There is a bit of irony in this blog post, if you will. Over my time at Webroot, I have become a major advocate and vocal evangelist of digital security, from talking about major breaches to sharing my experiences with dating-website scams. My work has focused on educating those who will listen to and read my work about the value of keeping oneself safe at home, at work, and while traveling. Like many others, I never thought (often quite ignorantly) that my information could get out there in a breach. And if it did, I was sure I would still be protected.
This morning, we found out that there was a breach of over 5 million Gmail accounts, all hosted in a plain text file on Russian hacker forums. Naturally, we wanted to see what the data was like, and there it was, plain as day for everyone to see. We started to look up our various accounts, and out of my whole team, I was the only one to appear. Right in front of me, on a list with 5 million other people, was my information. My heart sank a little, followed by the sort of nervous laugh I get at times, all while I played through the major steps I had previously taken to protect myself, and what I needed to go change. Luckily, at the beginning of the year, I did my own security update and implemented two-factor authentication across all my major accounts, changed my standard passwords, and updated my security settings. And while we have covered these tips in the past (along with Tyler Moffitt’s security tips), there is no reason we shouldn’t all go back and do a quick audit to make sure. In this case, there are two major steps I took to ensure my security online after this breach: changing my passwords and making certain that I have two-factor authentication turned on.
Change your passwords: Every three months is the average corporate password-rotation interval, often with a rule that you cannot reuse any of your last 10 passwords. This may be an annoyance, but with breaches like this occurring on a daily basis, it’s a necessary step that you should be following at home as well. It’s no longer simply about someone figuring out your password, but rather that any breach can grab your standard password and e-mail address, and an attacker can then try that pair across multiple services until one succeeds. Changing your password removes this ability. Need help figuring out a new password you can remember? Take your standard password and move one key left or right for each letter. The keystrokes will be similar, and it will help produce a difficult password. Remember, characters and numbers should be intermixed to increase the difficulty. Remind yourself with a calendar note to change all your passwords on the same day every three months. I would also recommend looking into a password manager, such as the one included in Webroot SecureAnywhere™ Internet Security Complete for home users, to help with the difficult passwords you now have to remember.
Enable Two-Factor Authentication: I have talked about this before (and shared links), and I cannot stress enough the importance of this level of security. With cell phones at the ready in almost all aspects of our daily lives, this is one of the most convenient and easy layers to implement. By adding this layer, the service will authenticate any login attempt through an independent channel, so a stolen password alone is not enough and you are alerted when someone attempts unauthorized access. Below are links to each service’s instructions for enabling it.
- Gmail: https://www.google.com/landing/2step/
- Amazon: http://aws.amazon.com/iam/details/mfa/
- PayPal: https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o
- Facebook: https://www.facebook.com/note.php?note_id=10150172618258920
- Twitter: https://blog.twitter.com/2013/getting-started-with-login-verification
While we are still unsure how the hacker was able to get all this information, it’s clear as day that it is out there, and because of that, vigilance is key. Just as you wouldn’t leave your credit cards lying around, you shouldn’t risk your passwords being out there either. Data is valuable, and the more private or financially focused it is, the more seriously we need to take it. So take these simple steps, get another layer of security established, and make it a habit to change passwords so you don’t become another name on the list as I did. In the meantime, you can check whether your e-mail is a part of the breach by following this link: https://isleaked.com/en.php
Other helpful links:
- Google Security: https://www.google.com/settings/security
- Facebook Security: https://www.facebook.com/help/securitytips
- Twitter Security: https://support.twitter.com/articles/76036-safe-tweeting-the-basics
- Secure Password Generator: http://passwordsgenerator.net/
- Google Chrome Security Settings: https://support.google.com/chrome/answer/114836?hl=en
- Firefox Security Settings: https://support.mozilla.org/en-US/products/firefox/privacy-and-security
- Internet Explorer Security Settings: http://windows.microsoft.com/en-us/windows/change-internet-explorer-security-settings#1TC=windows-7
- Microsoft Outlook Two-step authentication: http://windows.microsoft.com/en-us/windows/two-step-verification-faq
- Google Two-Step authentication: https://support.google.com/a/answer/175197?hl=en
If the “Activity on this account” report from Gmail only shows access from my session and IP address, why should I change my password?
This is interesting, but where is the list of people’s names who were hacked? I have all my passwords in a secure program, but I’d like to check whether I’m on the list of 5 million people, just to be sure I’m OK.
grinfocus While the “Activity on this account” report will show you session access, if someone were to get your password, it would not take much to turn this and other security features off or change the settings so that you wouldn’t have access. Changing your password helps mitigate this threat.
Sue Gilliland You can check whether your e-mail is a part of the breach by following this link: https://isleaked.com/en.php
Webroot Sue Gilliland Thank you for the information. I checked there and I wasn’t affected.
TyroneJ That’s a coincidence. I use Mr. Schneier’s password program. I found out about him from a Webroot discussion. Thanks, Webroot.
What can you do if someone is trying to access your email account several times a day? My wife keeps getting messages that an incorrect password attempt has occurred on her account 5-6 times a day for the last 4 days.
Randyman0008 Are you sure that someone is actually trying to gain access? This is something typical that I see in my environment when someone changes their password for email and doesn’t update outside devices; such as a phone, tablet, computer, laptop, etc. I would start there first. If a device is set to “re-check” in to download mail and a password hasn’t been changed on all devices, this is pretty common. Luckily, the domain doesn’t lock her out for multiple failed login attempts. Hope this helps.
I am interested to know if this applied to GoogleApps for Business and GoogleApps for Education accounts or only personal Gmail accounts. Is there any way to tell? Thanks
doug0077 Reports are showing the accounts breached were obtained through means other than the servers being hacked. You can double-check whether your e-mail is a part of the breach by following this link: https://isleaked.com/en.php
Before you use isleaked.com please read this; there are more well-vetted sites that will tell you if your passwords are in trouble: http://jameswatt.me/2014/09/10/isleaked-com-registered-2-days-before-gmail-leak-public/
Well, a while back someone somehow found out about a password I use. They used this to hack one of my gaming accounts online, well, not really hack but infiltrate; they changed a lot in the security settings, etc., making it very difficult to access. The moral of the story is, no matter how strong your password, there is always a way to access your accounts. To sidestep this I agree with the steps set forth in this blog. Changing passwords every few months is a great idea; if I had done this earlier I would not have had problems with accounts being taken over by third parties. The two-step verification, though, I have been using for a while; this just makes it more secure in my opinion. The problem is you need a backup code generator linked to the same account, as I forgot my phone at home the other day and could not log into my Google account, which was a hassle. Basically, never assume you won’t be on the receiving end of the stick; it can always happen at any time.
Thanks for the information. I am also one who had been hacked, and my cell phone too… I will take your information and use it. Thank you for the column; it was very helpful…