Three big numbers came out this month, revealing the scale of hacks at MySpace, tumblr, and LinkedIn. The good news is that all of these hacks took place a long time ago, and if your information got out, chances are you’ve changed your password since then. The bad news is that there’s no telling how long this information has been public. The worst news of all? A lot of companies aren’t staying ahead of the game when it comes to securing passwords stored on their servers, but neither are users when it comes to picking them.
Several lists of information containing emails, user names, and passwords went on sale on the seedy underbelly of the internet this month (price quoted in Bitcoin, of course), and those lists reveal the scale of some major hacks. Earlier this month, tumblr announced in a blog post that they had recently become aware of a 2013 breach of their servers — we now know that it affected 65 million unique email addresses. Another list of LinkedIn accounts and passwords stolen in 2012 totaled over 100 million, while a MySpace breach estimated to have taken place in 2008 or 2009 affected 360 million users.
In the present, this probably doesn’t matter to you. If you have an account on any of those sites and changed your password at any point over the intervening years, you’re fine. Considering that tumblr forced you to change your password if you were affected, that’s one down for sure. And, chances are your 2008-2009 MySpace page doesn’t exist anymore, at all. The LinkedIn breach is nasty, but as long as you’re employing good password practices and changing regularly, you have nothing to worry about.
Instead, this month’s news is partially a sober reminder of how insecure online accounts are and partially another sober reminder about how dedicated hackers are to exploiting that insecurity. It’s a pretty good rule of thumb to assume that what we know is dwarfed by what we don’t know — in other words, if these are the breaches we know about, imagine how many we haven’t heard about yet.
And the arms race is heating up: in none of these three cases did the companies store unencrypted, plaintext passwords. They were all hashed, but LinkedIn and MySpace didn’t add a salt before hashing (a salt is a random string of characters added to a user’s password before hashing so that the hash result differs from user to user). All three sites used SHA-1, which is easy to exploit without a salt because the same password will always produce the same hash. In other words, ‘password1’ will always produce the same string of characters when it’s hashed with SHA-1, allowing hackers to precompute lists of hashes for commonly used passwords and simply look leaked hashes up in them. At this point, cracking software can easily do this for all passwords that use only letters and are fewer than ten characters long, which is why so many sites require you to use a mix of lowercase, uppercase, numbers, and special characters. Although tumblr still required users to change their passwords, it did use a salt, making those passwords more secure and harder to crack.
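To make the salt point concrete, here is an added Python example (not code from the article or from any of the companies named): it shows that unsalted SHA-1 gives identical passwords identical hashes, so a precomputed table of common-password hashes identifies them directly, while a random per-user salt combined with a slow key-derivation function (PBKDF2-HMAC-SHA256, an assumed choice for the hardened form) produces a different digest for every user. The password list and the "leaked" dump are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample: a handful of weak passwords standing in for a
# real list of commonly used ones.
COMMON_PASSWORDS = ["password1", "123456", "letmein", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """The weak scheme described above: one fixed hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> plaintext once; it stays valid for every unsalted dump."""
    return {sha1_unsalted(p): p for p in candidates}


def recover_unsalted(leaked_hashes, table: dict) -> dict:
    """Any leaked unsalted hash present in the table is identified instantly."""
    return {h: table[h] for h in leaked_hashes if h in table}


def hash_salted(password: str, salt: bytes = None, iterations: int = 100_000) -> tuple:
    """Hardened storage: 16 random salt bytes per user plus a slow KDF.

    Returns (salt, iterations, digest); all three must be stored to verify later.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, stored: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    # Constructed "leak": two users chose password1, one chose something stronger.
    leaked = [sha1_unsalted("password1"), sha1_unsalted("password1"),
              sha1_unsalted("Tr0ub4dor&3-not-in-table")]
    hits = recover_unsalted(leaked, build_lookup_table(COMMON_PASSWORDS))
    # With a salt, the same password stored for two users no longer collides.
    user_a, user_b = hash_salted("password1"), hash_salted("password1")
    return {"unsalted_hits": len(hits), "salted_digests_equal": user_a[2] == user_b[2]}
```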
It’s all a bit confusing, but if there’s one takeaway, it’s that making passwords with a mix of lowercase letters, uppercase letters, numbers, and special characters is like being told to eat your vegetables as a kid — you might not want to do it, but your parents aren’t lying when they say it’s good for you. We can (and should, and will) harp on companies to improve their data security, but hackers will keep improving their techniques, too — there’s only so much companies can do, especially when hundreds of thousands of users are still using password1 (or at least were in 2008).
As always, if you’re worried you’ve been the victim of a hack, you can check Have I Been Pwned to see for sure.
Via Naked Security