Article by Mary Rose Maguire
Twitter is downplaying a security breach that exposed tens of thousands of user emails and passwords:
The leaked information, comprising 58,978 username and password combinations, appeared Monday on Pastebin. While Twitter said that it’s investigating the breach, it’s also downplayed the supposed size and severity of the data dump.
“We are currently looking into the situation,” said spokeswoman Rachel Bremer via email. “It’s worth noting that, so far, we’ve discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended, and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other).”
Whenever you read about such breaches, it is always a good idea to change your password, especially if you’ve not changed it for some time.
The compromised Twitter accounts could have been the result of phishing attacks. A phishing attack is when an attacker acquires personal information by duping the user into revealing it through manipulating their emotions.
Remember how one of your wiser friends told you it’s never a good idea to make a big decision while you’re overly-emotional? The same stands true for avoiding phishing attacks.
Here are some ways to stay safe:
Do not give out your financial information ever through an email appeal. I hope we all know now that you haven’t won the Nigerian lottery or that some prince or princess is willing to give you part of their inheritance if only you’ll keep their money in your bank account. Emails of this nature prey upon people who would love to “win” money or worse, may lose money in their account unless they give out their account information. Never give out your personal information. Instead, call your bank to verify that they need the information. You could also have some fun with the hackers like I did.
Don’t call any phone number or visit a website that is linked in the email. There’s a good chance it will connect you directly to the attacker. Look at the URL associated with the link. Does it contain words, letters, or numbers that seem odd? It’s likely an attempt to masquerade as an organization’s true website address, so don’t click it. You can see the URL by hovering over it or highlighting it with your mouse. Again, if you think it may be a legitimate request for information, verify it by contacting your financial institution directly.
Never fill out forms in an email that asks for personal information. Most organizations like PayPal notify their customers but do not ask for personal information to be placed into forms. Again, verify, verify, verify.
Regularly check your online banking accounts. Don’t allow months to go by before checking in. By frequently monitoring your account, you’ll be able to immediately see suspicious activity.
- Patch it! When that annoying “Software Updates Available Now” window pops up, don’t ignore it. (I’m talking mainly to myself, now.) Click to install. Patches fix vulnerabilities and many attackers will jump on the opportunity to hit an un-patched machine. If you’re in doubt about whether your browser system is up-to-date, check by clicking your browser’s info link or your system’s and click “Software Update” or “Check for updates.” (In Firefox, it’s in the “Tools” section.)
Finally, you can report phishing attacks to the following organizations:
- The Federal Trade Commission at email@example.com.
- Forward the email to the “abuse” email address to the company that is being spoofed (i.e. “abuse@XYZcompany.com” or “spam@XYZcompany.com”). Make sure to forward the complete email message with the original email header.
- Notify the Internet Fraud Complaint Center of the FBI by filing a complaint on their website: http://www.ic3.gov/default.aspx There is an excellent selection of tips on the FBI site to help you avoid fraud, so make sure to check it out.
The key to avoid becoming a victim is to stay alert, stay suspicious, and stay on top of changing your passwords.
Cross-posted from State of Security