Do I Need to Worry About the Latest Security Breach?
With the current situation, accounts used to access several different services are involved. Reports are that some (although not all) of those services are informing account holders that their accounts were compromised. Some have even reset account passwords, forcing users to change their passwords on next login, or go through account recovery steps to prove that they are the rightful account holders.
Services that do this are doing exactly the right thing, in my opinion. It’s a hassle for the account holders involved, but it’s significantly less of a hassle than having your account stolen away from you.
If you use one of those services, you’ll already know because they would have reached out to you.
Unfortunately, not all services are taking this approach. To be fair, not all services may even be able to determine exactly who has and has not been affected.
The magnitude of this breach
Two million seems like a very large number.
It’s not. Not really.
Especially when you consider that it’s across multiple providers. Google accounts that were compromised account for only 70,000, or perhaps less than one one-hundredth of a percent of what could be upwards of 800 million Google and Google-related accounts [1]. (Facebook apparently had the honors for most accounts affected in this breach: 318,000.)
So the chances of it being your account are actually pretty small.
Or are they? As it turns out, that depends on you.
Bypassing keyloggers
Whenever I talk about keyloggers, I get a number of comments asking about software that supposedly scrambles keystrokes, or about using an on-screen keyboard, the clipboard, or any number of alternative methods that supposedly render keyloggers unable to capture keystrokes.
I call bull.
Yes, simple keyloggers that log only keystrokes and do it in the simplest of ways can be thwarted by those techniques.
But malware is becoming more sophisticated all the time. Malicious logging code can be inserted just about anywhere and do just about anything. That means it can insert itself before or after the scramblers. It can capture screenshots of what you “typed” on your on-screen keyboard and it can easily capture the contents of the clipboard when you paste.
There is no reliable way to prevent a sufficiently sophisticated keylogger from logging keystrokes once it’s installed on your machine.
None.
How the breach happened
This particular incident was the result of a large distributed network of keyloggers.
In other words, machines were infected with malware that logged the keystrokes of whoever used the machine. If that machine was used to log in to Gmail, Yahoo!, Facebook, or any other “interesting” online account, the malware would capture the login credentials (including the password typed in) and send them on to the central server controlling the botnet.
If your machine was infected, then yes, your accounts could have been part of the breach.
If you used an infected machine (such as that of a friend or a public computer that was infected), then yes, your accounts could have been part of the breach.
What you should do
If there’s any question in your mind at all, change your password.
In fact, whenever there’s a question about whether or not your account has been hacked, the safest thing to do is simply assume that it has been and act accordingly. Email Hacked? 7 Things You Need to Do NOW has a great action plan.
However, I also don’t see this particular scenario as a call to panic.
If you’ve been behaving safely on the internet, you’ve been keeping your machine secure and up-to-date, and you haven’t logged in to your accounts from unsecure locations or on machines that you don’t have complete control over, then I have a hard time saying you need to do anything. It’s just not likely that you’ve been affected.
At least not this time.
Next time? Well, about that…
Consider additional security
I use something called two-factor or multi-factor authentication for my Google and other accounts that support it.
When I log in to Google from an untrusted machine (or after having cleared cookies on my home machine), I need to enter a code that is displayed on an app on my smartphone. It’s not enough to know the password. I have to prove that I have that smartphone – the “second factor” – in my possession before I can sign in.
Even if there were a keylogger installed on the machine, the information captured would be useless. The code changes randomly every 30 seconds in such a way that the next code can never be predicted. The hackers might have my login ID and password, but they still can’t log in. Not without also having my phone in their possession (and even that is locked with yet another security code by default).
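To make the 30-second codes concrete, here is an added example (not code from this article or from any particular app) that assumes the smartphone app uses the standard TOTP algorithm from RFC 6238. The secret, the timestamps and the helper names `server_accepts` and `replay_demo` are constructed for illustration; the example shows why a code recorded by a keylogger stops working shortly after it is typed.

```python
import hashlib
import hmac
import struct

# Constructed sample secret (the RFC 6238 test key). A real secret is provisioned
# once when two-factor is set up and is never typed on the keyboard afterwards.
SECRET = b"12345678901234567890"
STEP = 30  # seconds each code stays valid


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the 30-second step counter."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(code: str, secret: bytes, now: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current step, plus or minus small clock drift."""
    return any(
        hmac.compare_digest(code, totp(secret, now + d * STEP))
        for d in range(-drift_steps, drift_steps + 1)
    )


def replay_demo(login_time: int = 1111111109) -> dict:
    """A keylogger records the code typed at login_time; check it again later."""
    captured = totp(SECRET, login_time)
    return {
        "captured": captured,
        "accepted_at_login": server_accepts(captured, SECRET, login_time),
        "accepted_2_min_later": server_accepts(captured, SECRET, login_time + 120),
        "next_code": totp(SECRET, login_time + STEP),
    }


if __name__ == "__main__":
    for key, value in replay_demo().items():
        print(f"{key}: {value}")
```

The next code depends on the secret, which never passes through the keyboard, so the logged keystrokes do not reveal it. A captured code does remain valid until its window closes, which is why a verifying server should also refuse a code it has already accepted once.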
Two-factor authentication can be slightly cumbersome to set up, but it’s actually very easy to use. I strongly recommend that you at least consider it as an additional security measure for those services that offer it.
Video commentary
I also recently recorded this video commentary on the topic:
1: Google doesn’t publish a number; the number is always changing. Some light research (using Google) showed speculative numbers anywhere from 400 to 800 million. My guess? It’s probably a billion.
8 comments on “Do I Need to Worry About the Latest Security Breach?”
i don’t use any kind of mobile device and “nobody” ever uses my desktop computer tower. and i never use any other computer. so according to this article i’m safe. right?
As Leo points out, in order to be safe, you also have to follow prudent surfing practices as laid out in the above link Internet Safety: How do I keep my computer safe on the internet?
thanks Mark, i also have WOT as a safety feature. any time i click on a link that’s not safe WOT warns me. it’s a good feature to have.
Doesn’t a good password manager like LastPass prevent keyloggers getting your details? When I do have to occasionally type … I use osk.exe which is a small onscreen typewriter that you use the mouse instead of keys.
Mike – if you have a keylogger that means your computer has been hacked. So instead of worrying about what keyloggers can and cannot do – it’s better to just keep your computer safe and malware free.
No. A sufficiently sophisticated keylogger could log a password manager’s action of entering the password for you. On screen keyboards are also no guarantee, since a keylogger could also be logging screen shots and mouse clicks. The bottom line: don’t let keyloggers on to your system. Like ANY malware, once they are in place, all bets are off.
Account security is 95% intelligence and 5% technology. A good set of security tools is mandatory anymore for a secure system. From a virus/trojan horse protector. To just not letting people that you don’t trust use your system. One thing I would add to your list, is that many people get their passwords taken not from their system, but from their friend’s system. They log onto their buddy’s computer to “check their game mail” and then poof, the keylogger catches their password and their account is busted wide open. Undermine journal is a pretty good tool for knowing who is posting what, where it’s a feature to search the most popular posting on a server, it’s also dangerous information for those that want to see who to target.
An Adobe password (I’m guessing) of mine was compromised for an email address I no longer maintain. I didn’t receive notification. Of course, when I try to recover the account with “Forgot password,” they send the email to do that to an account I no longer have, but one that I’m told may have been re-issued to somebody else. It positively irritates me that some of these websites have no contact information that allows you to close an account in a case like this. It’s “identity theft waiting to happen.” I have a number of accounts with old email addresses and long since passe websites that I’d like to close, but simply can’t do that.