Lesson from Recent Data Breaches: Passwords Matter!


The security breach at LinkedIn has been big news recently.  It's understandable, since the breach exposed the passwords of potentially millions of professionals to hackers; if their accounts were accessed, this could lead to a significant amount of personal information being accessible to identity thieves and scammers.  Unfortunately, the news about LinkedIn may have been so big that it overshadowed other breaches that came to light afterward.  While almost everyone has heard about the LinkedIn breach, you may not be aware that Last.fm and eHarmony have suffered data breaches recently as well.

As with the LinkedIn breach, the eHarmony and Last.fm passwords were leaked in "hashed" form: a list of one-way hash values rather than the passwords themselves.  Hashing is not encryption, and nobody "decrypts" a hash; there is no key that turns it back into the password.  What an attacker does instead is guess candidate passwords (from wordlists, earlier breaches and common patterns), hash each guess and compare the result with the leaked values.  Any password that is short, common or already in a dictionary falls in seconds, and the job is easier still when a site stores unsalted hashes of a fast algorithm, as LinkedIn did with SHA-1: identical passwords then produce identical hashes, a single precomputed table works against the whole dump at once, and a leaked hash can simply be pasted into a search engine or an online hash-lookup database to see whether someone has cracked it already.  Several million hashes have been released across these three sites; if you have an account on any of them, log in and change your password immediately, even if the site hasn't contacted you, and change it on any other site where you used the same password.
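To make the point concrete, here is an added example (written for this page, not code from LinkedIn, eHarmony or Last.fm, and using made-up accounts, passwords and a toy wordlist) that runs a dictionary attack against a simulated dump of unsalted SHA-1 hashes, shows why a reused password matches across two such dumps, and contrasts that with a salted, slow PBKDF2 hash where the same trick fails.  The account names, passwords and wordlist are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample data for this example (not real leaked credentials).
# "linkedin" and "Summer2012" are deliberately weak; carol's is not in the wordlist.
USER_PASSWORDS = {
    "alice": "linkedin",
    "bob": "Summer2012",
    "carol": "x7#Qp!v9Lz@2wR",
}

# A tiny stand-in for the multi-gigabyte wordlists crackers actually use.
WORDLIST = ["123456", "password", "linkedin", "letmein", "Summer2012", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """Unsalted SHA-1 hex digest, the scheme LinkedIn was using in 2012."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_dump(passwords: Dict[str, str]) -> List[str]:
    """Simulate a leaked dump: just the hashes, no usernames, no salts."""
    return [sha1_unsalted(p) for p in passwords.values()]


def build_lookup_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once.  With no salt, the same table works
    against every site that stores unsalted SHA-1."""
    return {sha1_unsalted(w): w for w in wordlist}


def crack_dump(dump: Iterable[str], table: Dict[str, str]) -> Dict[str, str]:
    """Dictionary attack: each leaked hash present in the table is recovered by
    a single lookup.  Nothing is decrypted; the guess was simply hashed earlier."""
    return {h: table[h] for h in dump if h in table}


def cross_site_matches(dump_a: Iterable[str], dump_b: Iterable[str]) -> Set[str]:
    """Hashes that appear in both dumps.  With unsalted hashing a reused password
    hashes identically at both sites, so cracking it once cracks it everywhere."""
    return set(dump_a) & set(dump_b)


PBKDF2_ITERATIONS = 200_000


def pbkdf2_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: random 16-byte salt plus PBKDF2-HMAC-SHA256,
    stored as 'salt_hex$digest_hex'.  Storage format is an assumption made here."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> Dict[str, str]:
    """Attack the constructed dump; returns cracked hash -> plaintext."""
    return crack_dump(make_dump(USER_PASSWORDS), build_lookup_table(WORDLIST))


if __name__ == "__main__":
    cracked = demo()
    print(f"cracked {len(cracked)} of {len(USER_PASSWORDS)} unsalted hashes:")
    for h, p in cracked.items():
        print(f"  {h}  ->  {p}")
    # alice reused "linkedin" at a second site that also stores unsalted SHA-1.
    site_b = make_dump({"alice@siteb": "linkedin", "dave": "hunter2"})
    print("hashes shared between the two dumps:",
          cross_site_matches(make_dump(USER_PASSWORDS), site_b))
    # Salted + slow: the same password stores differently each time, so a
    # precomputed table is useless and every guess costs PBKDF2_ITERATIONS hashes.
    s1, s2 = pbkdf2_salted("linkedin"), pbkdf2_salted("linkedin")
    print("salted records identical?", s1 == s2, "| verify ok?", verify_pbkdf2("linkedin", s1))
```

Run it as a script: the two dictionary words are recovered instantly, carol's password survives because it is in no wordlist, the reused password shows up as a shared hash between the two dumps, and the two PBKDF2 records for the same password differ while still verifying correctly.  The salt defeats precomputed tables and cross-site matching; the iteration count is what makes each remaining guess expensive.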

Probably the worst part about these breaches is that, for the most part, nobody seems to know exactly how bad they are.  LinkedIn hasn't been forthcoming about the extent of the damage, and eHarmony claims that only a "small portion" of its user base was compromised despite 1.5 million password hashes being released online in a single dump.  Last.fm may be in the worst shape of the three, however, since there are reports that its passwords have been circulating for several months and the company is only now discovering the breach.

It was just last week that I was offering mild praise to the University of Nebraska for how it handled a data breach; unfortunately you won't be seeing something similar today.  The handling of the breaches at LinkedIn, Last.fm and eHarmony seems to follow the same "nothing to see here" corporate mentality that so many companies have used when reporting security breaches: statements on the severity of the problem are vague when they are made at all, and there is far more emphasis on the fact that the millions of users whose passwords were compromised were "only a portion" of the user base than on what the companies plan to do about the problem.

I've said time and time again not to use the same password on multiple accounts and to be careful about sharing TMI, and these latest breaches just drive those points home.  A password cracked from one dump can be tried directly against every other site where the same person has an account, which is exactly why reuse is so dangerous.  Think about what identity thieves could learn with access to these three accounts: your employment history, your likes and dislikes, even the type of music you listen to.  They could use your accounts to spam other users, or target identity theft tactics more precisely at you.  And if you're not vigilant in protecting your online identity, keeping track of your personal information and changing any password as soon as you learn it may have been exposed, you might not find out about it until well after the damage has been done.
