Have you been Hacked?!

In the News Today, from THE EPOCH TIMES …

773 Million Emails, 21 Million Passwords Leaked in ‘Largest Breach Ever’—Are You Affected?

A database that contained almost 773 million email accounts and more than 21 million unique passwords was recently leaked to an online hacking forum in a breach called “Collection #1” that has been called the “largest breach ever.”

Troy Hunt, who runs the hack-security website “Have I Been Pwned,” first reported the breach on Jan. 17. The website, a breach-notification service, lets people check whether their emails and passwords have been exposed, and from which websites the data was leaked.

Hunt says the Collection #1 breach is the “single largest breach ever” to be reported by the Have I Been Pwned service. Wired.com reported that this is “the largest breach to become public.”

The breach involved 87 gigabytes of data including almost 2.7 billion rows of email addresses and passwords spanning at least 772,904,991 email accounts and 21,222,975 unique passwords. The data is allegedly a collection of more than 2,000 leaked databases.

“Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows,” Hunt wrote. “It’s made up of many different individual data breaches from literally thousands of different sources.”

The date of the breach was reported as Jan. 7. The data was uploaded to the popular cloud service MEGA, which has since been taken down. The data was also being distributed on a popular public hacking forum.

“They weren’t even for sale; they were just available for anyone to take,” Wired.com noted.

Among the leaked data were passwords that have been “dehashed,” meaning that the hashing that scrambles a stored password had been defeated and the original password recovered, leaving it in plain text and easily usable by a hacker.

“What I can say is that my own personal data is in there and it’s accurate; right email address and a password I used many years ago,” Hunt wrote. “In short, if you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.”

Hunt said that about 140 million emails and 10 million passwords in the Collection #1 breach are new to the website’s database, which means they had not been compromised in previous data breaches.

Have You Been Compromised?

Because the emails and passwords in Collection #1 had been made public, Hunt was able to upload them to the Have I Been Pwned database. That means you can find out if your emails or passwords have been affected.

To do so, head over to the Have I Been Pwned website. Enter your email address to see whether your email has been affected in the Collection #1 breach, as well as previous breaches. You can also check whether any of your passwords have been exposed by heading to the Passwords tab of the website.
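
A password can be checked against a breach corpus without sending the password itself. The sketch below is an added example, not code from the article or from Have I Been Pwned; it follows the k-anonymity range lookup that the Pwned Passwords service documents, in which only the first five hex characters of the password's SHA-1 hash leave your machine. The function names, the stand-in service and its counts are constructed for illustration, and the network call is replaced by the stand-in so the example runs offline.

```python
import hashlib

def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def breach_count(password, fetch_range):
    """Return how often `password` appears in the breach corpus, 0 if never.

    fetch_range(prefix) returns the service's text response for a 5-character
    hash prefix: one "SUFFIX:COUNT" line per known hash sharing that prefix.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:   # the comparison happens locally
            return int(count)
    return 0

def constructed_service(breached):
    """Offline stand-in for the remote range lookup, built from constructed data.

    Returns (fetch_range, seen); `seen` records everything the "server" was
    sent, so the caller can confirm only 5-character prefixes left the client.
    """
    table = {sha1_upper(p): n for p, n in breached.items()}
    seen = []
    def fetch_range(prefix):
        seen.append(prefix)
        return "\n".join(f"{h[5:]}:{n}" for h, n in table.items()
                         if h.startswith(prefix))
    return fetch_range, seen

if __name__ == "__main__":
    # Constructed corpus: the passwords and counts are sample values.
    fetch, seen = constructed_service({"password123": 2500, "qwerty": 9100})
    print(breach_count("password123", fetch))
    print(breach_count("a-long-unique-passphrase-7f3", fetch))
    print(seen)
```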

How to Protect Yourself

You should change the passwords on any email accounts that have been leaked. Also, if a password you entered had been seen, you should stop using that password and change it on every account where you have been using it.

Hunt said that the latest Collection #1 breach appears to be geared for use in “credential-stuffing attacks,” where hackers try different email and password combinations at a certain website or service via an automated process. This makes people who reuse passwords across different accounts on the internet especially vulnerable.

“Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts,” Hunt wrote. “People take lists like these that contain our email addresses and passwords, then they attempt to see where else they work.”

As such, going forward, you should not use the same passwords across multiple sites.

To protect yourself one big step further, you should use a password manager such as 1Password or LastPass, which helps you store a random and unique password for every new account or website you use.

Jake Moore, a cybersecurity expert at ESET UK, told The Guardian, “[The password managing applications] help you generate a completely random password for all of your different sites and apps.

“And if you’re questioning the security of a password manager, they are incredibly safer to use than reusing the same three passwords for all your sites.”

Wired.com also advises that you should enable app-based two-factor authentication on as many accounts as you can so that a password isn’t your “only line of defense” against hackers.
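
For site owners, the credential-stuffing pattern described above leaves a recognizable trace in login logs: one source failing against many different accounts in a short time. The following is an added example, not code from the article or any product; the log format, addresses, threshold and function name are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the line format is an assumption for this example.
SAMPLE_LOG = """\
2019-01-18T10:00:01 FAIL user=alice@example.com ip=203.0.113.7
2019-01-18T10:00:02 FAIL user=bob@example.com ip=203.0.113.7
2019-01-18T10:00:03 FAIL user=carol@example.com ip=203.0.113.7
2019-01-18T10:00:04 FAIL user=bob@example.com ip=198.51.100.20
2019-01-18T10:00:05 FAIL user=dave@example.com ip=203.0.113.7
2019-01-18T10:00:06 OK user=erin@example.com ip=203.0.113.7
2019-01-18T10:00:09 FAIL user=bob@example.com ip=198.51.100.20
2019-01-18T10:00:10 FAIL user=frank@example.com ip=203.0.113.7
2019-01-18T10:00:15 FAIL user=bob@example.com ip=198.51.100.20
2019-01-18T10:05:00 FAIL user=grace@example.com ip=203.0.113.7
"""

def find_stuffing_sources(log_text, window=timedelta(seconds=60), min_accounts=5):
    """Flag source IPs whose failed logins span many distinct accounts in a short window."""
    recent = defaultdict(deque)    # ip -> (time, user) failures still inside the window
    successes = defaultdict(list)  # ip -> accounts that logged in successfully
    peak = {}                      # ip -> most distinct failed accounts seen in one window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, result, user_field, ip_field = line.split()
        ts = datetime.fromisoformat(stamp)
        user, ip = user_field.split("=", 1)[1], ip_field.split("=", 1)[1]
        if result == "OK":
            successes[ip].append(user)
            continue
        failures = recent[ip]
        failures.append((ts, user))
        while ts - failures[0][0] > window:   # drop failures older than the window
            failures.popleft()
        distinct = len({u for _, u in failures})
        peak[ip] = max(peak.get(ip, 0), distinct)
    # One user mistyping a password fails on one account; stuffing fails on many.
    # A success from a flagged source is an account whose reused password worked.
    return {ip: {"distinct_failed": n, "successful_logins": successes[ip]}
            for ip, n in peak.items() if n >= min_accounts}

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

Accounts listed under `successful_logins` for a flagged source are the ones to force a password reset on first.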

Why is Google forcing SSL certificates?

What is an SSL Certificate?

Have you ever noticed how sometimes websites start with “http://” and then sometimes they start with “https://” and have a green padlock nearby? If you have, you’ve seen the end result of an SSL certificate. But what you haven’t seen is what goes on behind the scenes.

SSL stands for Secure Sockets Layer. Essentially, SSL establishes an encrypted link between your web server and your visitor’s web browser. This ensures that all data passed between the two remains private and secure.

With an unsecured HTTP connection, third parties can snoop on any traffic passing between your reader’s browser and your web server. Obviously, this is a huge issue if you’re passing sensitive information like credit card numbers.

But now, many entities, including Google, are pushing to use secure HTTPS connections for all traffic, even things you might think are plain and simple websites.

Why Do You Need an SSL Certificate?

In the past, the only time an average webmaster needed to care about SSL was eCommerce. But that all changed in late 2014 when Google announced SSL was going to be rolled out as a ranking factor.

That’s right, sites that use SSL certificates get a boost in the SERPs. It might not be a huge boost, but I think you’ll agree that any boost in search rankings is a good one.

But now Google is going even further. Starting back in January 2017, Google began to mark “HTTP pages that collect passwords or credit cards as non-secure.” That means your website page will be marked as non-secure if you’re not using HTTPS.

Today, in 2018, credit card or not, password or not, Google will mark your website as “not secure” if you fail to have an SSL certificate.

So, in addition to offering a benefit to your readers by securing their connection, you also have a Google-provided motivator to use an SSL certificate for your WordPress site.

Some hosting companies offer the SSL certificate for free and others charge a yearly fee. Contact Lois Reed Designs today if you want help securing your website with SSL.