Early last week I received a call from a friend who was worried about a scam email he received. Initially, I thought “what’s the big deal?”. How bad can a scam email be? Just mark it as spam, delete it and move on.
He went on to explain that the scam message informed him that they had access to his computer and information on it. They “proved” this by stating they had his password. And there, on the next line of the email, was a password that he had previously used. It wasn’t the current password to the computer, but it was a password that he once used.
No wonder he was worried.
How could a scammer get access to a real password he once used?!? Unfortunately, it’s pretty easy to do. My friend had been 'pwned' (pronounced 'owned').
While on the phone, I asked him to visit the website have i been pwned? (haveibeenpwned.com). This is a fantastic initiative developed by Troy Hunt, who, in collaboration with CloudFlare, has compiled breach data from across the internet and provides an easy-to-search tool to see whether you've been exposed.
The tool itself doesn't reveal any further personal data and is constantly updated with new breaches.
At the time of writing, the database holds:
312 pwned websites
5,421,711,825 pwned accounts
78,924 pastes (a paste is a publicly available data dump of personal information)
86,224,073 paste accounts
517,238,891 exposed passwords
When he put in his email address, my friend discovered that he had in fact been pwned. His data had been exposed in a LinkedIn breach in 2012 and MySpace breach in 2008.
Both of these breaches exposed email and password.
We then checked to see if the password in the scammer's email was in a breach. Once again, we used the have i been pwned? website, but this time the Pwned Passwords checker. Lo and behold, that password was there. So our scammer has access to the breach data and is now trying to con people into parting with their hard-earned money.
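The password checker does not need to be sent the password itself. Pwned Passwords uses a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to `https://api.pwnedpasswords.com/range/{prefix}`, receives every hash suffix in that range with its breach count, and does the final match locally. The example below is added here to show that exchange end to end; it is not code from the original post or from have i been pwned?. The endpoint, the `Add-Padding` header and the `SUFFIX:COUNT` response format are the real ones, but the corpus it matches against is constructed (real SHA-1 hashes of a few well-known passwords with made-up counts) so that it runs offline; `online_fetch_range` is the drop-in for a live query.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str):
    """Only the 5-character prefix leaves the client; the 35-character suffix stays local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).

    Padding entries (count 0, returned when the Add-Padding header is sent)
    need no special handling: a 0 count is the same answer as 'absent'.
    """
    prefix, suffix = split_hash(sha1_hex_upper(password))
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def online_fetch_range(prefix: str) -> str:
    """Live fetcher for the real endpoint (not exercised offline)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample corpus: the counts are made up; the hashes are real SHA-1s
# so the prefix/suffix lookup behaves exactly as it would against the API.
CONSTRUCTED_CORPUS = {"password": 3861493, "123456": 23597311, "qwerty": 3912816}


def build_offline_fetcher(corpus: Dict[str, int]) -> Callable[[str], str]:
    """Simulate the range endpoint from a dict of password -> breach count."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex_upper(pw))
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(prefix: str) -> str:
        # One zero-count line mimics the padding the real API adds on request.
        lines = ranges.get(prefix, []) + ["F" * 35 + ":0"]
        return "\r\n".join(lines)

    return fetch_range


if __name__ == "__main__":
    fetch = build_offline_fetcher(CONSTRUCTED_CORPUS)
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch)
        print(f"{candidate!r}: {('seen %d times' % n) if n else 'not found'}")
```

Swap `build_offline_fetcher(...)` for `online_fetch_range` to query the live service; the privacy property is the same either way, because `pwned_count` never passes anything but the five-character prefix to the fetcher.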
So this experience gave us an idea. Why don't we check all our clients to see if they've been pwned? We can iterate through all the user accounts on our support portal and query the have i been pwned? API to see if any of them have been exposed. We'll run this check monthly to catch new breaches, which unfortunately keep happening: from time to time, and more often than we would like, companies lose or inadvertently expose our personal information, including names, email addresses, passwords, password hints and more.
If we find a breach, we can log a ticket on the client's behalf and help them change passwords where needed.
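One way to build that monthly sweep, as an added example that is not the original post's code or anything have i been pwned? ships: the v3 `breachedaccount` endpoint needs an `hibp-api-key` header, answers 404 for an address that appears in no breach and 200 with a JSON list of breach objects otherwise, and with `truncateResponse=false` each object carries `Name`, `BreachDate`, `AddedDate` and `DataClasses`. The sweep keeps only breaches whose `AddedDate` is later than the previous run and drafts a ticket that says whether passwords were among the exposed data. The addresses and breach records below are constructed so it runs offline; the rate-limit pause is an assumption (the real limit depends on your key).

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

BREACHED_ACCOUNT_API = "https://haveibeenpwned.com/api/v3/breachedaccount/"

# A fetcher takes an e-mail address and returns (HTTP status, response body).
Fetcher = Callable[[str], Tuple[int, str]]


def parse_breaches(status: int, body: str) -> List[dict]:
    """404 means 'not in any breach'; 200 carries a JSON list of breach objects."""
    if status == 404:
        return []
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    return json.loads(body)


def new_since(breaches: List[dict], since: str) -> List[dict]:
    """Keep breaches HIBP added after our last run.

    AddedDate is an ISO-8601 UTC timestamp, so plain string comparison orders correctly.
    """
    return [b for b in breaches if b["AddedDate"] > since]


def draft_ticket(email: str, breaches: List[dict]) -> dict:
    """Turn a list of fresh breaches into the ticket we would log for the client."""
    password_exposed = any("Passwords" in b.get("DataClasses", []) for b in breaches)
    return {
        "email": email,
        "breaches": sorted(b["Name"] for b in breaches),
        "password_exposed": password_exposed,
        "action": (
            "Change password here and on any site sharing it; enable 2FA"
            if password_exposed
            else "Notify user; no password data in these breaches"
        ),
    }


def sweep(emails: List[str], fetch: Fetcher, since: str, pause: float = 0.0) -> List[dict]:
    """Check every account; return one ticket draft per account with new exposure.

    `pause` spaces out live requests (assumed ~1.5 s; the API is rate-limited per key).
    """
    tickets = []
    for email in emails:
        fresh = new_since(parse_breaches(*fetch(email)), since)
        if fresh:
            tickets.append(draft_ticket(email, fresh))
        if pause:
            time.sleep(pause)
    return tickets


def online_fetcher(api_key: str) -> Fetcher:
    """Live fetcher (not exercised offline): requires an hibp-api-key."""
    def fetch(email: str) -> Tuple[int, str]:
        url = BREACHED_ACCOUNT_API + urllib.parse.quote(email) + "?truncateResponse=false"
        req = urllib.request.Request(
            url, headers={"hibp-api-key": api_key, "User-Agent": "breach-sweep-example"}
        )
        try:
            with urllib.request.urlopen(req, timeout=15) as resp:
                return resp.status, resp.read().decode("utf-8")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8")
    return fetch


# Constructed responses shaped like the v3 API's untruncated breach model.
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, str]] = {
    "alice@example.com": (200, json.dumps([
        {"Name": "LinkedIn", "BreachDate": "2012-05-05",
         "AddedDate": "2016-05-21T21:35:40Z",
         "DataClasses": ["Email addresses", "Passwords"]},
        {"Name": "MySpace", "BreachDate": "2008-07-01",
         "AddedDate": "2016-05-31T00:12:29Z",
         "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    ])),
    "bob@example.com": (200, json.dumps([
        {"Name": "SomeForum", "BreachDate": "2018-02-01",
         "AddedDate": "2018-03-01T10:00:00Z",
         "DataClasses": ["Email addresses", "Names"]},
    ])),
    "carol@example.com": (404, ""),
}


def offline_fetcher(responses: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Stand-in for online_fetcher that serves the constructed responses."""
    return lambda email: responses.get(email, (404, ""))
```

Persist the `since` timestamp from each run and pass it to the next so a client is ticketed once per breach, not every month; on the first run use an old date to get the full history.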
On October 1st we'll be adding a new service to help keep your business aware of data breaches. This coincides with National Cyber Security Month, which further highlights the need for better cyber security.
This service joins our other automated checks which we run for our clients:
Spam blacklist check - checks whether any of your websites or mail servers are listed on spam blacklists
Google Malware check - checks whether Google has flagged your website as containing malware
But why is this such an issue? Firstly, passwords as the only thing standing between an attacker and an account are fundamentally weak: a single secret that has to be typed into, and stored by, every site you use. We need to move away from them, but in the meantime they are part of our online security model. Secondly, to be frank, password management is very poorly handled: people choose weak passwords and reuse them again and again across multiple sites.
The issue can be illustrated with this scenario:
Your email account is secured and protected by state-of-the-art technology. No hacker has ever breached its walls and never will. However, you use the same password for an online shopping site that is not well protected, and its systems are hacked. The hacker sells your details, along with thousands or maybe even millions of others, to the highest bidder. Sometimes they'll just put them up on the web (or the dark web) for free. Now your email address and password are exposed to thousands of nefarious types, who feed lists like this into automated login attempts against popular services (credential stuffing). They can log in to your email account with your own password, and its state-of-the-art protection was never even tested.
Remember, this is only one of many scenarios.
So it's important to do a few things:
Choose a strong password for every service
Do not include any personal information or dates in your password
Never reuse a password across services
Enable two-factor authentication on every service that offers it
Check whether your details have been exposed in any previous breaches
To help with the above, we recommend using a password manager. It keeps all your passwords secure and generates a strong, unique password for each site, so reuse stops being a habit. It can also keep the passwords you share across your business safe. Because the vault now holds everything, protect it with a long master passphrase and two-factor authentication.
Our tool of choice is LastPass, which keeps your passwords and confidential information safe while still letting you share them.
If you’d like to find out more about this service or how we can run it for your business, please get in touch.