Another Data Leak In Russia: What Can You Do To Keep Your Credentials Safe?
It has been reported today that a Russian hacker has obtained hundreds of millions of login credentials for a number of different email services. It is claimed that the largest proportion of these is from Mail.ru (Russia’s most popular email service), but millions of Microsoft, Gmail and Yahoo accounts have also been leaked.
The data breach was revealed by Hold Security, when their researchers found an individual ‘bragging in an online forum that he had collected and was ready to give away a far larger number of stolen credentials.’ (Reuters)
Strangely, the hacker in question has asked for only 50 Roubles (just under £0.53, or $0.76) for the entire data set. In addition to this, Hold Security was able to acquire all of the information for free by agreeing to post favourable comments about the individual on hacker forums. This low price and the willingness to release the data widely are concerning, as the information could be used by multiple buyers. It could also be used multiple times to get into not only the email accounts in question, but also the victims’ other accounts – in the hope that they use one password for multiple online accounts. If you use any of the listed providers, it might be a good idea to change your passwords as a precaution.
Unfortunately, data breaches and security leaks are part of the modern world, and while many of them are preventable, they can happen to anyone. As with more ‘traditional’ burglaries, there are a vast number of preventative methods and technologies to heighten security. Here are a few simple tips for protecting online credentials; they are basic yet important security practices that should be encouraged organisation-wide.
In order to add that extra padlock to your estate, you can:
1. Choose a complex password. This is often said, and sadly often ignored. In a world of social media, it is very easy for hackers to find out the components of common passwords – birthdays, pet names, mother’s maiden names and first schools are all out there for many to see. Sometimes it’s even easier: last year SplashData analysed more than 2 million passwords leaked in 2015 and found several trends in the most common ones: 123456, password, 12345678, qwerty – notice any trends? A bad memory isn’t an excuse for simple or universal credentials anymore – there are a number of password management tools out there which can help at both an individual and an enterprise-grade level.
2. Make sure you change your passwords regularly; doing so approximately every 3 months will help keep phishers at bay. If you’re an admin for your organisation, it’s easy to set group password policies on expiration in the new Office 365 Security and Compliance Center (we will be blogging on this too). This means that your users are automatically reminded and prompted to change their password as regularly as you require.
3. Ensure that you are careful when giving out any personal information such as your name, address, phone number or financial information online. If it seems unnecessary, be wary about providing these details, and perhaps seek further explanation of why it’s needed. As simple as it sounds, protecting your data is partly down to common sense: if something looks suspicious or out of the ordinary, think twice before you go any further.
4. Finally, enabling two-factor authentication – where possible – is a very good idea. As a security process in which the user provides two means of identification, it is one of the main ways to add an extra layer of security to your credentials. The first element is usually the individual’s login credentials, and the other is often a code or one-time sequence, which can be delivered to another device or sent through another channel (such as emailing another verified email address or texting a verified phone number).
A growing majority of online providers, vendors and services (ourselves included) offer two-factor authentication to protect their customers, and it is recognised as one of the primary ways to keep your accounts safe. As high-profile data breaches continue to occur, many providers continue to develop technology to counter them, but it is important to remain vigilant. Data protection and security are two of our highest priorities, which is why, as an organisation, we do all that we can to maintain them, while also encouraging our users to put an extra padlock on our application through the use of two-factor authentication.
It’s good practice, when these sorts of breaches are reported, to check whether your accounts have been compromised. A great resource for this is https://haveibeenpwned.com/ – you can also register your email address so you’ll be notified if your account is compromised in the future.
Cogmotive is the leading global provider of enterprise level reporting and analytics applications for Office 365. Find out more now.