Just a heads up to all the parents out there: an online game for kids known as “Webkinz” was hacked earlier this month and almost 23 million user accounts were compromised. A hacker then leaked a 1GB file containing the usernames and passwords of those accounts (the passwords were hashed rather than stored in the clear, but with a weak enough scheme that a large share of them can be cracked offline, so treat them as exposed). While this is unlikely to affect your business security directly, any breach is worth a few moments of research to make sure you’re not impacted by it. Sure, it’s just a children’s game, but what can an attacker actually do with a hacked game account?
Well, if the email address and password combo your kid(s) used for the game is one they also use elsewhere, every account sharing those credentials is now at serious risk. Attackers take breach dumps like this one and try the same email/password pairs against popular sites automatically (so-called credential stuffing). Let’s say your child uses a free Gmail account and signed up to the game with the same password they use for Gmail. The attacker can now log straight in to the Gmail account. How much information is sitting in your child’s mailbox?
And this extends beyond the static contents of the mailbox to every other site bound to that email address. Same Gmail account used for Facebook? Let’s hope the Facebook password isn’t the same as the Webkinz one, or the attacker is in the Facebook account too. But let’s throw a small spanner in the works and say the Facebook password is different. Facebook and many other sites have a “forgot my password” feature that often relies solely on a reset link being sent to the account’s email address. The attacker already controls that mailbox, so they request a reset, click the link that arrives, set a new password, and get in even though the original password was different. Any site that trusts the mailbox for recovery falls the same way.
Now we just hope you’ve never sent your own login details to your child (or to anyone else) through a mailbox or messaging platform an attacker may now have access to. Credentials pasted into emails follow predictable patterns (“username: … password: …”, a URL followed by a login), and attackers have tools that search a captured mailbox for exactly that in seconds.
The best advice we can give for staying on top of these breaches, since it’s no longer a case of if but when, is to make sure of the following:
- Keep passwords different across websites. This is the single control that would have stopped the chain above: a leaked Webkinz password that is used nowhere else opens nothing else. Use a password manager such as Dashlane, Roboform or Keeper to generate and keep track of long, random passwords for you. You only need to remember one strong master password to unlock the manager; after that it stores everything else and, if you enable it, will autofill logins and web forms for you.
- Change passwords when there is reason to. Changing passwords is a pain and we’re only human, we forget them. The point is that the longer a password has been in use, and the more places it has been typed in, the more likely it is to be sitting in some breach dump. Current guidance (NIST SP 800-63B) favours changing a password promptly whenever there is any sign it has been exposed over changing it on a fixed calendar, and password managers make that far less of a burden; some (Keeper, for one) will report which of your stored passwords are weak or reused across sites and offer to change them.
- Use Multi-Factor Authentication (MFA). Duo, Google Authenticator, Microsoft Authenticator, Authy and others, plus the bespoke authenticator apps some entertainment companies ship (Blizzard, Steam, etc.), add a second layer of protection that we strongly advise you take the time to configure. If a password is cracked or leaked, the attacker is still locked out, because they also need the 6-digit code (which changes every 30 seconds) generated from a secret that lives only in your authenticator app. Some apps offer push notifications you can approve from your phone’s lock screen, which makes logging in even faster despite the extra security. Two caveats: only approve a push or type a code for a login you started yourself, since attackers will spam prompts hoping you tap “approve” to make them stop, and a code typed into a fake login page can be relayed to the real site while it is still valid.
- Ease off on account sharing. Avoid giving your credentials to others, no matter how much you trust them. For all you know they could have spyware or malware on their devices siphoning data, your login details included. Keep it under control and don’t share the credentials; if two people genuinely need access, most services let you add a second user instead.