It was recently reported in the New York Times that a criminal gang in Russia has amassed a massive collection of usernames, passwords, and email addresses: over one billion username/password pairs and over 500 million email addresses.
Let’s dig into the details…
How does this happen?
While this gang seems to have been very successful, there is nothing new about how they obtained this information. They started with a small set of passwords (which they seem to have bought), and then worked their way through one website/company after another, gaining access, installing phishing redirects, and finding other vulnerabilities. Part of their activities also involved the use of a botnet to gather information directly from people’s computers. In the end, apparently, data was taken from over 420,000 websites!
What does this mean to me?
In short, your usernames, passwords, and email addresses may be exposed. Right now it’s not known how many of the passwords were in the clear (and so directly usable) and how many were in hashed or encrypted form. So it’s hard to assess exactly how much risk there is, but, given the scope of this dataset, it’s safe to say that there is a good chance that passwords you use have been compromised. And doubly so if you (like many people) are in the habit of re-using the same passwords at many different websites.
What should I do now?
Right now, you should change the passwords for all of your critical accounts. While you are at it, if possible, set up two-factor authentication for your critical accounts such as your online banking account, PayPal, your primary email account, etc. (Access to your primary email account often lets people reset the passwords of all your other accounts and so take them over too – just ask Sarah Palin or Twitter.)
When you’re doing this, look at the guidelines below and make sure to use different passwords for your accounts (at the very least do this for your most critical accounts).
What could/should I have done to stay safe (and pinky promise to do in the future)?
- Be sure to use a different password on every site. You should never reuse passwords across websites. Some services like Gmail will even let you generate several separate passwords, so you can use a different password on each device (laptop, smartphone, tablet, etc.).
- Try to make your passwords complex. Definitely don’t just use dictionary words (I’m talking to you, “red sox”); instead try passwords that combine letters and numbers, such as “r3ds0x”. However, there’s a debate on what’s best for passwords right now, since unless you’re using a password manager you will have trouble remembering “932ujsdo8u23knsdf”. Passphrases that are long but also easy to remember, such as “1 2 3 take me out to the ball game 1 2 3”, seem to be best right now.
- Use two-factor authentication for your critical accounts. Two-factor authentication, such as receiving a text message code when you log in, makes your online accounts much safer and is the 2nd most important thing to do (besides not using “puppy” as your password).
- Consider a password manager. Using a system like MaskMe to manage your passwords lets you easily use unique & complex passwords for every website. You’ll have more secure accounts and you’ll still be able to access your accounts from any device, including mobile. Plus it has the benefit of using a unique email address for every website, so you can control spam if (or when) that website is cracked. Don’t forget that they got 500 million email addresses as well!
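To make the “complex vs. passphrase” point concrete, here is an added example (not part of the original post, and not code from any product named above) that scores the post’s own sample passwords two ways: the naive “characters × alphabet size” model behind most complexity rules, and an attack-aware model that undoes common leet substitutions and charges dictionary words at the cost of a dictionary lookup. The tiny word list, the assumed 5,000-entry dictionary size and the one-bit cost per leet substitution are constructed assumptions for the demo; a real checker (zxcvbn, for example) uses far larger lists and more patterns, but the ranking it produces for these inputs is the same: “r3ds0x” is barely stronger than “red sox”, and the long passphrase wins.

```python
import math
import re

# Constructed mini dictionary for the demo; a real checker loads tens of thousands of words.
DEMO_WORDS = {"red", "sox", "puppy", "take", "me", "out", "to", "the", "ball", "game"}
# Assumed size of the word list a cracker would actually use: a recognised word costs
# log2(ASSUMED_DICT_SIZE) bits, no matter how many characters it has.
ASSUMED_DICT_SIZE = 5000
# Assumed cost of one leet substitution: crackers apply these as cheap mangling rules.
LEET_BITS = 1.0
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def charset_bits(pw: str) -> float:
    """Naive strength: log2(alphabet_size ** length), i.e. the 'mix letters and digits' model."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


def undo_leet(pw: str):
    """Replace leet digits/symbols that sit next to letters; returns (normalised, count)."""
    chars = list(pw.lower())
    subs = 0
    for i, ch in enumerate(chars):
        if ch in LEET:
            prev_alpha = i > 0 and chars[i - 1].isalpha()
            next_alpha = i + 1 < len(chars) and chars[i + 1].isalpha()
            if prev_alpha or next_alpha:
                chars[i] = LEET[ch]
                subs += 1
    return "".join(chars), subs


def segment(token: str):
    """Split a letters-only token into dictionary words (dynamic programming); None if impossible."""
    best = [None] * (len(token) + 1)
    best[0] = []
    for i in range(1, len(token) + 1):
        for j in range(i):
            if best[j] is not None and token[j:i] in DEMO_WORDS:
                best[i] = best[j] + [token[j:i]]
                break
    return best[len(token)]


def dictionary_bits(pw: str) -> float:
    """Attack-aware estimate: leet undone, words charged at dictionary cost, digits at
    log2(10) each, and unrecognised letters at log2(26) each (brute force)."""
    normalised, subs = undo_leet(pw)
    bits = subs * LEET_BITS
    for token in re.findall(r"[a-z]+|[0-9]+", normalised):
        if token.isdigit():
            bits += len(token) * math.log2(10)
            continue
        words = segment(token)
        if words is None:
            bits += len(token) * math.log2(26)
        else:
            bits += len(words) * math.log2(ASSUMED_DICT_SIZE)
    return bits


def rank(candidates):
    """Return the candidates ordered weakest to strongest under the attack-aware model."""
    return sorted(candidates, key=dictionary_bits)


SAMPLES = ["puppy", "red sox", "r3ds0x", "932ujsdo8u23knsdf",
           "1 2 3 take me out to the ball game 1 2 3"]

if __name__ == "__main__":
    print(f"{'password':45} {'naive bits':>10} {'attack-aware bits':>18}")
    for pw in rank(SAMPLES):
        print(f"{pw!r:45} {charset_bits(pw):10.1f} {dictionary_bits(pw):18.1f}")
```

Under the naive model “r3ds0x” looks a third stronger than “red sox”; under the attack-aware model the two leet substitutions add only about two bits, because a cracker tries those substitutions as rules. The passphrase scores far above both, and above the random string too, simply because it contains many more independent choices.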