Been pwned?

By Terry Bradley May 24, 2016

There’s an unfounded belief in the cybersecurity industry that if you’re a true cybersecurity expert, you’d never get hacked. Sadly, this couldn’t be further from the truth. As any seasoned security veteran can tell you, the Internet is full of risks…if you use it very much at all, you’re going to take some hits from time to time. Security incidents come from many different angles. Often you can protect your information by taking proper security precautions (my job as a cybersecurity consultant is based upon this premise). Sometimes, however, a 3rd party (who is outside of your control) gets hacked and your data, your personal information, and maybe even your password get compromised. You just got pwned.

Last night, while sitting on the couch watching the evening news, I got an email from haveibeenpwned.com. This site allows you to 1) check to see if your email address has been named in any big data breaches and 2) sign up for future notifications to let you know if your email address shows up in any newly discovered data breaches. Here’s the email I got last night:

What?! My LinkedIn account was vulnerable?! A little closer reading revealed that the security incident in question actually took place back in 2012, but the specific email accounts involved were not publicly available until now. Fortunately, I’ve changed my password a couple of times since the initial breach happened. Nevertheless, I opened my password safe last night and created a new password for my LinkedIn account, just because I could.

This brings me to a few points I’d like to make:

  1. Don’t re-use passwords. I know you’ve heard this many times, but security incidents like this one illustrate why it matters. Armed with my email address and LinkedIn password, hackers could have been accessing any of my other accounts that used that same email address (as a user name) and password. Chances are, I would have had no indication this was happening. So, don’t use the same password for LinkedIn or Papajohns.com that you use for another account (say your bank or retirement account).
  2. Password safes are awesome. Using a password safe (for instance, Password Safe, found here: https://pwsafe.org/) has many benefits. For one, it makes it very easy to remember a multitude of passwords when you’ve decided to stop using the same password for everything… Another benefit of using a program like Password Safe is that you can search your password safe by password. Armed with the knowledge that my LinkedIn account had been compromised, I was able to quickly search my password safe program to see whether I had used that password (or something like it) anywhere else. This not only helped me gauge my exposure from the LinkedIn compromise, but served as a roadmap of all the places that I needed to go and change passwords (complete with the URLs for the sites and security challenge questions in the notes section of the password safe entry).
  3. What you don’t know can hurt you. There are many data breaches every year and most of them are not discovered until long after the event. Subscribing to services like haveibeenpwned.com and performing Internet recon for your email address (or company’s email addresses) is an important practice. Whenever PLEX Solutions performs a penetration test or external security assessment for a client, we check to see if our clients’ email addresses (and passwords) have been exposed in past data breaches. If you’re not doing this on a regular basis, you could be missing some important threat information that could impact your organization and bypass otherwise strong network security protections.
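As an added illustration of point 2 (this is not code from the post or from the Password Safe project), here is a small Python audit that, given a compromised password, lists the entries in a store that use the same password or a close variant, which is exactly the roadmap of sites to visit after a breach notice. The store entries, sites and passwords below are constructed sample data, and the similarity rules (same stem after case-folding and dropping trailing digits/punctuation, or an edit distance of at most 2) are assumptions made here.

```python
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    site: str
    username: str
    password: str
    url: str = ""
# Constructed sample store (made-up accounts and passwords), not a real export.
SAMPLE_STORE = [
    Entry("LinkedIn", "terry@example.com", "Summer2012!", "https://www.linkedin.com"),
    Entry("Papajohns.com", "terry@example.com", "Summer2012!", "https://www.papajohns.com"),
    Entry("Retirement account", "terry@example.com", "summer2013", "https://retirement.example"),
    Entry("Bank", "terry@example.com", "x9#Qv7!pL2rT", "https://bank.example"),
    Entry("Forum", "tbradley", "Sumer2012!", "https://forum.example"),  # one typo away
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _stem(pw: str) -> str:
    """Case-fold and drop trailing digits/punctuation: 'Summer2012!' -> 'summer'."""
    return pw.lower().rstrip(string.digits + string.punctuation)

def classify(candidate: str, compromised: str, max_distance: int = 2):
    """Return 'exact', 'variant', 'close', or None when the passwords are unrelated."""
    if candidate == compromised:
        return "exact"
    stem = _stem(compromised)
    if stem and _stem(candidate) == stem:          # same word, different year/suffix
        return "variant"
    if edit_distance(candidate.lower(), compromised.lower()) <= max_distance:
        return "close"                            # a typo or one-character tweak away
    return None

def find_reuse(store, compromised: str, max_distance: int = 2):
    """List (entry, reason) for every entry whose password resembles the compromised one."""
    return [(e, r) for e in store if (r := classify(e.password, compromised, max_distance))]

if __name__ == "__main__":
    for entry, reason in find_reuse(SAMPLE_STORE, "Summer2012!"):
        print(f"{reason:7} {entry.site:20} {entry.username:20} {entry.url}")
```

Replace SAMPLE_STORE with your own exported entries and pass the compromised password to find_reuse; every hit is an account whose password should be changed.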

If you’d like to subscribe to email alerts from haveibeenpwned.com notifying you that your email account has been involved in a data breach, you can sign up here:

https://haveibeenpwned.com/NotifyMe