I have long made it a policy not to pay attention to news about data breaches. I’m starting to think that was a bad idea.
Well, it’s understandable. In the past five years, high-profile hacks and data breaches have gotten a lot more common. But lately the frequency has really ramped up. Data from old breaches has been resurfacing, new breaches have been occurring, and particularly there have been a number of political hacks related to the U.S. presidential race. At a certain point you probably just started tuning it out, but the general apprehension remains.
Can you catch me up on all the stuff I’ve been avoiding?
Yeah, let’s do it. In May, data from old breaches of LinkedIn, Tumblr, Myspace, and the dating service Fling resurfaced and wreaked havoc for users who hadn’t changed their passwords, or who had reused those old username/password combinations on other sites. Fling’s original breach was in 2011, LinkedIn’s occurred in 2012, and Tumblr’s happened in 2013. It’s not clear when the Myspace breach took place, but it was almost definitely before 2012. All that data came pouring back out and was being sold by the same hacker, known as Peace or peace_of_mind. Ars Technica estimated that these four data troves together comprised 642 million passwords.
There was a lot of prominent fallout from these four data dumps. A credit monitoring firm wrongly reported that Dropbox had been hacked. And 32 million Twitter logins leaked online. Twitter firmly denied that it had been hacked, and the data may have come from credential reuse or possibly from data-collecting browser malware. Additionally, hackers infiltrated some celebrity social media accounts—like Mark Zuckerberg’s Instagram, LinkedIn, Pinterest and Twitter—using credentials from the breaches. Keith Richards, Kylie Jenner, and Tenacious D were also hacked, among others.
Geez, that’s a lot.
Actually, I wasn’t done.
While all of that was going on, the political breaches were also gearing up. Throughout March and April the hacking collective Anonymous talked a big talk about attacking Donald Trump. It leaked some of his voicemails and eventually revealed his supposed social security number and cellphone number.
Last week the Democratic National Committee announced that its networks had been breached by two hacking groups. One lurked on the network for about a year to surveil communication like email, and the other infiltrated in the last few months and took the DNC’s file on Donald Trump. The DNC said it suspected that Russian hackers were behind the attacks.
Finally, on Tuesday, Bloomberg reported that the Bill, Hillary, and Chelsea Clinton Foundation was breached as part of the same Russian hackers’ “dragnet of the U.S. political apparatus.” The Clinton Foundation said it didn’t know about the hack and wouldn’t comment, but Bloomberg claims that government investigators identified the intrusion in the last week or so.
So, are things permanently worse than they were before?
Well, who can say, but probably! One concerning aspect of the LinkedIn/Tumblr/Myspace/Fling situation was that it really highlighted how much we don’t know about what gets stolen during breaches. In 2012, hackers only (only!) released about 6.5 million LinkedIn passwords, and the company didn’t indicate that more had been stolen. Four years later more than 100 million other credentials popped up from the same breach. Not ideal. The series of breaches was also a reminder that even old data can be valuable. As security researcher Troy Hunt wrote in a blog post about the series of data dumps, “If this indeed is a trend, where does it end? What more is in store that we haven’t already seen?”
Since people are so inconsistent about using strong passwords, changing their passwords frequently, and using two-factor authentication when available, old data is still sought after on the black market. Even if someone has updated a lot of their passwords, hackers can still find valuable information like a credit card number in old accounts the person forgot about. Outdated credentials can also be used for phishing scams. For example, a hacker can try to make her con seem more legitimate by referring to old but accurate information about her targets.
Meanwhile, the political hacks say something about what it means to be controversial and/or part of power structures in the United States today. If politicians, celebrities, and other public figures weren’t worried about being hacked before, they should definitely be worried about it and changing their passwords now. Some have even added cybersecurity consultants to their entourages.
Is there any good news in all of this?
Actually, there is one thing! The cybersecurity firm FireEye published research Monday indicating that since 2014 China has been reducing its cyberattacks against the United States. This may be partly because so many of its initiatives have been exposed, and partly because the U.S. prepared possible trade sanctions against China in the weeks before Chinese President Xi Jinping visited the United States.
Of course, there is also bad news in the report. It concludes, “The landscape we confront today is far more complex and diverse, less dominated by Chinese activity, and increasingly populated by a range of other criminal and state actors.” Great. Also, maybe China is just taking a few years off now that it has a Facebook-like database of Americans.
I think I will probably go back to repressing all of this, because it’s too creepy. But first, is there anything I should be doing to protect myself?
Yes, good question. The common thread in the recent hacks that have affected consumers is definitely reused credentials and credentials that remain unchanged for years. If you’re going to keep your passwords forever, at least have a different one for every site. But ideally you would use strong, unique passwords that you also change periodically. Maybe you’ve heard this so often that you tune it out, too, but using a password manager is the easiest way to accomplish all of this. Setting it up definitely requires an up-front investment of time, but once you have it going it’s a very solid solution that doesn’t really take any more work than forgetting your passwords all the time and having to reset them. Enabling two-factor authentication whenever possible is the other easy step you can take to secure your accounts. Taking these steps won’t make you impervious to cybercrime, but it will help a lot.
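The two habits this answer warns about, reusing one password across sites and keeping a password that already appeared in an old dump, are exactly what a password manager’s “audit” feature checks for. The Python below is an added example, not code from the original article or from any real password manager: it indexes a small constructed list of leaked password hashes by their first five SHA-1 hex characters (the prefix-only lookup style that breached-password services use so the full hash never has to be sent anywhere), then audits a constructed vault for both problems. The site names and passwords are made up for illustration.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed breach corpus: a few made-up passwords standing in for the
# hundreds of millions in the dumps discussed above. Not real breach data.
_SAMPLE_LEAKED = ["password1", "linkedin2012", "letmein", "qwerty123"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of a password, the form breached-password lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(digests: Iterable[str]) -> Dict[str, Set[str]]:
    """Index digests by their first 5 hex characters.

    A client that only ever asks "which leaked hashes start with ABCDE?" never
    reveals the full hash of the password it is checking (k-anonymity style).
    """
    index: Dict[str, Set[str]] = defaultdict(set)
    for d in digests:
        index[d[:5]].add(d[5:])
    return dict(index)


LEAKED_INDEX = build_range_index(sha1_hex(p) for p in _SAMPLE_LEAKED)


def is_breached(password: str, index: Dict[str, Set[str]] = LEAKED_INDEX) -> bool:
    """True if the password's hash appears in the indexed breach corpus."""
    d = sha1_hex(password)
    return d[5:] in index.get(d[:5], set())


def audit_vault(vault: List[Tuple[str, str, str]],
                index: Dict[str, Set[str]] = LEAKED_INDEX) -> Dict[str, List[str]]:
    """Audit (site, username, password) entries as a password manager would.

    Returns findings keyed by site: a password seen in the breach corpus, and
    a password reused on more than one site (listing the other sites).
    """
    findings: Dict[str, List[str]] = defaultdict(list)
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, _user, pw in vault:
        sites_by_password[pw].append(site)
        if is_breached(pw, index):
            findings[site].append("password appears in breach corpus")
    for pw, sites in sites_by_password.items():
        if len(sites) > 1:
            for s in sites:
                others = sorted(set(sites) - {s})
                findings[s].append("password reused on: " + ", ".join(others))
    return dict(findings)


# Constructed vault: one old, leaked password reused on two sites, plus one
# unique password that is not in the corpus.
SAMPLE_VAULT = [
    ("linkedin.example", "alice", "linkedin2012"),
    ("tumblr.example", "alice", "linkedin2012"),
    ("bank.example", "alice", "correct horse battery staple"),
]

if __name__ == "__main__":
    for site, problems in audit_vault(SAMPLE_VAULT).items():
        print(site)
        for p in problems:
            print("  -", p)
```

Run as a script it prints findings for the two sites sharing the leaked password and nothing for the bank account. Rotating the flagged passwords to unique ones (and turning on two-factor authentication where the site offers it) is what clears the audit.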