[BREACH] Be Careful Of Password Resets
Netflix and Facebook (and possibly other sites) began resetting the passwords of certain users recently. The affected users were locked out of their accounts; essentially, they found that the lock on the door had been changed and their key no longer fit it. Here's what's happening, why, and the steps you may need to take as a result…
Was Your Password Reset?
To start with, neither Netflix nor Facebook were hacked. These two companies (and probably others) have sent emails to affected customers explaining that because of a major breach at LinkedIn four years ago, their password may have been recently exposed. The message explained what had been done, why, and how to regain access to one’s account.
The reason for these password resets is simple: people are still doing dangerous things like “re-using” passwords; that is, using the same password for multiple sites. If a data thief grabs your LinkedIn credentials, then he may very well have your Netflix and Facebook credentials, too. You can bet he’s going to try your stolen credentials on every major online service, and some selected small ones (like your local bank’s portal).
Netflix and Facebook have been resetting passwords and contacting members whose online credentials have been stolen. But how do the two companies know whose credentials have been stolen, and which victims also have Netflix or Facebook accounts?
Not many years ago, hackers began posting the data they stole in the cloud, on servers open to anyone who wanted to download a copy of the data. This custom caught on as both a verification and boasting technique.
Hacker 1: “Oh, so you say you scored a billion passwords, prove it.”
Hacker 2: “Here they are!”
Yes, it is rather juvenile. Professional criminals don’t give away data that is worth money. Amateurs - many of them basement-dwelling social pariahs - have no idea how to sell big databases of user IDs, so to them it’s worth nothing but bragging rights.
The Keys to Your Kingdom
As a service to their users, companies like Facebook and Netflix buy knowledge of such publicly-available stolen data sets from firms that specialize in tracking the rise, fall, and movement of such things. Then Facebook and Netflix start comparing their databases to the stolen ones.
Wait, Netflix knows my password? Of course it does. If it didn’t, it couldn’t tell whether you entered the correct password when you tried to log in. But I thought that stuff was encrypted? It surely is encrypted; without the appropriate software key, you can’t read any user IDs. But Netflix and Facebook have the appropriate keys, obviously; they made the keys!
So these companies (and any others that wish to) can find any matches between stolen credentials and the credentials of their users. Those matches get their passwords reset and an email that politely and apologetically says, “You wouldn’t have had this inconvenience if you didn’t re-use your password!”
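The comparison described above, as an added example that is not Netflix's or Facebook's code and not from the original article. It assumes the site stores passwords as salted PBKDF2 hashes rather than in recoverable form (an assumption made here; the article speaks of encryption), which is why each leaked password has to be re-hashed under the matching user's own salt before it can be compared. The user table and the credential dump are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumption: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(email: str, password: str) -> dict:
    salt = os.urandom(16)  # a fresh salt per user, so equal passwords hash differently
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed sample: the site's own user table.
USERS = [
    make_user("alice@example.com", "dadada"),  # re-used a leaked password
    make_user("bob@example.com", "correct horse battery staple"),
    make_user("carol@example.com", "hunter2"),
]

# Constructed sample: a publicly posted credential dump, (email, clear-text password).
LEAKED = [
    ("alice@example.com", "dadada"),
    ("bob@example.com", "bobs-old-linkedin-pw"),  # bob changed it since; no match
    ("dave@example.com", "letmein"),              # not a member of this site
]


def find_reused_credentials(users, leaked):
    """Return the emails of users whose current password appears in the dump."""
    by_email = {u["email"].lower(): u for u in users}
    flagged = []
    for email, leaked_pw in leaked:
        user = by_email.get(email.lower())
        if user is None:
            continue  # the dump names someone who is not a member here
        # Hash the leaked password under this user's salt and compare in constant time.
        candidate = hash_password(leaked_pw, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            flagged.append(user["email"])
    return flagged


def force_reset(users, flagged):
    """Invalidate the stored hash so the exposed password no longer works."""
    for u in users:
        if u["email"] in flagged:
            u["hash"] = b""  # no password hashes to empty bytes
            u["must_reset"] = True
    return users


if __name__ == "__main__":
    hits = find_reused_credentials(USERS, LEAKED)
    print("accounts to reset:", hits)
    force_reset(USERS, hits)
    print("still matching after reset:", find_reused_credentials(USERS, LEAKED))
```

Because every candidate has to be hashed separately under each user's salt, the comparison costs one slow hash per (dump entry, user) pair that shares an email; that cost is the point of the salt, and it is also why a site needs its own stored hashes, not a copy of the plaintext, to run this check.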
Affected users need only click the “forgot password” link and follow instructions to enter a new password, and regain access to the account.
And of course, if you DO get notified that your password has been exposed, you should change it not only on that site, but on ALL other sites where you used that same password.
Beware the Rogues
Every time a large company does a mass emailing to its customers, there is a sharp upswing in the number of phishing emails related to that company. Hackers reason that users are expecting email from their trusted partners, and tailor their phishing emails to mimic what the real one(s) look like.
The phishing emails often try to obtain your new password. “Click here to reset your password” will take you to the hacker’s site, although it will look comfortingly like the one you expect and trust. There, the trusted company’s password-reset procedure is carefully reproduced. Your responses to the prompts - e.g., “new username, new password, confirm new password” - are copied by the hacker before being sent on to the actual company’s password-reset pages.
The copied credentials are sent to the hacker, who can now log into your account undetected, in many cases. Many systems do not raise security flags if a user apparently logs in from two different IP addresses simultaneously. They should, but don’t hold your breath waiting.
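The check that the article says most systems skip, as an added example that is not part of the original post and not any vendor's code: given an authentication log, flag an account whenever a new login arrives while another session on the same account is still active from a different IP address. The log lines and their format (`login`/`logout` events with `user=`, `ip=` and `session=` fields) are constructed for the example; sessions that never log out are expired after a fixed lifetime so a forgotten session does not raise alerts forever.

```python
from datetime import datetime, timedelta

# Assumed session lifetime when no logout event is ever seen.
SESSION_TTL = timedelta(hours=8)

# Constructed sample auth log (not from any real system).
LOG = """\
2016-06-08T10:00:01Z login user=alice ip=203.0.113.5 session=a1
2016-06-08T10:02:30Z login user=bob ip=198.51.100.7 session=b1
2016-06-08T10:05:00Z login user=alice ip=192.0.2.44 session=a2
2016-06-08T10:20:00Z logout user=alice session=a1
2016-06-08T11:00:00Z logout user=bob session=b1
2016-06-08T11:30:00Z login user=bob ip=198.51.100.7 session=b2
2016-06-08T11:40:00Z logout user=alice session=a2
2016-06-09T09:00:00Z login user=carol ip=203.0.113.9 session=c1
2016-06-09T20:00:00Z login user=carol ip=198.51.100.2 session=c2
"""


def parse_line(line: str):
    """Split 'TIMESTAMP EVENT k=v k=v ...' into (datetime, event, {k: v})."""
    ts_str, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, event, kv


def find_concurrent_sessions(log_text: str):
    """Return (user, existing_ip, new_ip) for every login that overlaps an
    active session on the same account from a different IP address."""
    active = {}  # user -> {session_id: (ip, started_at)}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        user = kv["user"]
        sessions = active.setdefault(user, {})
        # Drop sessions that were never logged out but are older than the TTL.
        for sid in [s for s, (_, start) in sessions.items() if ts - start > SESSION_TTL]:
            del sessions[sid]
        if event == "login":
            for ip, _ in sessions.values():
                if ip != kv["ip"]:
                    alerts.append((user, ip, kv["ip"]))
            sessions[kv["session"]] = (kv["ip"], ts)
        elif event == "logout":
            sessions.pop(kv["session"], None)
    return alerts


if __name__ == "__main__":
    for user, old_ip, new_ip in find_concurrent_sessions(LOG):
        print(f"ALERT {user}: session from {old_ip} still active, new login from {new_ip}")
```

In the sample, only alice trips the rule: her second login arrives while the first session is still open from another address. bob's two sessions do not overlap, and carol's second login comes eleven hours after a session that never logged out, so that stale session has already been expired.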
The undetected hacker will steal whatever he can while logged in as you. He may also change your password again, along with your emergency-contact info such as email address or phone number, leaving you stuck out in the cold while he runs amok with your account.
It’s obvious that you should increase your vigilance against phishing emails every time a company with which you do business suffers a data breach. I have written many articles on the subject of “how to detect phish;” just click the link for the search results on this site. http://goo.gl/SfMsZ2
What’s not so obvious is that you need to be on guard against phishing emails that look like they’re from other companies, as well. Even if you follow good password security practice, and don’t re-use passwords, you may still receive and fall for one of these phishing emails.
Are You Smarter Than a CEO?
A data breach need not even be recent to trigger a phishing email. As I mentioned earlier, in 2012, LinkedIn suffered the theft of some 65 million members’ credentials. Just last week, a man who re-used his LinkedIn password on Pinterest and Twitter found both of those accounts hijacked using that old LinkedIn password. The hackers “defaced” his Pinterest pages and tweeted nasty things from his Twitter account.
That’s right, the dummy not only re-used the same trivial password ("dadada") on at least three different accounts, but he also hadn’t changed his passwords in four years! The dummy’s name? Mark Zuckerberg, founder and CEO of Facebook.
Bottom line, if you get an email asking you to click a link to change your password, be on the alert. Instead of clicking that link, go directly to that website with a bookmark, or by manually entering the address. Secure, unique passwords are also a must. And don't wait four years to change your password -- once every 3 to 6 months would be a better idea.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 8 Jun 2016
Copyright © 2005 - Bob Rankin - All Rights Reserved