Other issues in this category (26)
Leaks circulating in the wild
Wednesday, March 28, 2018
Media outlets (including the Anti-virus Times ) often publish news stories about data leaks. But, honestly, are we or any people we know ever affected by them? Perhaps, it's only media-generated buzz, nothing more?
In 2016, the cloud-security company Bitglass presented the results of its "Where's Your Data?" research project. To track how stolen personal information ends up in cybercriminals' hands, the company simulated a data leak from a non-existent bank employee. The fictitious employee supposedly leaked a corporate document containing credentials belonging to 1,500 staff members of the imaginary company. The fabricated files incorporated a Bitglass signature, which enabled the company to determine potential buyers' IP addresses and their country of residence once the data emerged on the Dark Web.
So the company fabricated an employee database and "leaked" it to track down parties that may be interested in it. For example, they monitored the use of dummy email addresses.
A few days after the leak, the data resurfaced in over 20 countries on different continents. One out of ten owners of the stolen data attempted to sign into the Google accounts whose credentials were ostensibly leaked. Within 24 hours, five attempts had been made to penetrate the imaginary bank's infrastructure.
Naturally, the leaked files contained no information related to any real people. The credentials were randomly generated. But the data spread all over the Web and drew considerable interest.
And yet leaking information and actually using it are two different things. Information can be put to use months or even years after an actual leak occurred—as soon as someone gets interested in it. So if you haven't felt an immediate impact after a data leak, don't think you’re out of the woods. Things can take a turn for the worse later.
Compromised data can appear on the underground market as separate pieces of information or in a more user-friendly format such as happened to the largest known database of leaked credentials.
Also bear in mind that a piece of relatively unimportant information, such as an email address with no password, can still be abused. Attackers can employ social-engineering techniques to lure a target into divulging the credentials they need. So if you’ve discovered that your personal information has been leaked, don't lower your guard, and pay close attention to all the calls and messages you receive. At this point, following basic security rules (e.g., refraining from revealing your password during a phone call "from the bank") is of utmost importance.
You can use the Data Breach database to learn about companies whose data was leaked.
I downloaded the database a few days ago. I found my old password for Badoo, LinkedIn, MySpace, VK and LostFilm.TV. I also dug out the old password my wife is still using on several sites. I went on to do some online searches for acquaintances of mine—about half of them found out that some of their credentials had been exposed. Most of the passwords were outdated, but some were still being used… So the lesson is to change your password often, and don't use the same password on all sites. :)
The Anti-virus Times recommends
- If you hear about a data leak, change your passwords.
- Make sure your passwords are strong.
The most common password in the database containing 1.4 billion credentials was "123456".
- Never store passwords in your browser's password manager or in text files or in office documents on your computer.
- Don't use a single password to access online banking and entertainment sites.
- Check your account balance regularly.
It can also be a good idea to check your credit history by contacting an appropriate financial institution in your country to make sure that no one has attempted to impersonate you to borrow money from a bank..
- Delete files containing personal information if you no longer need them, and keep the files like that you do need in a safe storage location.