Are Hackers Using Your Passwords?
Over the last three years millions of passwords have been stolen. Below I explain how you can check whether you have been a victim.
Have hackers got hold of one of your usernames and passwords? They probably have, and you don’t even know it yet. Just look at some of the big companies that have been hacked over the past few years: Adobe (over 38 million customers had their account details stolen), Evernote (50 million), Apple (12 million), Twitter (250,000) and Sony (77 million). These are just a few of the biggest; there have been hundreds more. Hackers target usernames, email addresses, passwords and, of course, credit card numbers. People usually reuse the same username and password across several accounts, so compromising just one account can leave the others exposed.
So why do the big companies keep letting their guard down? How can you tell if your account details have been stolen? What can you do if you find they have been? And how can you stop them being stolen in the first place?
Attacks on the rise
It seems that barely a week can pass without a report that another company has been hacked. It has become so common that a breach only makes the headlines if it has affected tens of millions of people.
Independent security analyst Graham Cluley has been quoted as saying: “It certainly feels as if successful data breaches are on the rise. What we are witnessing is a natural consequence: more companies are embracing the web and storing our personal information online, hackers understand the potential commercial value of stealing information, and there has been a failure to put adequate security in place quickly enough.”
Adobe’s security was insufficient in one of the most high-profile hacks of recent months. It was initially estimated that only three million customers were affected, but Adobe later admitted the figure was closer to 38 million customers whose account details had been stolen. Some independent estimates put the figure as high as 153 million, but Adobe claimed that this included a lot of duplicate and redundant data.
Adobe reset the passwords and informed all of its affected customers, but only after a huge file of data had been posted on the Internet for anyone to read. What security experts found in that data was shocking. Adobe had not hashed the passwords at all: it had encrypted them with a symmetric cipher (3DES), unsalted and in ECB mode, so every customer who had chosen the same password had exactly the same ciphertext in the dump. Worse, the leaked records included each user’s password hint in plain text, next to their email address. Hundreds of thousands of users had entered hints like “name”, “me” or “birthday”, and once one user’s hint gave away a password, every other account with the same ciphertext was known to share it. This left hackers with easy access to any account protected by an easily guessed password, without having to break the cipher.
This attack on Adobe was much more serious than the breach in March 2013 in which Evernote had around 50 million accounts compromised. The hackers got hold of usernames, email addresses and passwords, but the passwords were stored as salted hashes, making it far harder to turn them back into passwords. Evernote reset the passwords for all its affected customers as a precaution anyway.
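The difference between the two breaches comes down to how the stored password values group together. The script below is an added illustration, not Adobe’s or Evernote’s code, and the accounts, hints and “telling hint” phrases in it are constructed. It stands in for Adobe’s unsalted 3DES-ECB with a deterministic function (the property that matters is that equal passwords give equal stored values), shows how one revealing hint cracks every account in the same ciphertext group, and then repeats the attack against a per-user salted hash, where the groups collapse to single users.

```python
"""Why unsalted, deterministic password storage plus plaintext hints leaks passwords.

Added example, not Adobe's or Evernote's code. All accounts, hints and the
TELLING_HINTS table are constructed for the demonstration.
"""
import hashlib
import os
from collections import defaultdict


def adobe_style_encrypt(password: str) -> str:
    """Stand-in for Adobe's unsalted 3DES-ECB: deterministic, no per-user salt.
    A keyed SHA-256 is used only so the script runs without a cipher library;
    the property that matters here is same password -> same stored value."""
    return hashlib.sha256(b"fixed-key:" + password.encode()).hexdigest()[:16]


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salted, iterated hash (what a site should store instead)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()[:16]


# Constructed sample accounts: (email, password, hint). The passwords are used
# only to build the two dumps; the attacker never sees them directly.
ACCOUNTS = [
    ("ann@example.com", "123456", "usual"),
    ("bob@example.com", "123456", "one to six"),
    ("cat@example.com", "123456", "me"),
    ("dan@example.com", "letmein", "what you say at the door"),
    ("eve@example.com", "letmein", "usual"),
    ("fay@example.com", "Tr0ub4dor", "birthday"),
]

# Hint phrases an attacker recognises (constructed; in the real Adobe dump these
# were simply read by eye).
TELLING_HINTS = {"one to six": "123456", "what you say at the door": "letmein"}


def build_adobe_dump(accounts):
    """(email, stored value, hint) with deterministic, unsalted storage."""
    return [(email, adobe_style_encrypt(pw), hint) for email, pw, hint in accounts]


def build_salted_dump(accounts):
    """(email, 'salt$hash', hint) with a fresh random salt per user."""
    out = []
    for email, pw, hint in accounts:
        salt = os.urandom(16)
        out.append((email, salt.hex() + "$" + salted_hash(pw, salt), hint))
    return out


def crack_with_hints(dump):
    """Group records by stored value. One telling hint anywhere in a group
    cracks every member, including users whose own hint was useless
    ('usual', 'me'). Returns {email: recovered password}."""
    groups = defaultdict(list)
    for email, stored, hint in dump:
        groups[stored].append((email, hint))
    cracked = {}
    for members in groups.values():
        guesses = {TELLING_HINTS[h] for _, h in members if h in TELLING_HINTS}
        if len(guesses) == 1:  # the group's hints agree on a single password
            pw = guesses.pop()
            for email, _ in members:
                cracked[email] = pw
    return cracked


if __name__ == "__main__":
    for name, dump in (("unsalted (Adobe-style)", build_adobe_dump(ACCOUNTS)),
                       ("salted hash", build_salted_dump(ACCOUNTS))):
        distinct = len({stored for _, stored, _ in dump})
        print(f"{name}: {distinct} distinct stored values, "
              f"{len(crack_with_hints(dump))} accounts cracked from hints")
```

Run against the constructed accounts, the unsalted dump has only three distinct stored values for six users and five accounts fall to two hints; the salted dump has six distinct values and only the two users who wrote a revealing hint themselves are exposed.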
The dangers of using the same password
‘Usual’ was the third most common password hint in the leaked Adobe file, used by a staggering 387,222 customers, despite constant warnings not to use the same password on every site. Back in 2012 Yahoo suffered a massive data breach; when the compromised accounts were compared with those exposed in the 2011 Sony hack, a staggering 59% of the people who appeared in both were found to be using the same password on both services. The hackers must have been rubbing their hands with glee when they saw how often the ‘usual’ hint appeared. By cracking that one password they would gain access not only to the Adobe account but to any other site where the same username and password were used. And if it was also the password for the victim’s email account (the email address was the username in the case of the Adobe victims), the hackers would have struck gold.
Email accounts are a treasure chest of personal information for a hacker: contacts, credit-card statements, bank statements, online shopping receipts and much more. Most of all, hackers want control, and what better way to get it than being able to reset your passwords on every website you use? They can do this because the reset link is normally sent to the registered email address. That gives the hacker free rein to go shopping on your credit card, if it is linked to any account they can reach, until you realise what is going on.
You might still be wondering why the big, well-resourced companies keep letting their guard down. It can’t be beyond their technical capability or budget to secure their websites properly. Kaspersky’s senior security researcher David Emm has been quoted as saying: “it’s not often the websites themselves let hackers in, it’s the company’s own staff”.
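The Sony/Yahoo comparison above is a simple cross-reference of two leaked lists by email address. The script below is an added example, not the article’s or the cited study’s code; both dumps are constructed and their passwords are shown in clear as if already recovered. It goes slightly beyond exact matching by also counting “near” reuse (the same password with a different trailing year or digit), which is the variation an attacker would try first, and lists the addresses worth pivoting to the email provider with.

```python
"""Cross-referencing two breach dumps for password reuse.

Added example, not from the article or from the Sony/Yahoo analysis it cites.
DUMP_A and DUMP_B are constructed; passwords appear in clear as if already
recovered from the dumps.
"""
import re

# Constructed dumps: {email: recovered password}
DUMP_A = {
    "Ann@example.com": "Summer2011",
    "bob@example.com": "qwerty",
    "cat@example.com": "hunter2",
    "dan@example.com": "letmein",
    "eve@example.com": "S0ny!",
    "fay@example.com": "dragon",
}
DUMP_B = {
    "ann@example.com": "summer2012",
    "bob@example.com": "qwerty",
    "cat@example.com": "hunter2",
    "dan@example.com": "letmein1",
    "eve@example.com": "Yah00!",
    "gus@example.com": "zzz",
}


def by_email(dump):
    """Normalise addresses so Ann@... and ann@... join up."""
    return {email.strip().lower(): pw for email, pw in dump.items()}


def normalise(pw: str) -> str:
    """Crude 'near reuse' key: lowercase and strip a trailing run of digits or
    punctuation, so Summer2011 and summer2012 compare equal. A heuristic chosen
    for this example, not the cited study's method."""
    return re.sub(r"[\d!@#$%^&*._-]+$", "", pw.lower())


def reuse_report(dump_a, dump_b):
    """Count exact and near password reuse across the addresses in both dumps."""
    a, b = by_email(dump_a), by_email(dump_b)
    shared = sorted(set(a) & set(b))
    exact = [e for e in shared if a[e] == b[e]]
    near = [e for e in shared if a[e] != b[e] and normalise(a[e]) == normalise(b[e])]
    return {
        "shared": len(shared),
        "exact": len(exact),
        "near": len(near),
        "exact_pct": round(100 * len(exact) / len(shared), 1) if shared else 0.0,
        # Addresses an attacker would try next against the mail provider itself,
        # with both recovered passwords.
        "pivot_candidates": exact + near,
    }


if __name__ == "__main__":
    report = reuse_report(DUMP_A, DUMP_B)
    print(f"{report['shared']} addresses in both dumps; "
          f"{report['exact']} exact reuse ({report['exact_pct']}%), "
          f"{report['near']} near reuse")
    print("pivot candidates:", ", ".join(report["pivot_candidates"]))
```

With the constructed dumps, five addresses appear in both, two reuse the password exactly and two more differ only by a trailing digit, so four of the five are worth trying against their email accounts.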
Emm went on to say that “many of the recent hacks have involved so-called ‘spear phishing’ attacks. These are similar to the scam emails you might find in your inbox every day, but are specifically targeted at certain employees of the company. The hackers research the employees to find the most vulnerable one, following them on social networks like Facebook so they can find out who their colleagues are and what software and web services they use at work. Once the hackers have the information they need, they send the employee a targeted email containing a malicious link that, when clicked, gives the hacker access to the company’s customer database.”
“They structure the email to look as if it has come from someone inside the company; it will contain some information about the employee or the company that they have managed to find out through social networks and research, to try and catch them off guard,” Emm said. “You click on the link or the attached file because you think it’s legitimate, and this is what gives the hackers their initial foothold in the company. That human factor is pretty consistent; we find this in a lot of attacks.”
Spear-phishing is not the only way hackers gain access to company servers. They can also take advantage of a poorly configured web server, or carry out espionage from inside the company.
Hackers have even been known to drop an infected USB drive in the company car park in the hope that an employee will pick it up and plug it into their work PC, giving the hacker access to the company’s network.
Emm has also been quoted as saying: “There is another reason why we are not seeing more data leaks: employees are now being targeted outside the workplace. In previous years, employees would do the majority of their work at their office desk and have the protection of the company’s firewall and security measures. Now employees work on different devices in all sorts of locations.”
“They are just as likely to use their personal smartphone for business. They can work from home, the airport, a hotel or even a coffee bar (which is insecure and allows hackers to intercept the data). IT managers now have a much harder job trying to put a security wrapper around each individual member of staff.”
How to tell if you have been hacked
So how can you tell if hackers have stolen your details? The European Commission regulations that came into effect last summer oblige companies that are hacked to inform every affected customer that their data has been compromised. But it can be days after the attack has been reported before the company sends out emails urging customers to change their password, and sometimes those emails end up in the spam folder.
If all the hackers want to do is embarrass the targeted company, you will often find a file containing the usernames and passwords of affected customers posted on the internet, often on a site like Pastebin, which lets anyone store text for a set period. Major hacks will normally end up in Pastebin’s trending pastes section.
Don’t assume that because your username and password are not on a list published on Pastebin or elsewhere you are safe. Hackers often drip-feed the stolen files, so it can take days or even weeks before the full extent of the hack is revealed. If you ever hear that a site you use has been hacked, change your password as a precaution, just as you would change your locks after a break-in.
You can also check whether your account was caught up in one of the many high-profile hacks of recent years, including Adobe, Sony and Tesco. Just enter your email address or username at haveibeenpwned.com. The site was created by security software specialist Troy Hunt; it checks the published databases from dozens of attacks and tells you if it finds your login details. Remember to try current and previous email addresses, both personal and business, and any usernames you can remember.
If you find your details have been stolen, change your password on the compromised site and on any others where you use the same username and password. Haveibeenpwned will also let you set up email alerts to warn you immediately if your address shows up in a newly loaded database. In case you were wondering, ‘pwned’ is hacker slang for ‘owned’.
Haveibeenpwned is a reputable site run by a well-known and trusted member of the security community, but use caution: there may be copycat sites promising to tell you whether your account has been hacked. If you type your login details into one of those, the hackers no longer need to go to the trouble of breaking into a website, because you will have handed them everything they need. A legitimate breach checker asks for your email address or username only; it never needs your password.
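The breach search described above is done on the site itself, by email address or username. The same service also lets you check whether a particular password has appeared in a leak without ever sending the password, or even its full hash, off your machine, which is exactly the property a copycat site that asks for your password outright cannot offer. The script below is an added example, not code from haveibeenpwned.com; it assumes the current Pwned Passwords range API (a GET to https://api.pwnedpasswords.com/range/ followed by the first five hex characters of the password’s SHA-1, answered with lines of the form SUFFIX:COUNT). SAMPLE_RANGE_RESPONSE is constructed so the script runs offline, and its counts are made up.

```python
"""Checking a password against the Have I Been Pwned range API with k-anonymity.

Added example, not haveibeenpwned.com's own code. Assumes the current
Pwned Passwords range API: GET https://api.pwnedpasswords.com/range/<prefix>,
where <prefix> is the first 5 hex chars of the upper-case SHA-1 of the password,
and the body lists '<35-char suffix>:<count>' per line. SAMPLE_RANGE_RESPONSE
is constructed for offline use; its counts are invented.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def range_query_parts(password: str):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only the 5-character prefix ever leaves the machine; the other 35 stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(response_text: str):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blanks."""
    counts = {}
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, response_text: str) -> int:
    """Number of times the password was seen in leaks, according to a range
    response for its prefix (0 if the suffix is absent). The match is done
    locally, so the service never learns which suffix you were interested in."""
    _, suffix = range_query_parts(password)
    return parse_range(response_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). The service asks clients to send a User-Agent;
    the value here is an arbitrary example string."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """Full round trip: hash locally, fetch the range for the prefix, match locally."""
    prefix, _ = range_query_parts(password)
    return pwned_count(password, fetch_range(prefix))


# Constructed stand-in for the response to /range/5BAA6 (the prefix for "password").
# The suffixes other than the third are made up, as are all the counts.
SAMPLE_RANGE_RESPONSE = """1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3
1E2AAA439972480CEC7F16C795BBB429372:1
"""

if __name__ == "__main__":
    prefix, suffix = range_query_parts("password")
    print(f"sent to service: {prefix}  kept local: {suffix}")
    print("'password' seen", pwned_count("password", SAMPLE_RANGE_RESPONSE), "times (sample data)")
    # For a real check: print(check_password_online("password"))
```

The offline run uses the constructed sample; `check_password_online` performs the real query and is the only function that touches the network. Note that a range response for one prefix can only answer for passwords sharing that prefix, so a real client always fetches the range for the password it is checking.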