In recent weeks privacy has been lost for many. Social media continues to be an avenue where people get a false sense of security. However, over the last few weeks many have learned the hard way that things are not always what they seem. Just to name a few of the major leaks of late, vk, myspace, linkedin, teamviewer, and now twitter.
Not all of these leaks were created equal; some could have been prevented by the companies and others by the users. VK is a social media giant in Europe. They were breached and the user database stolen. This is not that uncommon now, but what is even worse is that there was no hashing or encryption on the database. This means that all records where in plain text for over 100 million users. What does that mean? I am glad you asked. Suppose Sally has a password of 123456. In plain text, it is just that, plain text- human readable. But best practice tells us to hash passwords so in the event of a breach, the passwords are better kept a secret. A common but not so secure hashing algorithm is SHA1. using SHA1 123456 becomes 7c4a8d09ca3762af61e59520943dc26494f8941b . Every unique password gets a unique hash, sounds good right? But these hashes can be precomputed from wordlists. So with a little bit of time, common or weak passwords can easily be recovered by comparing the precomputed hashes to those from a leak. This is why you should use secure passwords. For tips on that see our guide for secure passwords.
Several years ago linkedin was breached and their user database leaked. The details were hashed and some users asked to change their passwords. However, the breach was much larger than originally thought. Initially it was reported that only about 6.5 million accounts were affected. But, now we know it was actually well over 100 million. Myspace was hit as well exposing millions of accounts.
Attackers were happy to get their hands on data from these breaches, because users tend to repeat passwords for multiple sites. Now scripts were easily written to automate trial and error with say, “for xyz website try username xx and password yy.” After going through the lists, now all of a sudden you have millions of valid user accounts for other websites. It was recently discovered over 30 million twitter account details floating around believed to have been a direct result of the above mentioned breaches. This is exactly why users should use a different password for every site. Consider a password manager such as lastpass and take advantage of the secure password generator.
To better protect yourself use 2-factor authentication when available. There are multiple flavors of authentication- something you know (password), something you have (key), something you are (biometrics, ie, fingerprint). 2-factor authentication takes advantage of 2 of these instead of just one. Most social and email sites allow for 2-factor authentication by letting sending a code to your phone when you try to log in. If an attacker tries to access your account, you get the code and not them preventing them from fully authenticating. This is typically not enabled by default, but you can go to your account or security settings and enable it.
As a user of the world wide web you cannot always protect yourself, a trust is in place for sites to secure your information. However, as we have seen recently, many users do not take the initiative to secure what they can either.