Yahoo confirmed Thursday that more than 400,000 user e-mail addresses
and passwords have been compromised and posted online. The hackers
claim to be do-gooders, breaking into Yahoo to shine a light on its
potentially lax security.
Regardless of their intentions, the passwords are now online for
everyone to see. The strike comes just a month after millions of
passwords leaked onto the Internet. LinkedIn, the business-oriented
social network, confirmed that nearly 6.5 million user passwords had
wound up on websites frequented by criminal hackers. The same week,
dating site eHarmony and the Internet radio service Last.fm acknowledged
additional breaches that exposed the passwords of at least 1.5 million
users.
If you use any of these sites, change your passwords immediately.
This rapid-fire series of announcements raises the question: Why
would hackers target these sites? What could possibly be culled from
someone's online résumé and dating history?
A lot, says Marian Merritt, Internet-safety advocate for the computer
security company Symantec. People on LinkedIn share all kinds of
information about their career history – names, associations, and
department titles. Armed with details about someone's past, a hacker
might pose as a former co-worker or pretend to be that person in order
to scam people out of money.
"Oh, remember? We worked on this project back in '82," says Ms.
Merritt, playing the part of a hacker who's laying the groundwork for a
con. "I'm looking for X. Can you help me?"
This kind of targeted scheme, a form of "spear phishing," takes far more
effort than a mass-mailed scam, but going after the right target can be very lucrative. "The
definition of a 'big fish' isn't necessarily the CEO of a corporation,"
says Merritt. "People often forget that churches manage money,
membership dues, and whatever fundraisers. They have millions of dollars
going through transactions, and it may be managed by somebody that
doesn't have good security training because they're a volunteer or
[work] part time."
Exposed passwords could also unlock other parts of a person's digital
life. At the moment, it's unclear whether the ill-gotten passwords came
with the corresponding usernames. Just in case, Gary Davis advises
people to change passwords not only on the breached networks, but also
on any website where they used the same login information.
"If I use the word 'password' as my password, and I use the e-mail
address 'normangdavis,' well they can try that [combination] at my bank
and see if that gets them in," says Mr. Davis, worldwide product
marketing lead for security firm McAfee.
Fed up with remembering different passwords? Symantec and McAfee
offer password managers. The paid services generate a unique, random
password for every site you use, which is exactly what defeats the
try-it-at-the-bank attack Davis describes. You memorize a single master
password for the service – the software takes care of the rest.
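To make Davis's point concrete, here is an added example (not code from the article, Symantec or McAfee) that simulates the reuse attack and the password-manager remedy the last two paragraphs describe. The leaked dump, the "bank" service and the `Service` class are all constructed for this demonstration; the bank is assumed to store salted PBKDF2 hashes rather than plaintext, and the iteration count is an assumption chosen so the demo runs quickly.

```python
import hashlib
import os
import secrets

# Constructed sample of a leak like the one described: plaintext
# e-mail/password pairs posted online. Not real data.
LEAKED_DUMP = [
    ("alice@example.com", "password"),
    ("bob@example.com", "Summer2012!"),
    ("carol@example.com", "correct horse battery staple"),
]


class Service:
    """Hypothetical second site (the "bank" in Davis's quote). It stores
    only salted PBKDF2-SHA256 hashes, so a breach of *this* site would
    not hand attackers reusable plaintext. Assumption for the demo."""

    ITERATIONS = 50_000  # assumed; tune upward on real hardware

    def __init__(self, name):
        self.name = name
        self._users = {}  # email -> (salt, hash)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)
        self._users[email] = (salt, self._hash(password, salt))

    def login(self, email, password):
        record = self._users.get(email)
        if record is None:
            return False
        salt, stored = record
        # Constant-time compare so timing does not leak how much matched.
        return secrets.compare_digest(stored, self._hash(password, salt))


def credential_stuffing(dump, service):
    """Replay every leaked e-mail/password pair against another site.
    Returns the e-mails whose reused password let the attacker in."""
    return [email for email, password in dump if service.login(email, password)]


def generate_unique_password(nbytes=18):
    """What a password manager does: a random, per-site secret the user
    never has to remember (24 URL-safe characters for 18 bytes)."""
    return secrets.token_urlsafe(nbytes)


def rotate_to_unique(service, emails):
    """The article's remedy: replace the reused password on the other
    site with a fresh manager-generated one. Returns the new secrets."""
    fresh = {email: generate_unique_password() for email in emails}
    for email, password in fresh.items():
        service.register(email, password)
    return fresh


def demo():
    bank = Service("bank")
    # Alice and Bob reused their leaked passwords at the bank;
    # Carol already used a manager-generated one there.
    bank.register("alice@example.com", "password")
    bank.register("bob@example.com", "Summer2012!")
    bank.register("carol@example.com", generate_unique_password())

    before = credential_stuffing(LEAKED_DUMP, bank)
    rotate_to_unique(bank, before)
    after = credential_stuffing(LEAKED_DUMP, bank)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("stuffing succeeded for:", before)
    print("after rotating to unique passwords:", after)
```

The bank's hashing does nothing to protect Alice and Bob here: the attacker is not cracking anything, only replaying a plaintext pair that another site leaked. Only a password that exists nowhere else breaks the chain, which is why the advice is to change the password everywhere it was reused, not just on the breached site.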