Three Billion Reasons To Be Secure

In 2016, Internet stalwarts Yahoo discovered a data breach from 2013 where the account details of potentially all THREE BILLION customers had been compromised. This was discovered whilst they were investigating the compromise of 500 MILLION accounts from a 2014 breach.

The information stolen included:

  • Logon Name
  • E-Mail address
  • Password
  • Date of Birth
  • Gender

As we approach the festive period and the January Sales, the number of e-mails we all receive is going to increase and it’s important that we are vigilant and careful about which e-mails we interact with.

Most people will look at the Yahoo breaches and ask “So what? No financial data was taken so I’m safe”. This is where complacency kicks in and we become less worried about these breaches. However, more and more data breaches now don’t go directly after financial data – these modern breaches are more interested in getting your e-mail details and passwords.

But why?
There are currently over 200 social media websites in general use. We now use e-mail to communicate with our banks, mortgage company, council, utility services and retailers, as well as friends and family. We use the Internet to shop (especially at this time of year), to send money and to listen to music.

Most of us will have an on-line presence which requires us to logon with a name and password.

The average person has 25 systems that require logon credentials.
On average, 4 of those systems will have the same logon name and password.
In fact, as we are required to remember more passwords, the number of times we re-use our memorable password increases.

This is where the problems start.

  • The bad guys obtain your logon names and passwords from a security breach (or buy the list from a third party).
  • They try those credentials across the 200+ social media sites, the webmail systems, online stores and so on, to see which ones give access.
  • They watch the sites they have gained access to in order to monitor your activity. E-mail accounts are the golden egg, as they allow the bad guys to see who you interact with. They also gain the ability to reset passwords for your other systems, because the password reset e-mails will go to the mailbox they have access to.
    If they do this overnight you will not see the activity. They don’t have to lock you out of the systems, just watch what you do.
  • As they know who you interact with and what you have been doing, they can now construct a phishing e-mail using live information and trick you into revealing your payment or banking details. Alternatively, they can build websites that look like the companies you interact with and get you to log on to these, so they can harvest your logon credentials and banking details.
  • The above doesn’t happen straight away; it can take place over a year or longer, so as not to arouse suspicion.

If you were a Facebook, TalkTalk, Tesco, 3Mobile, Deliveroo, Dropbox, LinkedIn or Yahoo user you may have thought about resetting your password, to stop any further access to your account. But what about the other systems you use on-line that are using those same credentials? Have you changed those?

So, what should we do?
First, ensure you have a secure password. A password that starts with “Password” or your name, or that contains your date of birth, is not secure. A password that is a standard word, even if you do replace letters with numbers, isn’t secure.

Don’t re-use passwords. One ultra-secure password won’t be any good if someone finds it.

The best way to protect yourself is to use two-factor authentication, which will send a text with a code or use an app to verify your login. This can easily be set up for any social media accounts you use.

Looking at recent data breaches, the 25 most common passwords being used by people are…
123456
password
12345678
qwerty
12345
123456789
football
1234
1234567
baseball
welcome
1234567890
abc123
111111
1qaz2wsx
dragon
master
monkey
letmein
login
princess
qwertyuiop
solo
passw0rd
starwars
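
The two pieces of password advice above (avoid the common breached passwords even with letter-for-number swaps, and avoid passwords built from your name or date of birth) can be turned into a simple check. The Python below is an added example for this article, not code from the original post or from any of the companies named in it. The list of common passwords is the one quoted above; the letter substitutions it undoes, the date formats it looks for and the sample names and dates are the example's own assumptions.

```python
import re
from datetime import date
from typing import List, Optional

# The 25 most common breached passwords listed in the article.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
}

# Common letter-for-number/symbol swaps (an assumed set), undone so that
# "passw0rd" or "P@55word" are judged on the word they really are.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case the password and undo digit/symbol substitutions."""
    return password.lower().translate(LEET_MAP)


def date_tokens(dob: date) -> List[str]:
    """Digit strings people commonly embed from their date of birth.
    Two-digit years are deliberately left out: too short to flag on their own."""
    return [dob.strftime(fmt) for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%d%m%y")]


def weak_password_reasons(password: str, name: str = "",
                          dob: Optional[date] = None) -> List[str]:
    """Return the article's reasons why this password is weak (empty list = none found)."""
    reasons = []
    norm = normalise(password)

    # Rule 1: in the breached-password list, with or without swaps undone.
    if norm in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the list of most common breached passwords")

    # Rule 2: starts with "password" (replacing letters with numbers does not help).
    if norm.startswith("password"):
        reasons.append("starts with 'password'")

    # Rule 3: starts with the user's (first) name.
    first = name.strip().split()[0].lower() if name.strip() else ""
    if len(first) >= 3 and norm.startswith(first):
        reasons.append("starts with your name")

    # Rule 4: contains the user's date of birth in a common layout.
    if dob is not None and any(tok in password for tok in date_tokens(dob)):
        reasons.append("contains your date of birth")

    return reasons


if __name__ == "__main__":
    # Constructed sample user and candidate passwords.
    user, born = "Alan Smith", date(1985, 3, 25)
    for candidate in ["passw0rd", "Password2016", "Alan1985!", "correct horse battery staple"]:
        problems = weak_password_reasons(candidate, user, born)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

A real sign-up or password-change form would check against a full breached-password corpus rather than twenty-five entries, but the point the article makes survives unchanged: undoing the number-for-letter swaps before the lookup is what stops "passw0rd" from slipping past a blocklist that contains "password".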

If you receive an e-mail with a weblink or attachment that you weren’t expecting, DON’T click the link or open the attachment.

The same is true if you receive an e-mail from your bank or a company you interact with. Check the e-mail address the message has really come from, and hover your mouse over any weblinks to see where the link is really going to take you.
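
The two checks just described (does the sender's address belong to the company it claims to be, and does each link really go where its text says) are exactly what a mail filter or a careful reader does. The Python below is an added example written for this article, not code from the original post; the e-mail it inspects is constructed for the example, and the company name, domain and link targets in it are made up.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Visible link text that itself looks like a web address, e.g. "www.bank.com/login".
URL_LIKE = re.compile(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#]\S*)?")


def host_of(link: str) -> str:
    """Host name of a URL or bare 'host/path' string, lower-cased ('' if none)."""
    link = link.strip()
    if "://" not in link:
        link = "http://" + link
    return (urlparse(link).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a sub-domain of it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email(from_header: str, html_body: str, expected_domain: str) -> List[str]:
    """Findings for a message claiming to come from expected_domain (empty = nothing odd)."""
    findings = []

    # Check 1: the address behind the friendly display name.
    display_name, address = parseaddr(from_header)
    sender_host = address.rsplit("@", 1)[-1] if "@" in address else ""
    if not in_domain(sender_host, expected_domain):
        findings.append(f"sender {address!r} (shown as {display_name!r}) is not at {expected_domain}")

    # Check 2: where each link really goes versus what it says.
    collector = LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        real_host = host_of(href)
        shown_host = host_of(text) if URL_LIKE.fullmatch(text) else ""
        if shown_host and not (in_domain(shown_host, real_host) or in_domain(real_host, shown_host)):
            findings.append(f"link displays {shown_host} but goes to {real_host}")
        elif not in_domain(real_host, expected_domain):
            findings.append(f"link {text!r} goes to {real_host}, outside {expected_domain}")
    return findings


# Constructed sample: a suspicious message pretending to be from "Example Bank".
SAMPLE_FROM = '"Example Bank Security" <alerts@examplebank-secure.com>'
SAMPLE_HTML = """<p>Your account has been suspended. Please visit
<a href="http://examplebank.com.login-verify.net/reset">www.examplebank.com/reset</a>
to restore access, or read our <a href="https://www.examplebank.com/help">help pages</a>.</p>"""

if __name__ == "__main__":
    for finding in check_email(SAMPLE_FROM, SAMPLE_HTML, "examplebank.com"):
        print("WARNING:", finding)
```

The second link in the sample is genuine and produces no finding, which is the subtle part of the advice above: a phishing message often mixes real links to the company's site with the one link that matters, so every link has to be checked, not just the first.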

It is better to be safe than sorry, not only at this time of year, but throughout the year!
