Account hacked? Change your password twice

By Nicole Kobie

Posted on 8 Jun 2012 at 11:17

Security experts have warned users to change their passwords twice, after a series of attacks on high-profile sites including LinkedIn, LastFM and eHarmony.

LinkedIn was forced to admit the leak after passwords were posted online, but has said it's aware of no unauthorised access attempts. The social network reset the 6.5m affected accounts, as eHarmony and LastFM also warned users to update passwords after being attacked.

Andy Dancer, CTO at Trend Micro, said that's a good first step, but advised anyone using a site hit by hackers to reset passwords a second time.

"They should change passwords straight away, and then again when they [the company] has figured out what the problem is," he said. If the hackers still have access, they will be able to steal the new passwords too, he noted.

Bogdan Botezatu, senior analyst at Bitdefender, said LinkedIn has likely blocked the attack by now and new passwords should be safe. However, he did advise users who use a similar password at other sites to also update those credentials.

Email protection

Dancer praised LinkedIn for not simply sending a reset link in emails to affected users, but requiring them to head to the site themselves - good practice for avoiding phishing attacks. "That's a really good step because you know there will be copycat emails... which are phishing emails," he said, advising other sites to use the same tactic to keep users safe.

However, Botezatu said there are "some doubts" as to how well LinkedIn has identified affected accounts. His own "very specific" password is in the leaked list, and he hasn't received a notification - but he's still updated his login details.

"If a service you're using is affected, you don't need any confirmation your account has been affected" before taking action to reset your password, he said. "By the time you've received confirmation, it's often too late."

Notifications

Dancer praised the affected firms for being "generally pretty open" about the attacks, but said companies shouldn't necessarily be forced to rush into divulging notifications.

EU legislation is looking to push companies hit by data breaches to notify users within 48 hours, but that could cut off the ability to forensically study attacks and "figure out what's going on," he said.

With some attacks, it might be wiser to keep quiet for longer, and "not have the bad guys suddenly deleting the evidence," he said. "There is a balance to be struck."

However, he noted that companies seemed to be getting better at notifying users more quickly and sensibly. "Compare it to Sony," he said, referencing the delays and confusion around last year's hacking incident. "There's been a real improvement in how people handle it."

User comments

Not again!

Can companies out there PLEASE stop storing passwords as plain text! It's the absolute height of insecure stupidity. Passwords should only EVER be stored as a one-way encrypted hash. If LinkedIn and Last.fm had done this, there wouldn't be a problem in the first place.

Once again, the average punter pays for the stupidity and insecurity of daft companies.

By Trippynet on 11 Jun 2012
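The comment above argues that a site should never keep the password itself, only a one-way hash of it. The following is an added example (not code from PC Pro, LinkedIn or any of the sites named in the article) showing what that looks like in practice: each password gets a random per-user salt, is run through a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), and is later checked with a constant-time comparison. The iteration count, the record format and the user names are assumptions made for this example. Because the salt differs per user, two users who chose the same password end up with different stored records, so a leaked table does not even reveal which accounts share a password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; real deployments tune it to their hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    The salt is normally generated here with os.urandom; passing one explicitly
    is only for reproducible tests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare it.

    hmac.compare_digest runs in constant time, so a wrong guess takes as long to
    reject as a near-miss, which removes a timing side channel from the check.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_credential_store(users: dict) -> dict:
    """Turn {username: password} into {username: hashed record}.

    This is the table that would sit in the database; the plaintext passwords
    never need to be written anywhere.
    """
    return {name: hash_password(pw) for name, pw in users.items()}


def shared_passwords_visible(store: dict) -> bool:
    """True if any two records in the store are identical.

    With per-user salts this is False even when users chose the same password,
    which is one of the things a leaked hashed table does not give away.
    """
    records = list(store.values())
    return len(records) != len(set(records))


if __name__ == "__main__":
    # Constructed sample users; two of them deliberately share a password.
    signups = {"alice": "correct horse battery", "bob": "hunter2", "carol": "hunter2"}
    store = build_credential_store(signups)
    for name, record in store.items():
        print(name, record)
    print("login ok:", verify_password("hunter2", store["bob"]))
    print("login ok:", verify_password("hunter3", store["bob"]))
    print("shared passwords visible in leaked table:", shared_passwords_visible(store))
```

Storing the algorithm name and iteration count alongside each hash is what lets a site raise the work factor later without resetting everyone: old records keep verifying with their own parameters and are rewritten on the user's next successful login.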

PCPro-Computing in the Real World Printed from www.pcpro.co.uk