Hold Security have reported that they've identified the theft of 1.2 billion username and password combinations that have been stolen by a Russian cybergang from various web and FTP sites.
"Whether you are a computer expert or a technophobe, as long as your data is somewhere on the World Wide Web, you may be affected by this breach," Hold Security say in their report. "Your data has not necessarily been stolen from you directly. It could have been stolen from the service or goods providers to whom you entrust your personal information, from your employers, even from your friends and family."
Hold Security explain that the hackers "didn't just target large companies; instead, they targeted every site that their victims visited. With hundreds of thousands sites affected, the list includes many leaders in virtually all industries across the world, as well as a multitude of small or even personal websites."
With the 1.2 billion usernames and passwords stolen, and associated with 500 million email addresses, the sheer scale of the breach makes it likely that you or your business may have been affected in some way by the breach. Our advice is to ensure that your business passwords are strong and that you have good password practices in place within your business. Strong passwords make it extremely difficult for hackers to crack the password hashes that are typically stolen in these types of breaches. If you are concerned that this breach may have affected your business, then it's a good time to improve your password strength and practices. Password security is vital to keeping your identity safe online and with a few simple changes you can improve your online security.
Tips on making your passwords strong:
- Make all passwords at least 15 characters long
- Use entropy in passwords. They should contain uppercase & lowercase letters, numbers & symbols.
- Avoid the use of dictionary words or common names, and avoid using any personal information.
- Don’t replace 'i' with a '1', or 'a' with a '4' etc. These are well-established password tricks which any hacker will be familiar with.
- Avoid sequences or repeated characters.
Strong passwords need to be augmented with strong practice:
- Do not use the same password on multiple sites.
- Never allow passwords to be written down or stored in the notes section of phones.
- Do not store passwords in Word or Excel. Even if those files are later deleted there will still be a recoverable imprint of it on the computer, long after it is sold or donated to a recycling company.
- Do not allow passwords to be emailed. Emails are able to be read by provider of the service.
- Do not feel the need to regularly change strong passwords. A very strong password that is used for a long time is more secure than a weaker password that is regularly changed for a similarly weak password. Enforcing regular changing of passwords can often result in employees adopting weaker passwords to make them easier to remember.
As hackers, and the tools available to them, become more sophisticated the number of website breaches will continue to grow. They are not one-offs and are only going to become more prevalent in the future. Ensuring your passwords are strong, not re-used across your company, and stored in encrypted form will put your and your business in the best position to mitigate the risk of these hacks affecting your organization.