Collection #2-5 Breach

Just a couple of weeks after the Collection #1 breach was identified, the Collection #2-5 breaches have followed. An estimated 2.2 billion unique accounts were compromised in this breach.

The site we usually check for breaches (HaveIBeenPwned.com) has not been updated yet. In the meantime, you can use the Hasso-Plattner Institute’s tool to check. When you enter your email into this tool, it will email you a report of what has been found in a breach.

Once again, we want to stress that you should use a password manager, use passwords that are hard to type or guess, and use 2FA where available.

Collection #1 Breach

There was a new breach found last week and reported by Troy Hunt on January 17, 2019. This one is a massive breach: a collection of emails and passwords with over 2.5 billion rows of combinations. Over 1.1 billion of these were unique combinations, possibly due to emails being in both uppercase and lowercase. There were a total of over 700 million unique email addresses with passwords.

Perhaps you are no longer using a particular email that was found in the breach. Or maybe your password has been changed. Chances are you are or were a little lax about your passwords and re-used them on different sites.

You can use Troy’s site https://haveibeenpwned.com to check to see if your email has been found in any breaches. You can use this page to check to see if a password you are using has been in any breaches: https://haveibeenpwned.com/Passwords

We recommend you use a password manager and let it generate secure passwords for you. You would only have to remember that one password and can have access to all your passwords and sync them to your devices. Some managers even offer storage of sensitive documents.

Read Troy Hunt’s article here.

Facebook Breach

By now you’ve heard about last week’s Facebook breach in which 50 million users’ accounts were impacted. This time, attackers had the ability to directly take over user accounts. Facebook logged out 90 million users from their accounts – the 50 million affected and 40 million more that may have been. They also announced that other sites could be affected if you use your Facebook credentials to log into them.

The persons responsible, who haven’t been found yet, were able to get to the access tokens, kind of like session hijacking. The problem was found in the video uploader page. Find out more about it from How-to Geek.

Chrome Extension: PassProtect

There is a Chrome extension to help you pick better passwords. It is called PassProtect by Okta. It will tell you right away if your password is in a list of data breaches. It doesn’t necessarily mean your username/email and password combination is in that list, but if your password is already in a list of compromised passwords, you might want to rethink that password. You can add it to your Chrome browser.

They do not store or collect any information from you; they simply use the HaveIBeenPwned.com API to check against the list of known breaches. If you want to check a password on your own, you can also check it here manually to see if it is in the list of breached passwords, because it is the same list. Hackers that have collected passwords will often use them to breach a site and try to guess people’s logins. If you are using a password from a breached list, and they know your email or username, you may find yourself hacked.

PassProtect

Equifax Breach – What you can do

By now you’ve heard about the Equifax breach. Something you may want to do by November 21 is put a security freeze on your account. Until then, they are waiving fees to do this.

A security freeze is supposed to block outsiders from opening an account in your name. This is different from a fraud alert which will only notify you if someone opens an account in your name (even you).

A security freeze has you adding a PIN in order to make any changes. The three major credit monitors are TransUnion, Experian, and Equifax.
Right now you can only put the freeze on Equifax for free. TransUnion and Experian will charge $10 for each. Currently there is legislation pending on making this free. If you are planning to buy a car or house you don’t want to freeze your credit just yet.

Equifax will not be calling you so if you get a call saying it is from them, it is most likely a scam.

If you enroll in their monitoring program, you would waive rights to sue if you are impacted by the breach.

Here are some links:
Equifax blog with explanation of the problem
How to put on and remove a freeze from your account
Form to fill out to get a PIN to freeze account

Passwords: should you use the one you want?

If you are looking for a password, you can check to see if the password you want to use has ever been used. Just go to the Have I Been Pwned website and look at the Passwords link. They now have a list of the passwords that have been breached. You can test your password against it, and it will tell you if it’s been breached, but it will also tell you it may not be a good password even if it’s not been breached.

Here is what you get if your password has been used before and found on a breach list:

Have I been pwned Pwned Passwords - yes

Here is what it looks like if it hasn’t:

Have I been pwned Pwned Passwords - no

Passwords

Yes, another article about passwords. There seem to be new breaches every week of major sites where passwords are compromised. The Victor crew wants to bring home some information about this.

Only 29 percent of consumers change their password for security. The reason most people change their password is because they forgot it. In an interesting study, Type A and Type B personalities offer different insights.

Type A
Bad password behavior stems from their needing to be in control. They believe they are organized but this puts them at risk. 35% of them reuse passwords because they want to remember them all. Detail oriented people have a system to remember passwords (maybe not such a bad thing).

Type B
Their bad password behavior comes from convincing themselves that their accounts matter little to hackers. They prefer a password that is easy to remember.

Many people know their password is bad, yet they use it anyway. Many were found to include initials, names, pets’ names, important dates, and other information readily available on social media sites.

The longer and more complex the password, the harder it is to crack.

The Victor crew

https://www.helpnetsecurity.com/2016/09/29/risky-password-practices/