It’s getting so that it might be easier to publish a list of companies that haven’t been hacked. Sadly, this week it’s dot-com darling Kickstarter and Wall Street stalwart Forbes.com, both of whom were hacked and user data exposed. Where Forbes almost immediately acknowledged that it had been hacked (unavoidable as the infamous Syrian Electronic Army announced that it was behind the attack), Kickstarter got on the wrong side of some folks for delaying it’s own announcement that it had been breached earlier in the week. Waiting almost 5 days before sending out an email to its users was viewed by many pundits as everything from lacksadaisical to outright criminal. In both cases, user names, email addresses and passwords were stolen, though both companies state that the passwords were encrypted which would make it difficult, but not impossible for hackers to crack weaker passwords in the stolen data.
What this means for you:
If you had accounts on either of these websites using passwords that you use elsewhere, you need to go out and change that password everywhere else it was used – preferably with a unique one for each website. I had accounts on both of these websites, but I’m less worried as both were unique to the websites and will never be used again. Until the technology industry can come up with a better way than passwords to secure our safety, your next best bet is to generate unique passwords everytime one is needed. Utilities like LastPass, Passpack and 1Password are invaluable for this sort of practice and are worth their weight in gold.
It’s also worth noting that in the case of the Forbes hack, their security was compromised by a targeted phishing attack. By responding to fake emails, duped employees revealed passwords that gave the attackers access to the WordPress engine that powers the Forbes.com website. Kickstarter has yet to reveal the nature of their security breach, but I wouldn’t be surprised if a similar phishing attack cracked their security. Phishing emails are becoming increasingly harder to spot as cybercriminals pour more effort and money into crafting effective attacks. The only protection is to be suspicious of everything, and to never click links in emails before independently verifying where they actually lead.