The Post

Mega hacks should prompt internet companies to go the extra mile

Companies can fix compromised passwords before the hackers do, writes Tom Pullar-Strecker.

More than a billion log-on credentials and passwords have been leaked online from just 10 “mega hacks” of services such as LinkedIn, MySpace and Ashley Madison.

The scale of the leaks raises the thorny question of whether online services that were not hacked have a duty of care to warn customers if shared credentials have been contaminated.

To explain: We all know the advice that you should use a different password for every online service. But back in the real world many people use the same username and password for a lot of them.

That creates the risk that if one service is hacked and credential­s are dumped on the internet, fraudsters could try pot luck and use them to target a raft of other online services.

A hacker will know for example that if someone has the username “JohnSmith803” and the password “99Dalmatians” on LinkedIn, there is a pretty good chance that if they type the same username and password into Facebook, it will open up an account there too.

Recognising the risk, a few large internet companies have taken the laudable step of trawling through the lists of stolen usernames that have been dumped on the web.

They have then proactively warned customers to change their passwords if they find a match with usernames on their own services.

Internet radio service Pandora emailed warnings to some of its customers after usernames and passwords from a major 2012 hack (possibly LinkedIn’s) were posted on the web in June, for example.

“In order to protect Pandora listeners, our security teams analysed the data and found that some Pandora usernames were included in the list of usernames and passwords leaked on the internet,” a spokesman explained.

“As a precaution, we wanted to make those listeners aware of a situation and encourage them to change their password as many people often use the same password across different accounts.”

If that is a full description of the analysis Pandora did, then the company will have issued a lot of unnecessary warnings to people who used a different password for Pandora and the hacked service, as well as helpful warnings to those people who had shared passwords.

Although it might raise privacy concerns, online businesses could reduce unnecessary warnings by developing an automated tool to enter both dumped usernames and passwords into their log-in pages – just as a hacker might do – to check if they worked.

Sure, it’s not strictly their responsibility to do that, but in the case of mega hacks such as the LinkedIn and MySpace compromises, that could save a lot of headaches for a lot of people.
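An added illustration of the difference between the two checks, not code from Pandora or any other company named here: it compares a constructed leaked dump against a constructed user store, offline against the service’s own stored password hashes rather than by driving its log-in page, and flags only the accounts whose leaked password actually verifies. The usernames, passwords and the choice of PBKDF2 as the hash are all assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever KDF a real service uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def build_user_store(accounts: dict) -> dict:
    """Constructed user store: lower-cased username -> (salt, password hash)."""
    store = {}
    for username, password in accounts.items():
        salt = os.urandom(16)
        store[username.lower()] = (salt, hash_password(password, salt))
    return store


# Constructed sample data (assumed), not real accounts or real leaked credentials.
USER_STORE = build_user_store({
    "JohnSmith803": "99Dalmatians",       # reused the password that was leaked
    "alice": "a-different-pandora-pw",    # same username, different password here
    "bob": "bob-only-pw",                 # not present in the dump at all
})
LEAKED_DUMP = [
    ("JohnSmith803", "99Dalmatians"),
    ("alice", "alice-old-linkedin-pw"),
    ("carol", "carol-pw"),                # no account on this service
]


def username_only_matches(dump, store) -> set:
    """The coarse check described in the column: warn on any username overlap."""
    return {username.lower() for username, _ in dump if username.lower() in store}


def verified_reuse_matches(dump, store) -> set:
    """Warn only where the leaked password verifies against the stored hash."""
    hits = set()
    for username, leaked_pw in dump:
        entry = store.get(username.lower())
        if entry is None:
            continue
        salt, stored_hash = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored_hash):
            hits.add(username.lower())
    return hits
```

Running both checks over the same dump shows the username-only pass would also warn alice, whose Pandora password differs, while the verified pass warns only the account that genuinely shares the leaked password.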

Internet users certainly can’t rely on this kind of proactive security alert though.

Whatever your online habits, it is always a good idea to set a genuinely unique password at least for your bank, your internet account and government identity service RealMe.

NetSafe spokesman Chris Hails says the same goes for any online service that has a credit card connected to it, which should also be defended with unique credentials.

“People almost need to take a risk assessment view of the services they are using,” he says.

“That sounds a bit over-the-top for the average home user but we have seen cases where a Facebook account has been hacked and someone is running a business page and they have their credit card details in there, and we see their advertising account get used to rack up $100,000 of advertising.

“There is all kinds of value in these accounts. You can crack someone’s email and scam their friends and family.”

It is fantastic that companies such as Pandora are trying to help users out, he says.

PHOTO: REUTERS. Internet radio service Pandora has been applauded for getting on the front foot over password leaks.
