Catch Of The Week: Ghosts Of Passwords Past – Don’t Get ‘Pwned’!

By BECKY RUTHERFORD
Los Alamos

Interested in tracking when your emails and associated accounts are involved in data breaches?

Consider signing up for alerts on https://haveibeenpwned.com/ (side note – “pwned” is slang for “defeated”, commonly used by gamers).

This site will monitor your email accounts and let you know if they are involved in data breaches.

See screenshot below.

How does it work? Security researcher Troy Hunt runs the site, which monitors data breaches. You can enter your email address, as in the above screenshot, and the site will check and tell you if you were involved in any known data breaches.

You can also sign up to receive email alerts every time your email is found in a new data breach (see screenshot below). There is no charge for this service.

Data breaches are a dime a dozen nowadays. As I type this, there’s probably a new breach being uncovered. Data breaches occur when bad actors breach the security of a company and steal their data. Usually, the data ends up for sale on the dark web, or sometimes just dumped on the internet on sites like Pastebin for all to see. Do not attempt to search out this data yourself; it may take you places that aren’t safe.

What should you do if your email is involved in a data breach? Well, my email was just involved in the LiveJournal data breach. LiveJournal is a blogging platform. They suffered a data breach back in 2014, according to multiple bad actors who are now selling and trading the company’s 2014 databases on the dark web and hacking forums, per reports from ZDNet (highly recommend – great resource for cyber news!).

See screenshot below for an example of the notification they sent me.

I haven’t used LiveJournal in years, but I promptly logged into the account and changed the password to a complex, unique password.

You can also add two-factor authentication (2FA) to most social media accounts, which is always a good idea. With 2FA, even if someone gets your password, they can’t access your account without that second form of authentication, whether it comes from an authenticator app, a hardware token like a YubiKey, or a text message.

If you were involved in a data breach and the password you used was one that you used at other sites, bad news: you are “pwned.” With that leaked information and some automation tools that are relatively simple to set up, bad actors can try that email/password combination very quickly across multiple sites. They will break into any accounts where you reused that password. If one is breached, consider them all breached, and if you don’t have 2FA set up on those accounts, you are in for a bad time.

The best way I have found to keep track of all my passwords is via password vault services, like LastPass, Dashlane, etc. For a yearly fee, they will track all your passwords, generate new, complex passwords, and store them securely. I highly recommend adding 2FA if you choose to use any password vault service, because the last thing you want is for your vault to get breached!

Stay alert, and watch out for data breaches that you may have been involved in. If you are involved in a data breach, change the password on that site and any other sites you may have used it on. Don’t reuse passwords, make sure they are complex and hard to crack, and use 2FA on every account you can.
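The "if one is breached, consider them all breached" rule above, worked as an added example that is not part of the original column: given a password list and the name of a breached site, it reports every account that shares the leaked password, with accounts lacking 2FA listed before those that have it. The vault entries are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample export; every site except livejournal.com is made up.
VAULT = [
    {"site": "livejournal.com", "password": "Tr0ub4dor&3",    "twofa": False},
    {"site": "shop.example",    "password": "Tr0ub4dor&3",    "twofa": False},
    {"site": "mail.example",    "password": "Tr0ub4dor&3",    "twofa": True},
    {"site": "bank.example",    "password": "x9!Lq2#vTz7pWm", "twofa": True},
    {"site": "forum.example",   "password": "hunter2-forum",  "twofa": False},
]

_KEY = secrets.token_bytes(32)  # per-run key: fingerprints mean nothing outside this process


def fingerprint(password: str) -> str:
    """Keyed hash so passwords can be compared without handling plaintext in reports."""
    return hmac.new(_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()


def reuse_groups(vault):
    """Return lists of sites that share one password (groups of two or more)."""
    groups = defaultdict(list)
    for entry in vault:
        groups[fingerprint(entry["password"])].append(entry["site"])
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def blast_radius(vault, breached_site):
    """Accounts to change after a breach at breached_site, most urgent first."""
    leaked = {fingerprint(e["password"]) for e in vault if e["site"] == breached_site}
    exposed = [e for e in vault if fingerprint(e["password"]) in leaked]
    # Breached site first, then accounts without 2FA, then accounts with 2FA.
    exposed.sort(key=lambda e: (e["site"] != breached_site, e["twofa"], e["site"]))
    return [(e["site"], "2FA on" if e["twofa"] else "NO 2FA") for e in exposed]


if __name__ == "__main__":
    for site, status in blast_radius(VAULT, "livejournal.com"):
        print(f"change password: {site:18} ({status})")
    print("reused passwords:", reuse_groups(VAULT))
```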

Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.
