Home Working Security Tips | Have your credentials been hacked?
P@55worDs are like underwear*
Series 2
Ever got one of these from your friends? Ever sent one?
Various accounts are compromised every day, with the common denominator being the conspiracy theories that surround how it could have happened…
“My TV/Alexa/Google is spying on me”
“It’s houseparty / zoom / anyotherapp I’ve just installed”
“It’s 5G networks fault”
Want to know one of the most common reasons and how to stop it?
People reuse passwords. Either they use them in more than one app, or they rotate them, going back to old favourites over time. Or they change them, but only by one digit.
Think of how many different websites, mailing lists, review sites, forums, shopping sites, app stores, ebay, paypal, amazon, google, icloud and fast food delivery sites you may have signed up to in the past. Have a quick count in your head as to how many.
HOW MANY? More than you thought?
So what happens if one (or more) sites is breached, and the credentials made public?
Usually, one of two things :
- The bad guys perform “credential stuffing”. That means they “stuff” the email and password combination into every site they can find (ebay, paypal, amazon)to try and find a match. Then, if they get in, will use your identity on that site to their advantage. Depending on which site it is, the damage could be more or less.
- They will send you an email telling you all of your accounts have been hacked, and to prove it will include the one password they found. Then ask for a ransom.
The best defence is to use multi-factor authentication (Coming to Series 3), and remember why passwords are like underwear*
Secondly, there are strict obligations on companies to report data breaches in a timely manner. These reports, plus analysis of hacked data that’s been made available online, and the work of so-called ‘white hat’ (good guy) hackers, means there are resources to help you find out if any of your accounts have been compromised in a data hack.
Have I Been Pwned? Let’s check…
The best resource is to look on a site called haveibeenpwned.com and input your email address. Go on – try it now. If you don’t hit a match you are in the minority. New breaches are published all the time, so check back often, or better yet sign up to an alerting service.
If you get a hit, make sure the credentials used on that site aren’t repeated anywhere else.
So remember, don’t get stuffed!
*Don’t show them to anyone, don’t share them with people, and change them regularly!
