Counting on the 30% to 40% of Internet users who use the same password on multiple websites and other unsuspecting victims, hackers breached 2 million accounts on Facebook, Twitter, Google (which includes Gmail, Google+ and Youtube), Yahoo, LinkedIn, payroll processor ADP and other sites. And it wasn’t user photos they were after.
Reports of the Pony botnet controller – a keylogger that infected thousands of computers – have spread like wildfire this week after 2 million accounts were compromised. This means Facebook, Twitter, and the like didn’t leak their users’ account info – the keylogger stole login information from the users themselves, collecting every keystroke typed into their keyboards when they logged in to their accounts.
Simple, Easily Guessed Passwords Used on Multiple Accounts
A widespread problem that has gained attention in the aftermath of this large-scale information “heist” is the unfortunate fact that many people – 30% to 40% of Internet users – use the same password on multiple accounts.
Using the same password on social networks and financial services websites is a dangerous combination. Hemu Nigam, the founder of online security company SSP Blue, spoke to FoxNews.com:
“‘The most important thing is to have a different password for every site that you are registered to,’ former chief security officer for MySpace.com Hemu Nigam told FoxNews.com.
‘In the real world, we have a different key for your house, bank, gym locker and car so that if a thief breaks into one of those, they can’t break into everything. The same should be true for the online world.'”
Many of the stolen passwords were so simple that they made the information breach even easier. NBC News reports:
“Whether or not the passwords are current or out-dated is unknown, but the attack appears to be “fairly global,” SpiderLabs reports. “At least some of the victims are scattered all over the world.” What’s more, many of the passwords were fairly simple, with that old chestnut “123456” topping the list as the password for 15,820 accounts. (“12346789” came in at number two with 4,875 instances.) This could mean extra bad things for the 30 to 40 percent of Internet users who use the same password on multiple accounts — say Facebook … and their bank account.”
Many of the breached services – including Facebook, Twitter, Google, Yahoo and LinkedIn – have initiated or are working on an automatic password reset for the affected accounts. But even if you haven’t been notified that your account was compromised, it’s never a bad day to change your password. However, if your computer is infected, no password change is going to protect you until you eliminate the keylogger. And most won’t know if they are infected, as this type of malware doesn’t “present” itself to the naked eye.
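To show what the reuse figure and the “123456” ranking above actually measure, here is an added example (not from this article, NBC, SpiderLabs or Raxco) that tallies a constructed credential dump and reports which users have other accounts exposed by a reused password. The records, usernames and site names are made up.

```python
from collections import Counter, defaultdict

# Constructed sample in the shape of a keylogger dump: (site, username, password).
# Not real data; chosen so that 2 of 5 users reuse a password across sites.
SAMPLE_RECORDS = [
    ("facebook.com", "alice", "123456"),
    ("twitter.com", "alice", "123456"),
    ("examplebank.com", "alice", "123456"),
    ("facebook.com", "bob", "Tr0ub4dor&3"),
    ("linkedin.com", "bob", "correct horse"),
    ("facebook.com", "carol", "123456"),
    ("yahoo.com", "carol", "password"),
    ("twitter.com", "dave", "123456789"),
    ("google.com", "dave", "123456789"),
    ("facebook.com", "erin", "qwerty"),
]


def top_passwords(records, n=3):
    """Rank passwords by the number of accounts using them (the
    '123456 topped the list' statistic)."""
    return Counter(pw for _, _, pw in records).most_common(n)


def _sites_by_password(records):
    """user -> password -> set of sites where that user typed it."""
    by_user = defaultdict(lambda: defaultdict(set))
    for site, user, pw in records:
        by_user[user][pw].add(site)
    return by_user


def reuse_stats(records):
    """Return (reusing_users, total_users, fraction). A user is 'reusing'
    when one password appears on two or more distinct sites."""
    by_user = _sites_by_password(records)
    reusing = sorted(u for u, pws in by_user.items()
                     if any(len(sites) >= 2 for sites in pws.values()))
    total = len(by_user)
    return reusing, total, (len(reusing) / total if total else 0.0)


def cross_site_exposure(records):
    """For each reusing user, every site that shares a reused password:
    the accounts a responder should reset together, not one at a time."""
    exposure = {}
    for user, pws in _sites_by_password(records).items():
        shared = set().union(*(s for s in pws.values() if len(s) >= 2))
        if shared:
            exposure[user] = sorted(shared)
    return exposure
```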
The Long-Term Threat Lurking at Your Fingertips
No one knows how old the stolen passwords were, which also means users don’t know how long their systems have been infected with the information-collecting spyware. The breach could have occurred a long time ago and the hackers could have been waiting months to use the data taken from unsuspecting victims.
Nigam explains: “‘The other thing that everyone needs to worry about is sometimes hackers will obtain compromised accounts and then not do anything with them until 3 to 4 months later. So it’s something to keep our guard up.'”
Most hackers don’t care about your embarrassing photos and comments. Because so many of us use the names and birthdays of friends, family and pets as passwords, social networking sites are a means to an end for these criminals: their goal is to access information that can lead to unlocking users’ and their friends’ bank accounts.
“‘Most of the time when people [hack into accounts], the goal is to do fishing on other account information,’ Nigam said. ‘There is very little interest in looking at your pictures. It’s about looking at your account as a jumping point to get to your friends’ accounts.'”
According to a 2013 report by Javelin Strategy & Research, this type of malware was responsible for $4.9 billion stolen from consumers in 2012.
Antivirus protection is only part of the solution.
“‘Unfortunately, there’s no way to completely protect yourself against breaches that happen in this way,’ senior vice president of Equifax Personal Solutions Scott Mitic said in a press release. ‘Having anti-virus and anti-spyware on your computer can be helpful, but they’re far from 100 percent effective.’”
It’s true. Most antivirus software doesn’t protect against this particular threat. If you’ve ever been hit by malware even though you thought you were covered, you know this threat is very real.
This All Could Have Been Avoided
While we should all monitor our bank accounts and keep complicated, unique passwords for every website we log into, the easiest way to avoid this threat altogether is to use an antilogger that provides multi-level protection, like Raxco Software’s PerfectGuard, so that if one of your security measures fails, you have other layers of protection to fall back on.
While PerfectGuard protects your keyboard from data-stealing keyloggers, it also:
- protects your webcam from being hacked, so that criminals can’t watch you without your knowledge, as one did to Miss Teen USA and as the predator now serving 6 years in prison did to over 200 women;
- blocks screenloggers from viewing your monitor’s screen when you’re logging into websites or viewing confidential information like your tax return, credit information or personal photos;
- blocks clipboard loggers from recording everything you copy and paste (like passwords and credit card information);
- and blocks the little-known threat of SSL loggers – malware designed to steal your login information on seemingly secure sites before your information is encrypted by SSL.
PerfectGuard quietly provides multi-layered preventative protection to patch the vulnerabilities left open by your antivirus software. PerfectGuard is proven to work, and it’ll detect and quarantine any logger malware already on your system when you download a 15-day free trial.
After running PerfectGuard, change your passwords and use these tips to protect your passwords on public & private computers.