This week it came to light that a 2012 hack of the business social network LinkedIn, originally thought to have compromised around 6 million accounts, actually affected over 106 million users.
The compromised account details, showing users' email addresses and passwords, were being sold online by Russian cybercriminals.
The original 6 million users compromised in the hack had their details posted online back in 2012. LinkedIn disabled these accounts as soon as they learnt of the hack - and urged all users to change their passwords.
This week, a further 100 million user accounts and passwords were posted online - apparently stemming from the same data breach.
If you haven't changed your LinkedIn password since 2012, you would have found yourself unable to access the service without first doing so.
People Still Need to Improve their Password Practices!
Many of the passwords posted online were face-palmingly obvious, like '123456789', 'LinkedIn', and 'password'.
"123456" was the most common occurrence in the password database, appearing over a million times.
"LinkedIn" was second most popular, with over 200,000 occurrences.
It should go without saying that using passwords like this is extremely bad practice!
It doesn't require hacking skills to gain access to your accounts if you choose such simple passwords.
If You're Still Using Four Year Old Passwords, Change them Now!
Hopefully this makes it clear why it's important to change passwords regularly.
Users who had their account details compromised in 2012 but regularly change their passwords are safe. There is no risk to them of having old credentials posted online (unless they're still using these for other services).
As well as using strong passwords, a good policy to follow is to change your passwords every few months. Regularly changing passwords limits how long they remain useful once they're in the wrong hands.
A key lesson from this, however, is not to use the same password across different sites.
If your login details got into the wrong hands, the attacker might try signing into your email account using your LinkedIn password. If it's the same, they can see all of your private and work communications - and use your email account to reset your passwords for other services, including online banking.
How to Stay Safe
You'll be mostly protected if you do this:
- Use strong passwords made up of upper and lower case characters, numbers and symbols
- Change your passwords regularly
- Don't use the same passwords across sites and services
- Use two-factor authentication wherever possible. This requires another form of verification for login, such as a one-time access code, either each time you log in or the first time you log in from a new device.
Microsoft Bans Weak Passwords as a Result of LinkedIn Leak
In the wake of this attack and what it reveals about user passwords, Microsoft has placed restrictions on what users are able to choose as a password.
This goes beyond the usual restrictions like "your password must contain a mixture of numbers, upper and lower case characters and symbols."
Microsoft are actually disallowing the weak passwords that pop up frequently, as in the LinkedIn hack, like '123456' or 'password'.
This is a positive move, as data like this tells attackers exactly which passwords to try first, and Microsoft sees over 10 million accounts attacked each day.
It is now not possible to use words like this as passwords for Microsoft Accounts and Azure AD (Active Directory).
This will ensure businesses using Microsoft solutions are now more secure, as users and administrators will be forced to use more secure passwords.
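To show what a banned-password check of this kind can look like, here is an added example (not Microsoft's own code or algorithm, and the blocklist, leet-speak map and minimum length are assumptions) that rejects the passwords named in this post, including dressed-up variants like 'P@ssw0rd!' and 'Linked1n2016':

```python
# Constructed blocklist built from the passwords this post names; a real
# service would use a far larger list of passwords seen in leaked dumps.
BANNED_TERMS = ("123456", "linkedin", "password", "qwerty")

# Substitutions attackers already try, so they must not turn a banned word
# into an acceptable one ("p@ssw0rd" still counts as "password").
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions so variants collapse together."""
    return password.lower().translate(LEET_MAP)


def is_sequential(s: str) -> bool:
    """True for runs like '123456789' or 'abcdef' (each char one step up)."""
    return len(s) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_password(password: str, min_length: int = 8) -> tuple[bool, str]:
    """Return (accepted, reason); the reason is suitable to show the user."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    lowered = password.lower()
    # Test both the raw lower-cased form and the de-leeted form: the leet map
    # rewrites digits, so "123456" is only found in the raw form.
    variants = {lowered, normalize(lowered)}
    if any(is_sequential(v) for v in variants):
        return False, "is a simple sequence"
    for variant in variants:
        for term in BANNED_TERMS:
            if term in variant:
                return False, f"contains the commonly used password '{term}'"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "123456789", "LinkedIn", "P@ssw0rd!",
                      "Linked1n2016", "correct horse battery staple"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected, ' + reason}")
```

Substring matching is deliberate: a banned term hidden inside a longer password (the '2016' suffix above) is exactly what credential-stuffing wordlists already cover.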
Many IT Security Issues Are Caused by Users
Imagine if your employees are using passwords like 'password' or '123456' for their work accounts.
Doing so puts your business at risk from attackers.
It's not just passwords either. A lot of security breaches could be avoided if users/employees were better educated and more vigilant about following security best practices.
Check out our infographic to see how employees compromise your security.
Want to tighten up security?
Talk to us today for a no-obligation chat about how to tighten security in your business.