Did Hackers Pull Off Massive Security Breach?
Is it time to change your passwords? What the media is hyping as one of the biggest online thefts in history, the “CyberVor” a Russian criminal hacking group, has allegedly stolen 4.5 billion records. This includes 1.2 billion usernames and passwords from around 420,000 websites.
11 August 2014
The affected websites haven’t been announced, but Hold Security, the firm that uncovered the theft, said that both small and well-known sites are affected.
But before we proceed, we’d like to point out that this doesn’t affect the Intralinks platform. We apply a very conservative approach to security and access control.
Are You at Risk?
Hold Security said that the CyberVor group was able to steal billions of records by using botnets. The hackers’ motive is to make money by spamming users – often accomplished by accessing the users’ email or social accounts to post phony products or messages to their family and friends.
A lot of information on this story is still missing. While many security experts are skeptical (just check out security technologist Bruce Schneier’s recent blog), we still feel users should err on the side of caution and take steps to protect themselves.
Given this situation (or any future ones), be wary if:
- You notice odd messages being sent from your family or friends – don’t click on them
- You see that you have sent something you don’t remember sharing
- You notice nothing: Be cautious and assume you could be at risk
Individuals: Avoid Being a Victim
Concerned you're a hack victim? As a first step, change your passwords – especially on websites you visit that store sensitive data, such as financial or health information.
To lessen the chance of being hacked in the future, here are a few best practices:
- Use two-factor authentication. If the site you’re using offers two-factor authentication, use it to slow down hackers. If you (or a thief) log in from a new computer and enter your password, you’ll have to enter a code before logging in. You’ll know immediately if someone is trying to access your account.
- Monitor your information regularly. Keep track of your accounts on a daily basis so you can catch theft early on and hopefully reduce the damage.
- Create a strong password. Make sure your password is tough to crack (for example, do not use dictionary words) and do not follow the recommendations of password "strength meters" – if the strength check can be automated, so can the attack. Try a password management service such as Password Safe to help you generate unique, hard-to-guess passwords.
- Do not reuse passwords. Do not repeat passwords, especially for important applications such as online banking; to be safe, avoid reusing them on any site that requires a login. Remember: it doesn’t matter how strong your PayPal password is if you use the same password for a site that gets hacked.
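The last two practices above are exactly what a password manager automates: a separate, randomly generated password for every site, so that one site's breach exposes only that one login. The Python below is an added illustration written for this post, not code from Password Safe or any other product; the vault contents and site names are constructed sample data. It generates per-site passwords from the operating system's CSPRNG and then shows, for a hypothetical breached site, which other logins share its password.

```python
import secrets
import string
from collections import defaultdict

# Character set a manager would draw from: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a password drawn uniformly from ALPHABET using the OS CSPRNG (secrets)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_vault(sites) -> dict:
    """Give every site its own independently generated password, as a manager does."""
    return {site: generate_password() for site in sites}


def find_reuse(vault: dict) -> dict:
    """Map each password that appears on more than one site to the list of those sites."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def exposed_by_breach(vault: dict, breached_site: str) -> list:
    """Sites whose login is at risk once breached_site's password leaks: every site
    sharing that password, not just the breached one."""
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items() if pw == leaked)


# Constructed example of the habit the post warns against: one password on three sites.
REUSED_VAULT = {
    "forum.example": "Tr0ub4dor&3",   # hypothetical low-value site that gets breached
    "bank.example": "Tr0ub4dor&3",    # high-value site now exposed by that breach
    "mail.example": "Tr0ub4dor&3",
    "shop.example": "unrelated-password-1",
}

if __name__ == "__main__":
    print("reuse found:", find_reuse(REUSED_VAULT))
    print("exposed if forum.example leaks:", exposed_by_breach(REUSED_VAULT, "forum.example"))
    fresh = build_vault(REUSED_VAULT)
    print("reuse in generated vault:", find_reuse(fresh))
    print("exposed if forum.example leaks (generated vault):", exposed_by_breach(fresh, "forum.example"))
```

With the generated vault, a breach of one site exposes only that site's entry, which is the whole point of not reusing passwords; the strength of an individual password never enters into it.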
At the end of the day, organizations you work with must do their part to keep your personal information safe, but taking these steps can help improve your online security.
Companies: How You Should React
As the media reported, criminals were able to gather billions of records and substantial amounts of data. There is doubt about whether this is true, but it is clear in any case that many organizations do not take information security seriously.
Businesses, only you can keep your customers’ information safe — by securely storing it.
If you have doubts about security, have your information technology and security teams find out if your website is susceptible to SQL injection. If it is, you’ll need to create a security response plan and notify users if there is a breach. Hold Security recommends regular penetration testing and audit services to check for further vulnerabilities.
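The check the post asks IT and security teams to make is something a development team can also build into its own tests. The Python below is an added example for this post, not code from Hold Security or Intralinks: it uses an in-memory SQLite table with constructed sample rows, puts a query that splices user input into the SQL text beside the parameterized form, and runs a one-line probe through both. A lookup that returns rows it should not for the probe is the injectable one; the parameterized lookup treats the same input as an ordinary, non-matching username.

```python
import sqlite3

# A single quote followed by an always-true condition; the classic probe a tester
# submits to a login or search field to see whether input reaches the SQL parser.
PROBE = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample table; real systems store password hashes, never passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defective pattern: the caller's input becomes part of the SQL statement."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Corrected pattern: input is bound as a parameter and never parsed as SQL."""
    return [
        row[0]
        for row in conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    ]


def is_injectable(conn: sqlite3.Connection, lookup) -> bool:
    """True if the lookup returns any row for PROBE, which no real username matches.
    Usable as a regression test against any function that takes (conn, username)."""
    return len(lookup(conn, PROBE)) > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", lookup_vulnerable(db, PROBE))  # every user, not just one
    print("safe lookup:      ", lookup_safe(db, PROBE))        # nothing: no such username
    print("injectable?", is_injectable(db, lookup_vulnerable), is_injectable(db, lookup_safe))
```

The same `is_injectable` check can wrap a real data-access function in a unit test, so the defective pattern cannot be reintroduced without a test failing; the notification and response planning the post describes only start once such a check fails in production code.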
Protect the Sensitive Information You Collect
To protect against future breaches, use an enterprise-grade file storage and collaboration solution to store all sensitive information. This solution must have the top security controls and encryption in place to keep data safe. Be sure the information you store and share stays compliant with your security and privacy policies. Consider only a service that has a proven track record in managing risk and complying with regulatory requirements.
Even if this ends up being just a publicity stunt, hopefully this news will be a wake-up call for organizations. It’s time to put the proper security protocols and procedures in place.
Meagan Parrish is the Senior Manager of Social Media at Intralinks. She is responsible for social media strategy development and the communications for Intralinks' online communities. Meagan has been creating social media strategies for a variety of companies across verticals for the past several years. She holds bachelor's degrees in Marketing and Finance, with a minor in English Literature.