Note: If you have a Hotmail, Gmail, Yahoo or AOL account, it’s advisable to change your password now!
Last week, about 10,000 Hotmail user accounts and passwords were posted on a developer’s forum. The accounts listed were the ones starting with the letters A and B hinting that this is just a snippet from a bigger list of accounts that have been compromised.
To further freak out webmail users, another list containing a cocktail of about 30,000 Gmail, Yahoo, and AOL users' accounts was leaked later in the week.
So how did they do it?
Apparently, people are still not able to tell the difference between an authentic website and a phishing website. Most of the compromised accounts on the list were obtained using fake websites that ask for your login and password to "authenticate" your account. While campaigns educating users on how to better protect themselves from phishing scams have been running nonstop for the past 5 years, users can't be blamed for falling for such scams.
One reason that phishing websites have been more successful in luring in victims lately is that nowadays there are so many legitimate websites that ask for the same things a phishing website would. Allow me to expand on this point: in the past, only phishing websites would blatantly ask you to input your email account and password within their own website. Nowadays, with single login features available on every website from Facebook to blogs, it has become a lot harder to figure out which websites are legitimate. Hell, the website could be absolutely legitimate but compromised and copying your login information.
So the lines have been blurred to such an extent that the previous notion of keeping your account information private is rationally impossible to adhere to.
So what can we learn from this attack?
First and foremost, people suck at selecting passwords! Bogdan Calin got his hands on the 10,000 user list and analyzed it. He found out that the most popular password is *drum roll* "123456". Also in the top 10 were "1234567", "123456789" and "111111". Furthermore, up to 42% of the passwords consisted of only lowercase letters from a-z, with only 6% combining letters and numbers in their passwords. Several others used their names or dates of birth as their passwords. The shortest password was one character long: "(".
Now honestly, in this day and age, where any piece of information is readily available on social networks, is it the brightest idea to use a first name as a password? And they wonder how Sarah Palin's account got hacked!
Tips to protect your webmail accounts:
Tip 1: Use a stronger password!
It is understandable that a strong password is harder to memorize and might be forgotten if the account is not used regularly. That is fine, just come up with a strong password and write it on a piece of paper and place it in your wallet.
That is the best method to protect your password from being compromised electronically. The best password is more than 6 characters long and combines alphanumeric characters with special characters such as "$", "%", "#", etc.
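As an added example (not part of the original post), here is a small Python script that computes the kind of statistics Bogdan Calin drew from the leaked list and, for each entry, also applies the Tip 1 rule above (longer than 6 characters, letters plus digits plus a special character). The password list is constructed for this example, not taken from the real leak.

```python
import re
from collections import Counter

# Constructed sample of leaked passwords (made up for this example, not the real list)
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "1234567", "123456789", "111111",
    "sarah", "(", "monkey", "password1", "qwerty", "abc123", "1984",
    "Tr0ub4dor&3", "letmein", "john1985", "iloveyou", "Corr3ct!Horse",
]

LOWER_ONLY = re.compile(r"^[a-z]+$")


def is_strong(pw):
    """Tip 1 rule as stated in the post: longer than 6 characters and
    mixing letters, digits and at least one special character."""
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    return len(pw) > 6 and has_letter and has_digit and has_special


def analyze(passwords):
    """Compute the statistics the post quotes for the leaked list:
    most common entries, share of lowercase-only passwords, share that
    mix letters and digits, share meeting Tip 1, and the shortest entry."""
    n = len(passwords)
    counts = Counter(passwords)
    lower_only = sum(1 for p in passwords if LOWER_ONLY.match(p))
    mixed = sum(1 for p in passwords
                if any(c.isalpha() for c in p) and any(c.isdigit() for c in p))
    strong = sum(1 for p in passwords if is_strong(p))
    return {
        "total": n,
        "top": counts.most_common(3),
        "pct_lowercase_only": round(100 * lower_only / n, 1),
        "pct_letters_and_digits": round(100 * mixed / n, 1),
        "pct_strong": round(100 * strong / n, 1),
        "shortest": min(passwords, key=len),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

Running the same analysis over a real leak is how figures like "42% lowercase only" are produced; the percentages here are those of the constructed sample.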
Tip 2: Don’t answer the security question truthfully.
Probably the answer to "What is your favorite book?" is available on your blog, which you linked to from your Facebook profile. Given how hard it is to remember what has been said online and whether the answer to a security question has been compromised, the best method is just to select an answer that does not relate to the question directly. If they ask about your favorite book, answer with the name of the family member you hate the most; that's bound to be amusing, easy to remember, and hard to guess as "your favorite book".
Tip 3: Don’t use the same password for every account!
Again, it's way too common for people to use the same password for their webmail and online banking accounts. So while your online banking website has higher security precautions than your webmail account, it will be just as easy to penetrate once your webmail account has been compromised.
Tip 4: Raise the security level.
Gmail is currently the only webmail service that allows you to encrypt not just your log-in information but your messages as well. The encryption of the messages will make it harder for hackers to capture your information when connecting through a public hotspot. This security feature is off by default on your Gmail account. To enable it click “settings” on the top right of your Gmail account, go to the General tab, and under “Browser connection” select “Always use https”.
Tip 5: Reset your password regularly.
While it might have been a bother to come up with a good password in the first place, it is not advisable to use it forever. It is recommended to change the passwords of your accounts at least once every 72 days.
If you are interested in learning more about how to better protect yourself from phishing attacks and password hackers, please subscribe to our RSS Feed and stay tuned for my next post.
Do you think your account was hacked? Did it change any of your security habits? Surf safely…
This post is sponsored by: “Protect your online communications with the best email security software.” ~ Websense Email Security