Oh boy. More data theft drama this week.
On Tuesday, a firm named Hold Security reported that a Russian gang has amassed more than 1.2 billion username/password combos as well as 500 million email addresses. The data came from more than 420,000 sites.
The first time I saw this headline, I thought it was an emergency situation — that something big had just happened. But the announcement is actually the result of months of research. Some of the compromised data comes from purchases of old data from old breaches — ones we’ve already dealt with. The firm has discovered that the Russian gang has a shipload of data for sure, and it is dangerous, but how dangerous is yet to be determined.
Another thing to remember is that the Black Hat hacker conference is this week, and security firms frequently make major announcements at the conference to make a splash. Hold Security hasn’t released the details that tech reporters want on how old the passwords are, whether they are encrypted using “hashing” and other questions. We don’t even know the names of the sites yet.
In addition, Hold Security set up a paid service to help people monitor whether they’ve been hacked. Their site is really confusing. They offer breach monitoring for individuals, but one page says they’ll give you 60 days free — another place says 30. You need to sign up with each of your email addresses. I tried it with two of my addresses, and after 3 hours, I have yet to receive a confirmation. Hmmm….
So what are we going to do? Boy, that’s a good question. I’m nervous, but not panicking. Your best defense against any damage from this breach is to have unique, unguessable passwords for every single site you visit. And the best way to do that is to have a password management service like LastPass. Also, you can throw your email address into this free site to see if you’ve been involved in hacks on 29 major sites.
You should read more about the announcement and the questions around it:
Hi Beth — I know you meant, “Your best defense against any damage from this breach is to have unique, unguessable PASSWORDS for every single site you visit.” Experts further recommend that passwords should have 8 or more characters and include at least one upper case letter, one lower case letter, one number and, if the site allows, one non-alphanumeric character.
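As an added illustration (my own example code, not part of the original post or comments), here is a small Python script that turns the two pieces of advice above into a check you can run against your own list of site logins: the password rules from the comment (8 or more characters, an upper-case letter, a lower-case letter, a digit and, where the site allows it, a non-alphanumeric character) and the post's point that a password reused across sites lets one breach unlock the others. The site names and passwords in the sample vault are constructed for the example and are not real credentials.

```python
import re

# Rules as stated in the comment above: 8+ characters, at least one upper-case
# letter, one lower-case letter, one digit and (where the site allows it)
# one non-alphanumeric character.
POLICY_RULES = {
    "at least 8 characters": lambda pw: len(pw) >= 8,
    "an upper-case letter": lambda pw: re.search(r"[A-Z]", pw) is not None,
    "a lower-case letter": lambda pw: re.search(r"[a-z]", pw) is not None,
    "a digit": lambda pw: re.search(r"[0-9]", pw) is not None,
    "a non-alphanumeric character": lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None,
}


def policy_failures(password, allow_symbols=True):
    """Return the list of rule names the password does not satisfy.

    allow_symbols=False models a site that rejects punctuation; the
    non-alphanumeric rule is then skipped rather than counted as a failure."""
    failures = []
    for name, check in POLICY_RULES.items():
        if name == "a non-alphanumeric character" and not allow_symbols:
            continue
        if not check(password):
            failures.append(name)
    return failures


def reused_passwords(credentials):
    """Given {site: password}, return {password: sorted list of sites} for
    every password used on more than one site. Reuse is what turns one
    breached site's credential list into a key for other sites."""
    by_password = {}
    for site, password in credentials.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def audit(credentials, no_symbol_sites=()):
    """Combine both checks into one report: per-site policy failures plus
    passwords shared across sites. no_symbol_sites lists sites that do not
    accept non-alphanumeric characters."""
    report = {}
    for site, pw in credentials.items():
        failures = policy_failures(pw, allow_symbols=site not in no_symbol_sites)
        if failures:
            report[site] = failures
    return {"policy": report, "reused": reused_passwords(credentials)}


# Constructed sample vault (hypothetical sites and passwords, not real data).
SAMPLE_VAULT = {
    "example-shop.test": "Summer2014",
    "example-bank.test": "Summer2014",
    "example-mail.test": "x7#Qp!vL2m",
    "example-forum.test": "password",
}


if __name__ == "__main__":
    result = audit(SAMPLE_VAULT)
    for site, failures in result["policy"].items():
        print(f"{site}: missing {', '.join(failures)}")
    for pw, sites in result["reused"].items():
        print(f"one password reused on {len(sites)} sites: {', '.join(sites)}")
```

Run it as-is to see the sample report, or replace SAMPLE_VAULT with an export from your own password manager; the reuse check is the one that matters most for a breach like this, because a strong password that is shared between two sites is still only as safe as the weaker site.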
Jeff, GREAT CATCH! Thanks for telling me. Post is updated, and face is red. 🙂 And great points about the password rules.