Account hacked? Change your password twice
By Nicole Kobie
Posted on 8 Jun 2012 at 11:17
Security experts have warned users to change their passwords twice, after a series of attacks on high profile sites including LinkedIn, LastFM and eHarmony.
LinkedIn was forced to admit the leak after passwords were posted online, but has said it's aware of no unauthorised access attempts. The social network reset the 6.5m affected accounts, as eHarmony and LastFM also warned users to update passwords after being attacked.
Andy Dancer, CTO at Trend Micro, said that's a good first step, but advised anyone using a site hit by hackers to reset passwords a second time.
"They should change passwords straight away, and then again when they [the company] has figured out what the problem is," he said. If the hackers still have access, they will be able to steal the new passwords too, he noted.
Bogdan Botezatu, senior analyst at Bitdefender, said LinkedIn has likely blocked the attack by now and new passwords should be safe. However, he did advise users who use a similar password at other sites to also update those credentials.
Dancer praised LinkedIn for not simply sending a reset link in emails to affected users, but requiring them to head to the site themselves - good practice for avoiding phishing attacks. "That's a really good step because you know there will be copycat emails... which are phishing emails," he said, advising other sites to use the same tactic to keep users safe.
However, Botezatu said there are "some doubts" as to how well LinkedIn has identified affected accounts. His own "very specific" password is in the leaked list, and he hasn't received a notification - but he's still updated his login details.
"If a service you're using is affected, you don't need any confirmation your account has been affected" before taking action to reset your password, he said. "By the time you've received confirmation, it's often too late."
Dancer praised the affected firms for being "generally pretty open" about the attacks, but said companies shouldn't necessarily be forced to rush into issuing breach notifications.
EU legislation is looking to push companies hit by data breaches to notify users within 48 hours, but that could cut off the ability to forensically study attacks and "figure out what's going on," he said.
With some attacks, it might be wiser to keep quiet for longer, and "not have the bad guys suddenly deleting the evidence," he said. "There is a balance to be struck."
However, he noted that companies seemed to be getting better at notifying users more quickly and sensibly. "Compare it to Sony," he said, referencing the delays and confusion around last year's hacking incident. "There's been a real improvement in how people handle it."
Can companies out there PLEASE stop storing passwords as plain text! It's the absolute height of insecure stupidity. Passwords should only EVER be stored as a one-way encrypted hash. If LinkedIn and Last.fm had done this, there wouldn't be a problem in the first place.
Once again, the average punter pays for the stupidity and insecurity of daft companies.
By Trippynet on 11 Jun 2012