It seems like every other week there is a new data breach in the news. Among the notable disclosures of 2016 were LinkedIn, Yahoo, and, as of December 5, 2016, Dailymotion (a video hosting service).
These were all huge attacks with considerable compromises; Yahoo topped the charts with nearly 1 billion accounts exposed. In the face of such invasive assaults, we're left asking: why do these breaches occur, and what can we do to protect our privacy and our organizations from future attacks?
There are many reasons adversaries attack websites, but cybercriminals are primarily looking to make money. Often they are after large lists of email addresses to target with phishing links. With a list of 80 million accounts, they know they are bound to get thousands, possibly millions, of people to click a link and fall into the trap. Once a victim has entered a username and password on the fake site, the thieves try those same credentials against email and financial accounts, preying on people's tendency to reuse credentials across multiple sites.
Once attackers hold emails and passwords from a data breach, they often skip the phishing phase entirely and write a script that tries every stolen credential pair against a few high-value sites such as PayPal, bank login pages, and webmail (this automated replay is known as credential stuffing). Attackers understand that it is far easier to target many people at once than to focus on one person at a time. With access to an email account, a criminal can reset passwords and take over financial accounts as well. Therefore, protect your email password as you would a bank account password.
How can you protect yourself from potential attacks?
Answer: Do NOT reuse passwords on multiple sites. Even similar passwords (the same word with a different number or symbol on the end) are useful to an attacker once a computer has been set up to test such variations automatically.
How am I supposed to remember that many passwords?
Answer: Use a password manager such as LastPass to synchronize passwords across every device you use. For help setting up LastPass, check out their support center here: LastPass.
LastPass, however, isn't a "set it and forget it" solution. As with any security practice, we want to make sure we maintain it, which leads to our next piece of advice:
Change passwords every 6 to 12 months, and use LastPass's "Generate Password" feature to simplify the job. We recommend a randomly generated password of at least 12 characters for adequate security.
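To make the two points above concrete (why "similar" passwords do not count as new ones, and what a replacement should look like), here is an added Python example; it is not from the original post or from LastPass. It reproduces a small, hypothetical subset of the mangling rules a credential-stuffing script applies to a leaked password, checks a candidate against those variants, and generates a random replacement of at least 12 characters with the standard library's `secrets` module. The leaked credential set, the email addresses and the rule list are constructed for illustration.

```python
import re
import secrets
import string

# Constructed sample of leaked credentials (illustrative, not real data).
LEAKED = {
    "alice@example.com": "Summer2016!",
    "bob@example.com": "correcthorse",
}

# A small, hypothetical subset of the mangling rules credential-stuffing
# tools apply to a known password; real rule sets are far larger.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123", "2016", "2017", "!1"]


def variants(password):
    """Return the leaked password plus cheap guesses derived from it."""
    out = set()
    # Strip trailing digits/symbols to recover the base word ("Summer2016!" -> "Summer").
    base = re.sub(r"[\d\W_]+$", "", password) or password
    for form in {password, base, base.lower(), base.capitalize(), base.translate(LEET)}:
        for suffix in SUFFIXES:
            out.add(form + suffix)
    # Bump an embedded number by one: "Summer2016!" -> "Summer2017!".
    m = re.fullmatch(r"(.*?)(\d+)(\D*)", password)
    if m:
        head, digits, tail = m.groups()
        out.add(f"{head}{int(digits) + 1:0{len(digits)}d}{tail}")
    return out


def is_reused(email, candidate, leaked=LEAKED):
    """True if candidate equals the leaked password for email or one of its cheap variants."""
    leaked_pw = leaked.get(email.lower())
    if leaked_pw is None:
        return False
    return candidate in variants(leaked_pw)


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16):
    """Random password from a CSPRNG; refuses anything shorter than the 12-character floor."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for guess in ["Summer2016!", "Summer2017!", "summer123", "Summ3r!", "Tr0ub4dor&3"]:
        print(f"{guess:14} reused? {is_reused('alice@example.com', guess)}")
    print("replacement:", generate_password())
```

The point of `variants()` is that "Summer2017!" and "summer123" are not new passwords in any meaningful sense: a few cheap rules recover them from the leaked "Summer2016!". A manager-generated string of 16 random characters, by contrast, shares nothing with the leak and cannot be derived from it.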
How can I know if my information has been included in a new breach?
Answer: HaveIBeenPwned is an excellent source of information on data breaches. Look for the "Notify me" tab at the top of the page to sign up for an alert whenever one of your accounts appears in a newly loaded breach.