try it inside a contained environment. Note that this is NOT 100% secure, but it can minimize the damage, especially when you limit the VM’s access to the host.
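Tips #1 and #3 are easy to check mechanically against a password manager export. The script below is an added example in Python (not from the post or any password manager; the 7,776-word Diceware dictionary size, the 60-bit policy threshold and the sample export are assumptions) that estimates how many bits of guessing work a password represents, compares that with a word-based passphrase, and flags any password that appears on more than one site.

```python
import math
import string
from typing import Dict, List, Tuple

# Assumptions: a 7776-word Diceware-style list, and a 60-bit policy floor.
DICEWARE_WORDS = 7776
MIN_BITS = 60


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def password_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming a uniformly random string
    over the detected alphabet. Dictionary words score lower in reality."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of N words drawn uniformly at random from a dictionary."""
    return word_count * math.log2(dictionary_size)


def find_reuse(credentials: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each password that appears on more than one site to those sites."""
    by_password: Dict[str, List[str]] = {}
    for site, password in credentials:
        by_password.setdefault(password, []).append(site)
    return {p: sites for p, sites in by_password.items() if len(sites) > 1}


def audit(credentials: List[Tuple[str, str]], min_bits: int = MIN_BITS) -> List[str]:
    """One finding per weak password and one per reused password."""
    findings = []
    for site, password in credentials:
        bits = password_bits(password)
        if bits < min_bits:
            findings.append(f"{site}: weak ({bits:.1f} bits, policy needs {min_bits})")
    for sites in find_reuse(credentials).values():
        findings.append("same password reused across " + ", ".join(sites))
    return findings


# Constructed password-manager export (site, password); not real credentials.
SAMPLE_EXPORT = [
    ("bank.example", "Summer17!"),
    ("mail.example", "Summer17!"),
    ("shop.example", "Tr0ub4dor&3"),
    ("tax.example", "correct horse battery staple"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
    print(f"5 random Diceware words: {passphrase_bits(5):.1f} bits")
```

A 9-character mixed password like the constructed "Summer17!" lands just under 59 bits and fails the 60-bit floor; five random dictionary words clear it at about 64.6 bits, which is the point of Tip #1. Note that `password_bits` is only an upper bound: a four-word passphrase scores far higher as a "random string" than the 51.7 bits `passphrase_bits(4)` gives it, so use the dictionary estimate for word-based passphrases.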
In case such incidents happen to you (stolen credit cards, unauthorized transactions, exposed passwords), here are three pieces of advice you can follow:
- Advice #1 Seal the leaks: if it’s a credit card, cancel it immediately; if it’s a compromised account, change the password right away or close that account. If it is an unauthorized transaction, alert the service provider and request a refund.
- Advice #2 Identify the source of the leaks: do you leave your credit card unattended? Do you sign up on different sites with the same password? Do you share access with someone else whose account is compromised?
- Advice #3 Stay up to date: keep your systems such as PCs, laptops, mobile phones and network devices up to date to fix any zero-day exploits or unpublished loopholes. I once found out that my primary router is password-protected but my secondary router was still using outdated firmware which is vulnerable to DDoS and remote code execution attacks.
Most importantly, use first-principles thinking – if it’s too good to be true, then it isn’t true. If it’s too simple, then it will be easy to attack.
1. Credit Karma ID Monitoring: https://www.creditkarma.com/id-monitoring/search
2. Top 10 Application Security Risks – 2017: Top 10 OWASP: https://www.owasp.org/index.php/Top_10-2017_Top_10