More than a Billion Passwords Stolen by Russian Gang

Ready to change your passwords again?

If you didn’t bother changing your password when you heard about “Heartbleed” leaking out passwords, you might want to consider changing your online passwords today. In the largest known collection of stolen internet credentials, a Russian tech gang has reportedly acquired an estimated 1.2 billion username and password combinations, along with over 500 email addresses.

A security firm based out of Milwaukee, Wisconsin conducted an 18 month study of the security breach. It has not announced specific sites that were hit, citing non-disclosure agreements and concerns for websites that still may still be vulnerable. An independent security expert confirmed the claims as authentic.

The hackers used unsuspecting zombie computers with viruses to allow a single operator to control a large group of virus infected computers to test for SQL vulnerabilities on servers.

When vulnerability was discovered on a website or server, hackers then executed SQL injections to send malicious commands to the website. In this way they were able to collect databases full of user names and passwords. Small and large websites have been affected worldwide by this hack.

So far, the stolen data has only been sold in small quantities on the black market, and used to access social media to send out spam messages. Hold Security had originally offered to check security breaches for a fee of $120 but seem to be revising their efforts after some criticism.

So what’s a person to do when it seems like keeping data secret is a losing battle?

  • Change your passwords, and make sure they are strong, secure passwords with capital letters, lower case letters, numbers, and special characters.
  • Businesses should run a check with the webmaster to see if their websites are vulnerable to SQL attack.
  • Don’t use the same username/password combination for all the sites you access, particularly important ones like banking.
  • Don’t panic, and have a plan in place in case you are a victim of data theft.

For more information on keeping your data secure, visit our blog posts on Heartbleed, and Preventing your Email from Getting Hacked. Or you can contact us here at Appletree MediaWorks for more information.

Hacking for password

How Do You Prevent Your Email From Getting Hacked?

Duplicating Usernames and Passwords is Risky

Database vulnerability

The truth is many online databases do not encrypt your username and password at all. So one dishonest employee can have thousands of passwords in one quick database export. If one online shop gets compromised, then all of the places you use that username and password are now vulnerable. Use a different password for every website login you create and use a specialized program to store those big beautiful passwords.

Brute force attacks

Many attacks are brute force attacks in which a computer program is used to try lots of combinations of passwords rapidly. The simpler your password, the easy to ‘guess’ by the program. Again, if your password is figured out and you use the same on multiple websites, your risk is increased exponentially. Use different passwords to prevent getting your email hacked.

  • Use different login credentials and complex passwords on every website you use. We featured an article on our blog featuring more information and tips about passwords.
  • Just say no to browsers storing passwords! When Internet Explorer or Mozilla asks to store a password for you, ALWAYS say NO.
  • To remember all your new passwords, use a service like 1Password or KeePass to create and store login information. KeePass is free!

Keep Your Software Updated

Out of date software is risky, especially web browsers and other web-based programs including browser plugins. Usually updates are released for software in response to a security hole or technology expansion. Many programs update automatically, but set your phone or calendar to remind you to check on these things every few weeks.

  • Keep Windows and your antivirus software up to date.
  • Run updates for your programs when they ask. If a program is asking to access your computer that you don’t recognize, choose No for now and check out Google to see what is suggested for that update name.

Pay Attention to Login Sessions

Some sites will tell you the last time you logged in successfully. Change your passwords if things seem fishy. Some programs such as Facebook and Gmail monitor your logins, other programs will let you setup verification by text messages.

  • Use verification by text message, if a program asks if you’re using a public computer to login, say yes if you are.
  • Do not create obvious security questions in which people can find the answers by searching Facebook or other sites.

Think Before You Click

If you receive an ambiguous or unexpected email, even from a relative or close friend telling you to click a link. Don’t do it. Contact the person over the phone and ask what the email message. Same goes for attachments. If the email does not look like something your contact would send you, QUESTION it!! Email spoofing is common too, for example there have been very real looking emails floating around that appear to be from the IRS, but the attachment is a virus.

  • Ignore and delete strange emails even if they’re from friends, family, and banks. Don’t click the link or open the attachment – it’s a surefire way to get a virus.
  • If you find out your account has been hacked and an email was sent from your account, first change your password. 2nd follow up with those that received your hacked email message. Tell them your email was hacked and that they should DELETE the email they received from you.

Watch Where You Login From

Be careful if you are logging in from a public computer or a network that is not secure. Do not stay logged in, when you are done with the website be sure to log out. Connecting to public WiFi can open the door to hackers.

  • Be sure your computer has a strong firewall. The annoying extra click to allow something to access or update your computer is better than a hacking mess from keeping the door open.

How do you prevent your email from getting hacked? As identity theft and account hacking becomes more rampant, there is no foolproof way, but you can minimize risks by using our suggestions. It is best to set up your accounts so that if one gets compromised not all of them do. Have a plan set up on what to do if an email gets hacked or a credit card gets stolen, and know that it is extremely common, if problematic.

If You Do Get Hacked

  • Change your password if you can still get in to your account.
  • Follow the directions in the help center of the website you’re trying – most sites have guides on what to do.
  • Scan your computer for viruses and malware, then schedule future scans to happen weekly.
  • Let people know you got hacked and not to click on links, and pass along info on what to do if they did.
  • Report the incident to the website. You may get access to identity protection services through the hacked site.

Extra Credit

Protecting your credit card information online goes hand in hand with your email getting hacked. We suggest using a payment service such as Paypal to store your credit card number rather than typing your credit card number directly into a website. Websites and stores are not supposed to store credit card numbers in their databases….but there are no internet police enforcing this.

Follow Appletree MediaWorks on Facebook or subscribe to our website blog RSS feed to keep up on topics like this.