People throughout the world are being warned to update their passwords for social media sites after a massive number of login credentials appeared for sale on the dark web in recent weeks. The latest warning concerns the possibility that Twitter passwords have also been compromised by a suspected Russian hacker, though Twitter strongly denies that its systems have suffered a breach. So, what is going on?
Many Facebook and Netflix users have already been asked by those companies to update their passwords, a request that at first glance suggests the companies know of a break-in. According to security researcher Graham Cluley, however, Facebook is asking people to change their credentials not because it knows of any hack on the social giant itself, but because the separate breaches of LinkedIn, MySpace and Tumblr may have handed the hacker working logins for other sites too.
This is a reasonable possibility, since many people use the same email and password combination on a number of the sites they join. When the suspected Russian hacker obtained the Tumblr login credentials, he may therefore also have ended up with the details needed to log in to Netflix or Facebook.
Encouraging people to update their passwords at a time like this is a proactive way of helping Facebook users protect their accounts, even though the breaches are believed to have occurred at entirely unaffiliated websites. The message that Facebook has been sending users reads as follows:
‘Recently, there was a security incident on another website unrelated to Facebook. Facebook was not directly affected by the incident but your Facebook account is at risk because you were using the same password in both places. For your protection, no one can see you on Facebook until you finish.’
At the moment it is not clear how Facebook has been able to single out the users who received the message with such confidence, or how it appears to know that those users were using the same credentials in both places.
The most likely starting point is the email address, which appears in both sites' records, rather than the password itself. An email match alone, however, would not justify the wording of the message, since it says nothing about whether the password was reused. A site can confirm that without ever holding the user's plaintext: it takes the leaked password for a matching email address, runs it through its own hashing routine with that account's own salt, and compares the result with the hash it already stores. Whether Facebook did exactly this, or whether the firms are working together by cross-examining their databases of email addresses, remains unexplained for the time being.
Reusing passwords across different online sites, common as the practice is, exposes Internet users to the compromise of every account that shares them. If it is true that as many as 32 million Twitter logins are being sold on Tor marketplaces (the dark web) even though the site was not directly breached, then a great many Internet users must be using the same email/password combination on a number of different sites.
Although 32 million Twitter passwords sounds like a huge number, it is small next to the 177 million LinkedIn credentials and 362 million MySpace logins previously stolen. It becomes clear that the 32 million Twitter credentials now for sale on the dark web could indeed belong to users who simply used the same email and password combination for two of their accounts.
Michael Coates, Twitter's information security officer, has gone public explaining that Twitter stores passwords using the strong bcrypt hashing algorithm. bcrypt is a deliberately slow, salted hash, so even a stolen copy of Twitter's password database would not yield plaintext passwords in bulk, which is hard to square with a dump of ready-to-use logins. Twitter is apparently satisfied that a direct penetration of its systems has not occurred:
‘We are confident that these usernames and credentials were not obtained by a Twitter data breach—our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks.
A number of other online services have seen millions of passwords stolen in the past several weeks. We recommend people use a unique, strong password for Twitter.’
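The cross-check Twitter describes above, and that Facebook appears to have performed, as an added example (Python written for this page, not Facebook's or Twitter's own code): a site that holds only per-user salts and slow salted hashes takes a leaked plaintext email/password list from an unrelated breach, re-hashes each leaked password with the matching account's own salt, and flags the accounts whose hash matches. PBKDF2 from the standard library stands in for the bcrypt Twitter mentions, the iteration count is kept low so the demo runs quickly, and the accounts and the dump are constructed sample data, not records from any real breach.

```python
"""Cross-check a leaked email/password dump against a site's own password store.

Added example (not Facebook's or Twitter's code). The site keeps only a per-user
salt and a slow salted hash; PBKDF2-HMAC-SHA256 stands in for the bcrypt Twitter
describes. For each leaked pair whose email matches a local account, the leaked
password is re-hashed with that account's salt and compared in constant time.
A match proves the user reused the password; the site never stores plaintext.
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # kept low so the example runs quickly; use far more in production


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted hash of one password (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(email: str, password: str) -> dict:
    """What the site stores at registration: email, random salt, hash. No plaintext."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


def build_store(accounts) -> dict:
    """Index account records by lower-cased email."""
    return {rec["email"]: rec for rec in (make_record(e, p) for e, p in accounts)}


def find_reused(store: dict, dump) -> list:
    """Return the emails of local accounts whose leaked password also unlocks them.

    The email join is the cheap filter: dump entries with no local account are
    skipped before any hashing. Only a hash match counts as confirmed reuse, so a
    user who merely shares an email address with the breached site is not flagged.
    """
    at_risk = []
    for email, leaked_pw in dump:
        rec = store.get(email.lower())
        if rec is None:
            continue
        candidate = hash_password(leaked_pw, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            at_risk.append(rec["email"])
    return at_risk


# Constructed sample data (not from any real breach).
OUR_ACCOUNTS = [
    ("alice@example.com", "123456"),             # reused the same password elsewhere
    ("bob@example.com", "PLoi98JJH5hoT7Pde"),    # unique password on this site
    ("dave@example.com", "correcthorsebattery"),
]

LEAKED_DUMP = [
    ("Alice@Example.com", "123456"),    # same password as on our site -> at risk
    ("bob@example.com", "hunter2"),     # same email, different password -> not flagged
    ("carol@example.com", "letmein"),   # no account here -> skipped
]

if __name__ == "__main__":
    store = build_store(OUR_ACCOUNTS)
    for email in find_reused(store, LEAKED_DUMP):
        print(f"password reuse confirmed, force a reset: {email}")
```

Two practical notes. A dump that contains only hashes rather than plaintext has to be cracked to plaintext first, because a hash made with another site's salt and algorithm cannot be compared with a local one. And because the slow hash is the expensive step, the email join is done first so that only accounts that actually appear in the dump are hashed.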
How to keep account passwords safe?
Although remembering different passwords for different sites is hard, especially now that people join so many services, it remains highly important to do so.
Strong passwords should be long, complicated and unique: a random string of letters and numbers, including both lowercase and uppercase letters. A truly strong password is one you cannot reasonably remember off by heart.
With this in mind, you will need to keep your passwords somewhere other than your head. A password manager does this for you; if you prefer paper, my advice is to buy a second-hand book from a charity shop and put it on your bookshelf amongst all your other books. In this book you can write your passwords down and check on them when needed.
Although having your passwords written down physically may seem like a risk, a remote attacker is not going to break into your house. It is far more likely that they gain access to the login credentials for one of the websites you have joined.
At that stage, if you have used the same email/password combination across various sites, the criminal can simply try it on your other accounts, something that gets them nowhere if every account has its own strong, unique password.
Perhaps you are worried, as you read this, that if you write your passwords down in a book a family member, friend or partner may become privy to your hiding place (either accidentally or on purpose). To protect yourself from that much more personal kind of account infiltration, it is advisable to add a few characters to each password that are not written down. Allow me to explain:
If your password is written down as “PLoi98JJH5hoT7Pde” but your actual password is “PLoi98JJH5hoT7Pde777”, the memorised “777” means the book alone is not enough to log in, so the password remains strong against a remote criminal and cannot simply be read off the page by an untrustworthy family member or friend. Be aware, though, that a three-digit numeric suffix leaves someone who has read the book only 1,000 combinations to try; make the memorised part longer than that, and avoid repeated digits or anything else a person who knows you would guess first.
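As an added example for the advice above (Python written for this page, not the author's own scheme), the following generates the written-down part of a password uniformly at random with the `secrets` module, checks that it covers the character classes the text asks for, and puts numbers on the memorised-suffix idea: a 17-character mix of upper, lower and digits carries about 101 bits, while a three-digit memorised suffix leaves someone who has read the book only 1,000 combinations to try. The 17-character default and the 62-symbol alphabet are assumptions made here, not values from the article.

```python
"""Generate strong, unique passwords and quantify the memorised-suffix trick.

Added example. The written-down part is drawn with the `secrets` module (a
cryptographically secure source, unlike `random`), rejection sampling enforces
the character-class mix without biasing the draw, and bits()/guesses_with_book()
show how much an attacker must guess with and without sight of the book.
"""
import math
import secrets
import string

# Assumed alphabet: lower + upper + digits = 62 symbols (not specified by the article).
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def has_all_classes(pw: str) -> bool:
    """True if pw contains at least one lowercase letter, one uppercase letter and one digit."""
    return (any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def generate(length: int = 17, alphabet: str = ALPHABET) -> str:
    """Uniformly random password over `alphabet` that satisfies has_all_classes().

    Rejection sampling (redraw until the mix is right) keeps every qualifying
    string equally likely, unlike schemes that force one symbol per class into
    fixed positions.
    """
    if length < 3:
        raise ValueError("need at least 3 characters to cover three classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw):
            return pw


def bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def guesses_with_book(suffix_len: int, suffix_alphabet_size: int = 10) -> int:
    """Worst-case guesses for someone who has read the written part and knows the
    memorised suffix is `suffix_len` symbols from an alphabet of the given size."""
    return suffix_alphabet_size ** suffix_len


if __name__ == "__main__":
    written = generate(17)
    print(f"write this in the book: {written}")
    print(f"entropy of written part: {bits(len(ALPHABET), 17):.0f} bits")
    print(f"guesses left for a reader of the book, 3-digit suffix: {guesses_with_book(3)}")
    print(f"guesses left for a reader of the book, 6-char alnum suffix: {guesses_with_book(6, 62)}")
```

The two guess counts make the caveat concrete: against someone who never sees the book, the 17 random characters do the work; against someone who does, only the memorised part counts, so it should be long enough to matter.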
Just days ago, news emerged that Mark Zuckerberg, the founder of Facebook, had his Twitter and Pinterest accounts taken over by hackers calling themselves “OurMine Team”. This was achieved using credentials stolen from LinkedIn back in 2012 that Zuckerberg had reused on those accounts; the stolen data was only put to use years later. It is evidence that anybody can fall victim to poor cross-site password operational security (opsec).
The moral of the story? If you haven't changed your passwords recently, do it, because a lot of hacks have occurred and it is not yet fully clear how the details were gathered (it remains conceivable that the Twitter logins were harvested by malware on users' own machines rather than from any website).
Considering that this latest round of leaks has once more shown 123456 to be the most popular password of all, why not, while you are updating your passwords, make the effort to make them unique and complicated, so that you are amongst the clever minority who follow good opsec practices?
Practices that are likely to keep your accounts safe while others are broken into. You have been warned!