Tag Archives: LifeLock

Privacy Alert! Disqus data breach!

Some websites require you to have a Disqus account in order to comment.

Disqus is a worldwide blog comment hosting service for web sites and online communities that use a networked platform.

Last night, LifeLock issued an alert that Disqus.com has incurred a data breach.

If you have an account with Disqus, this means whatever data you’d entered at Disqus is compromised, including your email address and your password.

Below is the alert from LifeLock:

Description: The site disqus.com has been reported to possibly have suffered a data exposure that could include emails and passwords. The possible exposure would have happened in June 2012 although it was reported in February 2018.

Where Found: Dark Web, a term used which may also include the deep web or a peer-to-peer file sharing network.

Password: Exposed online

LifeLock’s advice:

  1. Change the password associated with the affected website or email service immediately.
  2. Set up 2-factor authentication if available with that website/service.
  3. If you see a Social Security Number belonging to you, review credit reports for suspicious activity, watch financial transactions, and make sure LifeLock alert preferences settings are up to date for the account that belongs to you.

~Eowyn

Millions of LinkedIn passwords hacked and sold on black market

I’m a paid member of LifeLock. This afternoon, I received an email alert from LifeLock that “LifeLock detected a piece of your personal information” — my email address — “being sold online.”

The alert said my email address was found on “social media,” specifically the “potential impacted site” of http://www.linkedin.com — the website of LinkedIn, the social networking site for professionals and business people.

Fortunately, the personal data that was breached is one of my email addresses. LifeLock warns that “If your debit card, credit card, bank account numbers or PINs appear in this alert, change all accounts sharing the login name and password, and contact the corresponding financial institutions immediately. We recommend you use different logins and passwords for each account; this will minimize the scope of your potential risk.”

After freaking out for a few seconds, I got to work.

First, I went on the net to search for LinkedIn having been hacked. This is what I found.

Jose Pagliery reports for CNN Money that four years ago, in 2012, LinkedIn was hacked, resulting in, we were told, the theft of 6.5 million passwords.

Companies typically protect customer passwords by encrypting them. But LinkedIn was hacked because in 2012, the company had a rather lackadaisical security policy that eschewed adding a pivotal layer of security that would have made the encrypted jumbled text harder to decode.

The massive hack led computer security experts to wonder why it took so long for LinkedIn to figure out what happened to their own company computers, and to acknowledge it publicly. Brad Taylor, CEO of cybersecurity firm Proficio, asked: “If LinkedIn is only now discovering the scale of data that was exfiltrated from their systems, what went wrong with the forensic analysis that should have discovered this?”

It gets worse.

It turns out that the number of passwords stolen was way more than 6.5 million. In actuality, 117 million LinkedIn passwords were stolen by hackers.

Then it gets really really bad.

According to the tech news site Motherboard, on May 18, 2016, LinkedIn acknowledged that a massive batch of login credentials is being sold by hackers on an online black market called “The Real Deal”.

Worse still is this: Since we tend to reuse our passwords, the hackers who have the 117 million LinkedIn passwords are more likely to gain access to those 117 million people’s email and bank accounts as well.

Put on the defensive, LinkedIn’s chief information security officer Cory Scott said, “We take the safety and security of our members’ accounts seriously,” blah blah blah. The company is now scrambling to try to stop people from sharing the stolen goods online — often an impractical task — as well as invalidating all customer passwords that haven’t been updated since they were stolen 4 years ago.

LinkedIn also said it’s reaching out to individual members affected by the breach, but I’ve received no notification from LinkedIn. If it wasn’t for LifeLock, I would not know that my email address was hacked and is being sold on the black market.

If you are a member of LinkedIn, you should:

  1. Change your password.
  2. Add two-factor authentication, which requires a text message every time you sign in from a new computer.
  3. Here’s my advice: If you use your LinkedIn password on other accounts, change those passwords as well, especially for bank and other financial accounts, such as PayPal. I spent several hours this afternoon doing just that. I also closed my LinkedIn account.

~Eowyn

T-Mobile data breach alert!

I have a membership in LifeLock.

Just received this notification from LifeLock about a massive data breach of T-Mobile:

T-Mobile data breach

What You Should Do:

  • If you do not conduct business with T-Mobile, no further action is necessary.
  • If you have done business with T-Mobile, please click here for more information.

~Éowyn