Sign up to our newsletter
The latest security news direct to your inbox
When Adobe admitted this week that 38 million of its users may have had their ID and passwords leaked, it was not the first big site to break this sort of news to its users.
Sony, Evernote, LinkedIn – there are dozens of companies which have fallen victim to hackers over the past few years, leaking everything from credit card details to email addresses, and often affecting millions or tens of millions.
What should you do when it happens? You’ll often – but not always – get an email from the company explaining what’s happening, and what to do.
But the advice you’re offered by the company might be the bare minimum you can do to stay safe – and our tips offer a few extra safeguards.
It’s worth checking company sites in the event of any breach – you’ll often find more detail there, and advice on specific risks. Even company Twitter feeds can help. Adobe, for instance, offers some good advice for its users here.
Don’t always believe what they tell you
In the first few hours after a major breach, the company itself may not be aware of the extent of the attack – and may be attempting to “manage” the crisis. ESET Senior Research Fellow David Harley says, “Often, there isn’t much you can do when a major company screws up. And in fact, it’s not unknown for a company to try to gloss over the breach by not notifying individual users unless they know that they’re likely to be affected. (Local legislation has a lot of influence here: where there is legislation forcing disclosure, it may depend on how much wiggle room is left.)
Been “reassured” by email? Stay alert
In many breaches, the news is not announced via company sites or Twitter feeds – it’s first sent as an email to users. But breaches can turn out to be far worse than they appear – to take Adobe’s example, it initially seemed that “only” three million users were affected. Take as many precautions as you can, regardless of what the email says (see our advice on passwords below). Harley says, “If a company does notify you individually, it’s as well to take it seriously and consider carefully whatever advice they give you. However, it’s as well to bear in mind that such notifications may play down the threat for PR reasons, and in any case the company’s understanding of the security implications may be incomplete.”
The word “encrypted” doesn’t always mean you’re safe – nor does a strong password
When hackers break into a company and leak huge amounts of encrypted IDs and passwords, companies often trumpet the fact that the data was “encrypted” – but there are different levels of encryption, and once leaked, cybercriminals will use specialised software to extract passwords. Once the data is out there, criminals have months to use cracking software on the encrypted data – and if they are determined, and lucky, they’ll break in, no matter how strong a password you use. That means it’s doubly important to change passwords if they are reused elsewhere. If you have used a weak password, though, it will be easier for criminals to “crack” yours. A We Live Security guide to creating a stronger password is here.
Phish alert! Be very, very careful about emails from the company
When a breach occurs, the company may well email you – but be wary, cybercriminals will see this as an opportunity, too. Harley says, “Bear in mind that it’s not unknown for scammers to use breaches like this as a starting point for fake alerts used for phishing purposes. If you get an alert that contains links that require you to enter your password so that you can change it, or to access further information, treat it as suspicious. Rather than follow the link, go to a page you know is genuine and drill down from there.”
Don’t just change one password
Once a big breach has hit the news, most users change their passwords – or are forced to. But the criminals may target email services with the passwords – so it’s a good idea to have a clean sweep of online services you use, such as email, social networking and storage sites such as Dropbox. Harley says, “Where your login credentials have been revealed, it’s obviously a good idea to change your password, and in fact the compromised site may force you to do so. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. (Of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”
Don’t set yourself up for a fall
Internet users get asked for passwords dozens of times a week – so it’s only natural passwords DO get reused. Harley advises that one approach is to save your “good” email and strong passwords for the sites that matter, “Some people use a different username and standard ‘throwaway’ password on sites that don’t really matter and that they’re unlikely ever to visit again. If you do this, be sure that you use something individual and harder to crack on sites that do matter, or might in the future.”
Author Rob Waugh, We Live Security