I just heard about a security breach that has exposed something like a couple of million accounts across several servers.
I have accounts on those services. How concerned should I be? Have I been hacked? What do I need to do next?
That's a composite of several questions that I've received relating to a recent theft of something like two million user accounts and passwords.
I'll address this specific incident, but I also want to discuss some things to consider with any large scale account theft.
Has my account been compromised?
With the current situation, accounts used to access several different services are involved. Reports are that some (although not all) of those services are informing account holders that their accounts were compromised. Some have even reset account passwords, forcing users to change their passwords on next login, or go through account recovery steps to prove that they are the rightful account holders.
Services that do this are doing exactly the right thing, in my opinion. It's a hassle for the account holders involved, but it's significantly less of a hassle than having your account stolen away from you.
If you use one of those services, you'll already know because they would have reached out to you.
Unfortunately, not all services are taking this approach. To be fair, not all services may even be able to determine exactly who has and has not been affected.
The magnitude of this breach
Two million seems like a very large number.
It's not. Not really.
Especially when you consider that it's across multiple providers. Google accounts that were compromised account for only 70,000, or perhaps less than one one-hundredth of a percent of what could be upwards of 800 million Google and Google-related accounts [1]. (Facebook apparently had the honors for most accounts affected in this breach: 318,000.)
So the chances of it being your account are actually pretty small.
Or is it? As it turns out, that depends on you.
How the breach happened
This particular incident was the result of a large distributed network of keyloggers.
In other words, machines were infected with malware that logged the keystrokes of whoever used the machine. If that machine was used to log in to Gmail, Yahoo!, Facebook, or any other "interesting" online account, the malware would capture the login credentials (including the password typed in) and send them on to the central server controlling the botnet.
If your machine was infected, then yes, your accounts could have been part of the breach.
If you used an infected machine (such as that of a friend or a public computer that was infected), then yes, your accounts could have been part of the breach.
What you should do
If there's any question in your mind at all, change your password.
In fact, whenever there's a question about whether or not your account has been hacked, the safest thing to do is simply assume that it has been and act accordingly. Email Hacked? 7 Things You Need to Do NOW has a great action plan.
However, I also don't see this particular scenario as a call to panic.
If you've been behaving safely on the internet, keeping your machine secure and up-to-date, and you haven't logged in to your accounts from insecure locations or on machines that you don't have complete control over, then I have a hard time saying you need to do anything. It's just not likely that you've been affected.
At least not this time.
Next time? Well, about that...
Consider additional security
I use something called two-factor or multi-factor authentication for my Google and other accounts that support it.
When I log in to Google from an untrusted machine (or after having cleared cookies on my home machine), I need to enter a code that is displayed on an app on my smartphone. It's not enough to know the password. I have to prove that I have that smartphone - the "second factor" - in my possession before I can sign in.
Even if there were a keylogger installed on the machine, the information captured would be useless. The code changes randomly every 30 seconds in such a way that the next code can never be predicted. The hackers might have my login ID and password, but they still can't log in. Not without also having my phone in their possession (and even that is locked with yet another security code by default).
Two-factor authentication can be slightly cumbersome to set up, but it's actually very easy to use. I strongly recommend that you at least consider it as an additional security measure for those services that offer it.
Video commentary
I also recently recorded this video commentary on the topic:
I don't use any kind of mobile device and "nobody" ever uses my desktop computer tower. And I never use any other computer. So according to this article I'm safe. Right?
As Leo points out, in order to be safe, you also have to follow prudent surfing practices as laid out in the above link Internet Safety: How do I keep my computer safe on the internet?
Thanks Mark, I also have WOT as a safety feature. Any time I click on a link that's not safe, WOT warns me. It's a good feature to have.
Doesn’t a good password manager like LastPass prevent keyloggers getting your details? When I do have to occasionally type … I use osk.exe which is a small onscreen typewriter that you use the mouse instead of keys.
Mike – if you have keylogger that means your computer has been hacked. So instead of worrying about what keyloggers can and cannot do – it’s better to just keep your computer safe and malware free.
No. A sufficiently sophisticated keylogger could log a password manager’s action of entering the password for you. On screen keyboards are also no guarantee, since a keylogger could also be logging screen shots and mouse clicks. The bottom line: don’t let keyloggers on to your system. Like ANY malware, once they are in place, all bets are off.
Account security is 95% intelligence and 5% technology. A good set of security tools is mandatory anymore for a secure system, from a virus/trojan horse protector to just not letting people that you don't trust use your system. One thing I would add to your list is that many people get their passwords taken not from their system, but from their friends' system. They log onto their buddies' computer to "check their game mail" and then poof, the keylogger catches their password and their account is busted wide open. Undermine journal is a pretty good tool for knowing who is posting what, where it's a feature to search the most popular posting on a server, it's also dangerous information for those that want to see who to target.
An Adobe password (I'm guessing) of mine was compromised for an email address I no longer maintain. I didn't receive notification. Of course, when I try to recover the account with "Forgot password," they send the email to do that to an account I no longer have, but one that I'm told may have been re-issued to somebody else. It positively irritates me that some of these websites have no contact information that allows you to close an account in a case like this. It's "identity theft waiting to happen." I have a number of accounts with old email addresses and long since passé websites that I'd like to close, but simply can't do that.