There is a bit of irony in this blog post, if you will. Over my time at Webroot, I have become a major advocate and vocal evangelist of digital security, from talking about major breaches to sharing my experiences with dating-website scams. My work has focused on educating those who will listen and read my work on the value of keeping oneself safe at home, at work, and while traveling. Like many others, I never thought (often quite ignorantly) that my information could get out there in a breach. And if it did, I was sure I would still be protected.
This morning, we found out that there was a breach of over 5 million Gmail accounts, all hosted in a plain text file on Russian hacker forums. Naturally, we wanted to see what the data was like, and there it was, plain as day for everyone to see. We started to look up our various accounts, and out of my whole team, I was the only one to appear. Right in front of me, on a list with 5 million other people, was my information. My heart sank a little, followed by the sort of nervous laugh I get at times, all while I played through the major steps I had taken to protect myself prior, and what I needed to go change. Luckily, at the beginning of the year, I did my own security update and implemented two-factor authentication across all my major accounts, changed my standard passwords, and updated my security settings. And while we have covered these tips in the past (along with Tyler Moffitt’s security tips), there is no reason we shouldn’t all go back and just do a quick audit to make sure. In this case, there are two major steps I took to ensure my security online with this breach: changing my passwords and making certain that I have two-factor authentication turned on.
Change your passwords: Companies require a password change every three months on average, often without allowing you to reuse a password for at least 10 changes. This may be an annoyance, but with breaches like this occurring on a daily basis, it’s a necessary step that you should be following at home as well. It’s no longer simply about someone figuring your password out, but rather the idea that any level of breach can grab your standard password and e-mail address, and that someone can then try them across multiple channels until one succeeds. Changing your password removes this ability. Need help figuring out a new password you can remember? Take your standard password and move one key left or right for each letter. The keystrokes will be similar and it will help produce a difficult password. Remember, characters and numbers should be intermixed to increase the difficulty. Remind yourself with a calendar note to change all your passwords on the same day every three months. I would also recommend looking into a password manager, such as the one included in Webroot SecureAnywhere™ Internet Security Complete for home users, to help with the difficult passwords you now have to remember.
Enable Two-Factor Authentication: I have talked about this before (and shared links), and I cannot stress enough the importance of this level of security. With cell phones being at the ready in almost all aspects of our daily lives, this is one of the most convenient and easy layers to implement. By adding this layer, the service will authenticate any login attempt through an independent channel, allowing you to know if someone is attempting unauthorized access. Below are links to each site's steps for enabling it.
- Gmail: https://www.google.com/landing/2step/
- Amazon: http://aws.amazon.com/iam/details/mfa/
- PayPal: https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o
- Facebook: https://www.facebook.com/note.php?note_id=10150172618258920
- Twitter: https://blog.twitter.com/2013/getting-started-with-login-verification
While we are still unsure how the hacker was able to get all this information, it’s clear as day that it is out there, and because of that, vigilance is key. Just as you wouldn’t leave your credit cards lying around, you shouldn’t risk your passwords being out there either. Data is valuable, and the more private or financially focused it is, the more seriously we need to take it. So take these simple steps, get another layer of security established, and make it a habit to change passwords so you don’t become another name on the list as I did. In the meantime, you can check and see if your e-mail is a part of the breach by following this link: https://isleaked.com/en.php
Other helpful links:
- Google Security: https://www.google.com/settings/security
- Facebook Security: https://www.facebook.com/help/securitytips
- Twitter Security: https://support.twitter.com/articles/76036-safe-tweeting-the-basics
- Secure Password Generator: http://passwordsgenerator.net/
- Google Chrome Security Settings: https://support.google.com/chrome/answer/114836?hl=en
- Firefox Security Settings: https://support.mozilla.org/en-US/products/firefox/privacy-and-security
- Internet Explorer Security Settings: http://windows.microsoft.com/en-us/windows/change-internet-explorer-security-settings#1TC=windows-7
- Microsoft Outlook Two-step authentication: http://windows.microsoft.com/en-us/windows/two-step-verification-faq
- Google Two-Step authentication: https://support.google.com/a/answer/175197?hl=en