In the past 24 hours many media outlets have reported on how a Russian organized crime syndicate has accumulated over one billion user credentials (usernames, emails, passwords). While this is concerning, it is important to note that this was not the result of one particular breach and was accomplished over time with persistence by this organized criminal organization.
This organization was able to accumulate this information by compromising websites with weak coding practices and unpatched security vulnerabilities. By exploiting these weaknesses, they were able to access the websites’ backend databases that hold user credentials. They also accomplished this by sending emails to users with links to websites that were designed to infect computers with malware to capture keystrokes and credentials.
While this news is still developing, it is not a reason to panic, but it is a great reason to revisit secure computing practices. Some of those are:
• Do not use the same password for all your online accounts.
• Do not share your password with others and do not write it down. If you can you should store the password securely using a password manager. A free, commonly-used password manager that stores them in an encrypted database is PasswordSafe. http://passwordsafe.sourceforge.net/
• Use strong passwords. Strong passwords meet the following requirements: 8 characters in length containing an upper case, lower case character and either a number of special character (e.g., #@$%^). The longer the password, the more difficult it is to crack. In addition, do not use any dictionary words or personal information (e.g., first name, child’s name, pet’s name [if your Facebook friends know it, don’t use it!) in your password.
• Do not use public computers, such as those in libraries or hotels, to log on to your financial institutions or other websites housing personal sensitive information.
• Be wary of emails with links unless you trust the source. The links can often take you to a website that will load malware on your computing device.
• Also be on the lookout for phishing emails designed to lure you into revealing personal information that can be used to compromise your accounts. Emails asking for the following are likely phishing emails and should be deleted:
o We need to verify your account information.
o If you don’t respond immediately, your account will be cancelled.
o Click the link below to update your information.
[…] is some question as to whether the report is legit, a member of our TDS Security Team wrote up a great blog with tips for staying […]