[BREACH] Be Careful Of Password Resets

Category: Security

Netflix and Facebook (and possibly other sites) began resetting the passwords of certain users recently. The affected users were locked out of their accounts; essentially, they found that the lock on the door had been changed and their key no longer fit it. Here's what's happening, why, and the steps you may need to take as a result…

Was Your Password Reset?

To start with, neither Netflix nor Facebook was hacked. These two companies (and probably others) have sent emails to affected customers explaining that because of a major breach at LinkedIn four years ago, their password may have been recently exposed. The message explained what had been done, why, and how to regain access to one’s account.

The reason for these password resets is simple: people are still doing dangerous things like “re-using” passwords; that is, using the same password for multiple sites. If a data thief grabs your LinkedIn credentials, then he may very well have your Netflix and Facebook credentials, too. You can bet he’s going to try your stolen credentials on every major online service, and some selected small ones (like your local bank’s portal).

Netflix and Facebook have been resetting passwords and contacting members whose online credentials have been stolen. But how do the two companies know whose credentials have been stolen, and which victims also have Netflix or Facebook accounts?

Password Reset Button

Not many years ago, hackers began posting the data they stole in the cloud, on servers open to anyone who wanted to download a copy of the data. This custom caught on as both a verification and boasting technique.

Hacker 1: “Oh, so you say you scored a billion passwords, prove it.”
Hacker 2: “Here they are!”

Yes, it is rather juvenile. Professional criminals don’t give away data that is worth money. Amateurs - many of them basement-dwelling social pariahs - have no idea how to sell big databases of user IDs, so to them it’s worth nothing but bragging rights.

The Keys to Your Kingdom

As a service to their users, companies like Facebook and Netflix buy knowledge of such publicly-available stolen data sets from firms that specialize in tracking the rise, fall, and movement of such things. Then Facebook and Netflix start comparing their databases to the stolen ones.

Wait, Netflix knows my password? Of course it does. If it didn’t, it couldn’t tell whether you entered the correct password when you tried to log in. But I thought that stuff was encrypted? It surely is encrypted; without the appropriate software key, you can’t read any user IDs. But Netflix and Facebook have the appropriate keys, obviously; they made the keys!

So these companies (and any others that wish to) can find any matches between stolen credentials and the credentials of their users. Those matches get their passwords reset and an email that politely and apologetically says, “You wouldn’t have had this inconvenience if you didn’t re-use your password!”

Affected users need only click the “forgot password” link and follow instructions to enter a new password, and regain access to the account.

And of course, if you DO get notified that your password has been exposed, you should change it not only on that site, but on ALL other sites where you used that same password.

Beware the Rogues

Every time a large company does a mass emailing to its customers, there is a sharp upswing in the number of phishing emails related to that company. Hackers reason that users are expecting email from their trusted partners, and tailor their phishing emails to mimic what the real one(s) look like.

The phishing emails often try to obtain your new password. “Click here to reset your password” will take you to the hacker’s site, although it will look comfortingly like the one you expect and trust. There, the trusted company’s password-reset procedure is carefully reproduced. Your responses to the prompts - e.g., “new username, new password, confirm new password” - are copied by the hacker before being sent on to the actual company’s password-reset pages.

The copied credentials are sent to the hacker, who can now log into your account undetected, in many cases. Many systems do not raise security flags if a user apparently logs in from two different IP addresses simultaneously. They should, but don’t hold your breath waiting.

The undetected hacker will steal whatever he can while logged in as you. He may also change your password again, along with your emergency-contact info such as email address or phone number, leaving you stuck out in the cold while he runs amok with your account.

It’s obvious that you should increase your vigilance against phishing emails every time a company with which you do business suffers a data breach. I have written many articles on the subject of “how to detect phish”; just click the link for the search results on this site: http://goo.gl/SfMsZ2

What’s not so obvious is that you need to be on guard against phishing emails that look like they’re from other companies, as well. Even if you follow good password security practice, and don’t re-use passwords, you may still receive and fall for one of these phishing emails.

Are You Smarter Than a CEO?

A data breach need not even be recent to trigger a phishing email. As I mentioned earlier, in 2012, LinkedIn suffered the theft of some 65 million members’ credentials. Just last week, a man who re-used his LinkedIn password on Pinterest and Twitter found both of those accounts hijacked using that old LinkedIn password. The hackers “defaced” his Pinterest pages and tweeted nasty things from his Twitter account.

That’s right, the dummy not only re-used the same trivial password ("dadada") on at least three different accounts, but he also hadn’t changed his passwords in four years! The dummy’s name? Mark Zuckerberg, founder and CEO of Facebook.

Bottom line, if you get an email asking you to click a link to change your password, be on the alert. Instead of clicking that link, go directly to that website with a bookmark, or by manually entering the address. Secure, unique passwords are also a must. And don't wait four years to change your password -- once every 3 to 6 months would be a better idea.

Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted by on 8 Jun 2016

Most recent comments on "[BREACH] Be Careful Of Password Resets"

Posted by:

David Quinn
08 Jun 2016

Thank you for the info.


Posted by:

Lucy
08 Jun 2016

Once again Bob hits the mark.

At the risk of sounding naive I have never understood the need to change a good, strong, unique password every 3 to 6 months (or ever really).

But reading this excellent article, I wonder if it may be because sites could be hacked and it is not known about for some time. But if the site is hacked surely the hackers know the new password also?

So I guess I am still wondering about the logic of needing to change passwords regularly?


Posted by:

Stuart Berg
08 Jun 2016

Bob,
You have a serious typo:

"And of course, if you DO get notified that your password has been exposed, you should change it only on that site ..."

should say:

"And of course, if you DO get notified that your password has been exposed, you shouldn't change it only on that site"


Posted by:

CtPaul
08 Jun 2016

Bob's pc wrote: " you should change it only on that site, but on ALL other sites where you used that same password."

You see, PC, a spell checker is not enough! A PROOF-READER who checks the context is essential!


Posted by:

Cho
08 Jun 2016

Actually, Bob is a seasoned programmer. The way he would have correctly written the typo would have been:
"And of course, if you DO get notified that your password has been exposed, you should change it NOT only on that site ..."


Posted by:

Paul
08 Jun 2016

1. Download or subscribe to a password manager (Keepass or Lastpass for example)
2. Create a strong access code for the password manager's vault
3. Create a unique different password for every site and store it in the vault


Posted by:

Rich
08 Jun 2016

All the passwords we need to keep track of.
Question: Are password managers trustworthy? What is to stop a Password Manager from letting you GIVE them that information? To really be safe one should write them all down with old fashioned pen and paper IMO. Maybe an idea for an article for you.


Posted by:

Misterfish
08 Jun 2016

Bob, that is a very useful warning, thank you. I have dozens of password-protected accounts to manage (many of which I have surely forgotten about after one use); it is impossible to remember half of my passwords, let alone update them from time to time. Any suggestions?

I use two different types of password - special high level passwords for sensitive data (banks, email accounts, Facebook) but one simple one for all other accounts (forums and those sites which insist on registering with a password before access).

Updating passwords is usually quite regular as I frequently forget my password and have to have it reset with a new one....

Misterfish


Posted by:

Marlene
08 Jun 2016

I use a Rolodex to keep all my passwords in. It sits on top of my desk top computer. That way no one sees it in the computer files.


Posted by:

MickL
09 Jun 2016

I'm sure our collective hearts go out to Zuckerberg, boo-hoo


Posted by:

bb
09 Jun 2016

Bob wrote: "Netflix knows my password? Of course it does. If it didn’t, it couldn’t tell whether you entered the correct password when you tried to log in." That is not correct if Netflix's security is done right. Specifically, that means they store a salted hash, not the user’s actual password. And the difference, as they say, is yuge.
To explain that, the user’s password itself must never be *stored* as is – thus the site cannot tell you your password, so it can’t be said that they 'know' your password. (This is not an encrypted database; each individual password needs to be separately and individually encrypted.) When a password is entered by someone wanting to log in, the site 'hashes' the input and compares the newly computed hash with the stored hash. If they match, then that was the correct password. The key is, given a hash, the mathematics dictate the hash cannot be undone to reveal the original password. (In mathematical terms hashing is considered a one-way function.)
So one may think that storing the password hash is sufficient. No! 1) Hash functions are well known, and an attacker will pre-compute the hash of all common passwords. If a stolen password file has any of those pre-computed hashes, bingo, they’re in. And 2) if the same hash is used for all users, then the attacker looks for identical hashes and then knows all those people used the same password. Thus all password hashes must also be individually 'salted' – something added to the password that is different for each user.
Security is hard, and there are many more ways to get it wrong than right. As Yogi Berra supposedly put it, "In theory, theory and practice are the same; in practice, they’re not."
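
The comment above draws the line between storing a salted hash and "knowing" a password, and the article itself describes services comparing their own user records against published stolen lists. The Python below is an added example, not code from the article, its author, or any commenter: it puts the unsalted scheme (identical hashes expose every user who re-used a password) beside per-user salted PBKDF2 storage and constant-time verification, and adds a reset-time check of a newly chosen password against a breached list. The user names, the leaked list, and the iteration count are constructed for the example; real services receive such lists from breach-tracking firms, not as plaintexts.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Set

# PBKDF2 work factor. Assumed value for this example; a real service tunes it
# to its hardware and revisits it over time.
PBKDF2_ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """The weak scheme the comment warns about: one plain SHA-256, no salt.
    Every user who picked the same password gets the same stored value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted storage: a fresh random 16-byte salt per user, stretched with
    PBKDF2-HMAC-SHA256. The record carries its own parameters so the work
    factor can be raised later without locking anyone out."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time. The site never recovers the password from the record."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def shared_password_groups(unsalted_records: Dict[str, str]) -> List[Set[str]]:
    """Given user -> unsalted hash, return groups of users whose stored hashes
    are identical. An unsalted dump hands this grouping to whoever holds it;
    salting removes it."""
    by_hash: Dict[str, Set[str]] = defaultdict(set)
    for user, h in unsalted_records.items():
        by_hash[h].add(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Constructed stand-in for a published stolen-credential list. Real lists reach
# a service as hashes from breach-tracking firms; the plaintexts are listed
# here only so the example is self-contained.
LEAKED_PLAINTEXTS = ["dadada", "password", "123456"]
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PLAINTEXTS
}


def is_breached(password: str) -> bool:
    """Reject a newly chosen password that appears in a known breach, so a
    re-used credential is caught at reset time instead of after the fact."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper() in BREACHED_SHA1


def demo() -> dict:
    """Constructed sample: two users (names invented) chose the same password."""
    alice_rec = hash_password("dadada")
    mark_rec = hash_password("dadada")
    unsalted = {
        "alice": unsalted_hash("dadada"),
        "mark": unsalted_hash("dadada"),
        "bob": unsalted_hash("correct horse battery staple"),
    }
    return {
        "salted_records_differ": alice_rec != mark_rec,
        "both_verify": verify_password("dadada", alice_rec)
        and verify_password("dadada", mark_rec),
        "wrong_password_rejected": not verify_password("Dadada", alice_rec),
        "unsalted_groups": shared_password_groups(unsalted),
        "reused_password_flagged": is_breached("dadada"),
        "fresh_password_passes": not is_breached("correct horse battery staple"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the two salted records for the same password differ yet both verify, while the unsalted table groups "alice" and "mark" together with no cracking at all; that grouping is the second problem the comment describes. The breached-list check is the defensive counterpart to the matching the article attributes to Netflix and Facebook: a service can refuse a known-leaked password at reset time without ever storing it in recoverable form.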


Posted by:

Al Jankowski
09 Jun 2016

The list I made of most of the sites I log onto runs to 3 pages. Perhaps I am a moron compared to the rest of your posters, but I literally cannot create unique strong passwords for each of those sites, change them every 3 months, and remember them. I love the Rolodex solution. However my computer is a laptop. The Rolodex is an awkward thing to pack with my laptop and assorted other things I carry with it. Besides, there is a real risk of it being lost or stolen while I am about. A password manager seems like a good idea. However I am nervous about relying only on that. Software has been known to have bugs, or be hacked, or ...


Posted by:

Mac
09 Jun 2016

So what does American Express know, or do, that most everyone else doesn't? I have a simple password I have used for many years for my AMEX account access. AMEX has never suggested, or requested, I change my password! If changing passwords regularly is so all fired important, then why doesn't AMEX ask it be done? They ain't a bunch of dummies, I'm sure!


Posted by:

Citellus
09 Jun 2016

I keep my passwords on a flash drive that only goes into the computer when I need one that I cannot remember, and it is immediately removed when I have found the password.


Posted by:

RandiO
09 Jun 2016

The number of LinkedIn users' breached email addresses and passwords (hashed or otherwise) is now being said to be over 117 million total.
When a user thinks of the potential devastating effects of this particular LinkedIn breach, one must keep in mind that LinkedIn is where ALL of your life's personal data resides: full name, physical/email address, phone #, schooling, age, your whole professional career, etc.
I think that the old adage about "putting all your eggs in one basket" proves itself correct again. But I bet not too many LinkedIn users thought of the potential for this most severe personal information hack attack when they joined and laid all their eggs as instructed...


Posted by:

henk
10 Jun 2016

So one's password is hacked. Pretty important -> the information is out there on the street anyway.
All the LinkedIn info, all you share on all the other platforms, all the info that's sent through - with or without your permission.
And all the info your government gathers. And all the info you share with your bank and broker and - what the heck - all the harvesters like Google, Apple, Microsoft and so on.

I think RandiO says it right: when you give away all the facts of your life, why bother wondering who's collecting them?

My advice: change your ID as often as possible (that includes IP address and passwords).
Or accept that you're an open book....


Posted by:

Geetha
13 Jun 2016

This blog provides useful information about new techniques and concepts. Very impressive lines are given, which is very attractive.


Article information: AskBobRankin -- [BREACH] Be Careful Of Password Resets (Posted: 8 Jun 2016)
Source: http://askbobrankin.com/breach_be_careful_of_password_resets.html
Copyright © 2005 - Bob Rankin - All Rights Reserved