
Getting Compromised

An excellent article at TechCrunch breaks down the chronology of the recent security breach at Twitter. The article details how a hacker who goes by the name “Hacker Croll” managed to break into one Twitter employee’s account and, from there, compromise the security of the entire company. How did he do it? You can read the article for the details, but in general he took advantage of the lazy habits of one employee, habits that are common to most of the online population. The major sin in this particular case was simply that the employee used the same password for all of his accounts, both personal and professional. Once the hacker had compromised the employee’s personal email account, he could branch out and compromise every other account that shared that password, or that could be reset through that mailbox.

Fortunately for Twitter, this particular hacker was not interested in exploiting his newfound information goldmine. He simply informed Twitter that they’d been hacked and that they should be more careful.

And fortunately for the rest of us, the hacker showed us exactly what to guard against. I’ve summarized steps you can take to help keep your own accounts from being compromised in the same manner.
  1. Use a different password for every account you have. This may seem impractical in today’s world where we sign up for lots and lots of services, and remembering all those passwords can be cumbersome. So I suggest writing them down in two places, kept apart from each other and away from the computer you log in from (a password manager does the same job without the paper). If one list is stolen, you still have the other to fall back on; in the case of theft, change all your passwords immediately, starting with the email account that the other accounts send their password resets to.
  2. Look behind you. If you use Gmail or most any other online email service, there’s usually a link you can click to see a log of recent sessions, with the time and the IP address of each login. (On Gmail it’s the “Last account activity” link at the bottom of the page.) You can immediately determine whether someone else has logged into your account and thus has access to everything in your mailbox.
  3. Use good passwords. By this I mean a long string that mixes lower case letters, upper case letters and numbers, with some punctuation thrown in for good measure: A8u-mP0e5, for example. Don’t use a dictionary word, and don’t use a keyboard pattern like qwertgfdsa, where you just hit adjacent keys; password-cracking tools try those patterns first.
  4. Change your passwords every few months, and always change one immediately if you suspect it has leaked. A good reminder is to link changing your passwords to resetting your clock when you switch between standard time and daylight saving time.
  5. Eliminate accounts you are no longer using. If you have an old Hotmail account that you no longer use, terminate it. But before doing so, go through the old emails on that account to make sure that none of your services are still using it to communicate with you. For example, if your bank website is sending email to the Hotmail account you want to shut down, contact your bank and redirect them to a different email address. An abandoned address that is still registered as a recovery address for another account is a back door into that account.
  6. Be on the lookout if a password no longer works. If a password suddenly stops working on one of your accounts, someone may have hijacked the account and changed it.
  7. Be careful when requesting a lost password. Let’s face it, sometimes you’ll lose a password and need to have it reset. Be aware that the password resetting process is a vulnerable time: whoever controls the mailbox that receives the reset link controls the account. As soon as you get a new password, log into the account and change it again. Then delete any emails related to the reset.
  8. Secret questions are hardly secret. Some online services will authenticate you when you’ve lost your password by asking a secret question, such as your mother’s maiden name. Any attacker who is serious about breaking into your account can look up your mother’s maiden name. If the service insists on a secret question, see whether you can write your own question, and if so make it one whose answer is not at all obvious (a second random password works, as long as you record it alongside the first). Otherwise, see whether you can eliminate the secret question altogether.
  9. Be wary of any service that sends you a password in an email. Delete that email if it was sent to you on a web-based email service like Gmail or Hotmail, and change the password it contains as soon as you have logged in.
  10. Keep private information private. Putting corporate information in your personal email messages only invites a hacker who gets into that mailbox to branch into your corporate accounts.
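Tips 1 and 3 are the ones you can actually check mechanically. The script below is an added example (not code from the original post or from Twitter) that audits a list of accounts for password reuse and for the composition rules above, including a detector for keyboard walks such as qwertgfdsa. It models a US QWERTY layout, with each row shifted half a key to the right of the one above it, and calls a password a keyboard pattern when most consecutive characters sit on neighbouring keys. The account names and passwords at the bottom are constructed sample data.

```python
"""Audit a set of account passwords for reuse across accounts (tip 1) and for
weak composition or keyboard walks (tip 3). Added example, not from the
original post; the account list at the bottom is constructed sample data."""

import string

# US QWERTY rows; each row sits roughly half a key to the right of the row
# above it, which is what ROW_OFFSETS models when testing adjacency.
KEY_ROWS = ("1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./")
ROW_OFFSETS = (0.0, 0.5, 1.0, 1.5)


def _positions():
    """Map each key to (row index, horizontal position in key widths)."""
    pos = {}
    for r, (row, off) in enumerate(zip(KEY_ROWS, ROW_OFFSETS)):
        for c, ch in enumerate(row):
            pos[ch] = (r, c + off)
    return pos


KEY_POS = _positions()


def keys_adjacent(a, b):
    """True if two different keys touch on the keyboard: same row and next to
    each other, or neighbouring rows with overlapping horizontal positions."""
    a, b = a.lower(), b.lower()
    if a not in KEY_POS or b not in KEY_POS or a == b:
        return False
    (ra, xa), (rb, xb) = KEY_POS[a], KEY_POS[b]
    return abs(ra - rb) <= 1 and abs(xa - xb) <= 1.0


def keyboard_walk_score(password):
    """Fraction of consecutive character pairs that are adjacent keys.
    qwertgfdsa scores 1.0; an unrelated mix of characters scores near 0."""
    pairs = list(zip(password, password[1:]))
    if not pairs:
        return 0.0
    return sum(keys_adjacent(a, b) for a, b in pairs) / len(pairs)


def password_problems(password, min_length=8, min_classes=3, walk_threshold=0.6):
    """Return a list of readable problems; an empty list means the password
    meets the length, character-class and no-keyboard-pattern rules."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(any(ch in cls for ch in password) for cls in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < min_classes:
        problems.append(f"uses only {classes} character class(es), want {min_classes}")
    score = keyboard_walk_score(password)
    if score >= walk_threshold:
        problems.append(f"looks like a keyboard pattern ({score:.0%} adjacent keys)")
    return problems


def find_reuse(accounts):
    """Map each password shared by more than one account to those accounts.
    accounts: {account_name: password}."""
    by_password = {}
    for name, pw in accounts.items():
        by_password.setdefault(pw, []).append(name)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def audit(accounts):
    """Combine both checks into one report: {account_name: [problem, ...]}."""
    report = {name: password_problems(pw) for name, pw in accounts.items()}
    for names in find_reuse(accounts).values():
        for name in names:
            others = ", ".join(n for n in names if n != name)
            report[name].append(f"same password as {others}")
    return report


# Constructed sample data for the demo; names and passwords are made up.
SAMPLE_ACCOUNTS = {
    "personal-mail": "qwertgfdsa",
    "work-mail": "qwertgfdsa",
    "bank": "A8u-mP0e5",
    "old-webmail": "summer",
}

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_ACCOUNTS).items():
        print(name, "->", "; ".join(problems) or "ok")
```

Run it as a script to see the report: the two mail accounts are flagged for sharing a lowercase keyboard walk, the old webmail account for being short and single-class, and the bank password passes. The adjacency model is deliberately simple (no shifted symbols, no diagonal-only walks across more than one row), so treat the score as a first filter, not proof that a password is strong.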

If you can think of other safeguards, please leave your comments!

Best,

Dan
