Last week, Twitter acknowledged that their systems had been breached, and that at least 250,000 Twitter users may have had their account information shared with the hacker. According to their blog post, Twitter revealed that the attack may have revealed usernames and email addresses, along with encrypted/salted passwords. While Twitter immediately secured the breach and took steps to reset the passwords for every affected account, the event should still serve as a warning to all: Your Social Media Accounts Are Vulnerable!
Perhaps you’re thinking that a quarter million Twitter accounts hacked isn’t a big deal. Even Twitter was quick to point out that it was only a small percentage of their user base. And it’s true that in this case, it’s likely that since the passwords were encrypted, the hacker would have been unable to access individual accounts, and therefore all they got was a free database of email addresses.
But what if instead of Twitter we were talking about Facebook? If the same small percentage of user data had been accessed, we would be talking about a cool million people. And what if the hacker had gained access to more information or unencrypted passwords? Unlike Twitter, Facebook tracks far more user activity. Your likes, comments and shares are all tracked and monitored in order to gauge your individual interests. Putting that kind of information into the hands of a hacker should be frightening, to say the least.
Even worse, Google is providing users and businesses with more and more products and services, but they’re all tied to the same account. It’s convenient, to be sure, but it represents a tremendous security risk. A typical business might have a Google+ profile along with Google AdSense, Google Analytics and Google AdWords profiles. You might even be using Google Wallet or Google Checkout. Throw in Google Drive and the potential for finding sensitive documents you might have uploaded for other employees, and you’re starting to see just how valuable your Google account might be to a thief.
While we cannot do anything about the security precautions that social networks and service providers do or do not take, there are certainly things that we can do ourselves to protect ourselves and mitigate the potential risks.
First, it’s time to change that password! According to Trustwave, a stunning 80% of security issues are due to weak passwords. The number one password in use today? Password1. Seriously. If you’re using the word password as a password for anything, stop reading right now and change it immediately.
Variations of the word password, or welcome, or sequential numbers like 123456 are also common fails.
Instead, follow these guidelines:
- Do not use personally identifiable information like your name, username, birthday, family name, alma mater or hobby. Ever.
- Do not use a word that can be found in the dictionary as your full password. Other languages count, so using the Spanish word for password is just as weak!
- Do not repeat the same password more than once. You MUST use a different password everywhere. Yes, I know it’s hard to remember all those passwords, but there are tools and techniques for helping with that.
- A sticky note attached to the monitor is NOT an approved tool for remembering your password.
- If allowed, use special characters.
- Use at least 8 characters. The longer your password, the more difficult it will be to crack.
- Change your critical passwords regularly.
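The guidelines above can be checked mechanically. This is an added example, not code from the original post: it applies the length, dictionary-word, sequential-run, personal-information and special-character rules. The wordlist is a constructed handful of entries standing in for a real multi-language dictionary, and the personal details passed in are whatever the user supplies.

```python
import string

# Constructed sample wordlist: the post's named weak choices plus a few
# English and Spanish dictionary words (other languages count, per the guidelines).
WEAK_WORDS = {"password", "welcome", "contraseña", "passwort", "letmein",
              "summer", "dragon", "monkey"}

# Undo common letter-for-symbol swaps so P@ssw0rd is still recognised as "password".
_LEET = str.maketrans("0134$@!5", "oleasais")


def _core_word(pw: str) -> str:
    """Lower-case, strip digits/punctuation from both ends, then undo leet swaps."""
    return pw.lower().strip(string.digits + string.punctuation).translate(_LEET)


def _has_run(pw: str, length: int = 5) -> bool:
    """True if any window of `length` characters ascends or descends by one (123456, abcde)."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw: str, personal=(), special_allowed: bool = True) -> list:
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    core = _core_word(pw)
    if core in WEAK_WORDS:
        problems.append(f"dictionary word '{core}' (digits or symbols around it do not help)")
    if _has_run(pw):
        problems.append("contains a sequential run such as 123456")
    for item in personal:
        item = item.lower()
        if len(item) >= 3 and item in pw.lower():
            problems.append(f"contains personal information '{item}'")
    if special_allowed and not any(c in string.punctuation for c in pw):
        problems.append("no special characters")
    return problems
```

Note that the one rule this cannot check is reuse across sites; that is where a password manager earns its keep.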
Next, make sure that you pay attention to news regarding security breaches for your service providers. As Twitter pointed out, the New York Times and Wall Street Journal also recently experienced security issues, and it’s a growing problem. The point here isn’t to scare or overwhelm you, but to make sure that you’re paying attention so that you can respond accordingly. If a social network like Twitter gets hacked, it’s an easy matter to change your password. If your bank gets hacked, that’s going to require a completely different response. Subscribe to our weekly digest or, even better, Like our Facebook Page or Circle our Google+ Page so that you’ll hear from us any time there’s security news.
Make sure that you are treating any documents or information that you share with an appropriate level of sensitivity. If you must use a service like Google Drive to share sensitive documents, maybe the documents themselves should also be password-protected or encrypted.
Monitor your accounts in order to be aware of suspicious activity. Twitter is a perfect example of this. I often see clients, and even people I don’t know, sending out tweets that are obviously computer-generated spam. The tweets may be ads for making more money, or porn, or something else. Such tweets indicate that the user’s Twitter account has been compromised and someone else is now using it. The problem is, if you’re not watching your own sent tweets, you would have no idea that your account was in jeopardy.
Finally, make note of any accounts or service providers that are connected. This is particularly common with social networks, where for instance Instagram might have access to post to your Facebook, Twitter, Flickr, Tumblr and Foursquare accounts. If your Instagram account and data were to be compromised, it’s possible that there might be secondary issues with your other accounts. By taking a moment to write down what accounts are interconnected, you can more quickly react to potential issues. If I learn that my Instagram account has been hacked, or read that Instagram’s servers have been breached, I’m going to reset my passwords on Facebook, Twitter, Flickr, Tumblr and Foursquare, as well as Instagram.
Security is a major issue today. Someday we may not have to worry so much about passwords – maybe thumbprints and retina scans will become the norm – but for now, our passwords and security precautions are all that stands between us and identity thieves. Take the time to protect yourself and your data now, and please share your comments and concerns below.
Lock image courtesy of Alexandre Dulaunoy, Flickr.