No matter where you get your news, you can’t avoid stories about the latest data breach. Banks, password managers, merchants, telcos, and virtually any other company can fail to protect sensitive user data. LastPass just got hit again, with hackers breaking into the personal computers of top engineers. Even the US Marshals are not immune. However, not all violations are the same, and how a violation affects you can vary widely.
We’re here to help you understand what a data breach is and provide some tips to protect your personal life from the worst.
What do data thieves want?
Imagine a criminal gang pushing an armored vehicle filled with safes for valuables. They seem to be making a lot of money, but in reality, they don’t know who owns each safe, they don’t know what’s inside, and they’re light-years away from figuring out the combinations. It’s a lot like what happens when data thieves get their hands on an encrypted data vault from a password manager or similar company. If implemented properly, such a vault can only be opened by the owner, with all decryption happening locally on the owner’s device.
Confronted with a mysterious safe or an unknown block of encrypted data, thieves are likely to move on to easier targets. But even a little bit of extra information can make security cracking easier. For example, in the recent LastPass breach, thieves obtained an unencrypted version of the password URL in your vault. This makes guessing your master password much easier, and of course, once thieves have a copy of your vault, they can spend any time Try to crack it.
What happens if your data is stolen in a breach?
In another breach, thieves can get hold of a company’s customer list in whole or in part. Whether they broke into the office and flipped a paper checklist, or hacked a database online, the result was the same. In the best case, they only get less private details such as your name, address, phone number and email. Granted, they can sell this information to data aggregators and brokers . They may have a list of your purchases and the broker is also interested.
It’s conceivable that stolen data could include your credit card number, but that’s not as big a deal as you might think. The long-standing Payment Card Industry Data Security Standard ( PCI-DSS ) protocol defines the security of credit card transactions in extreme detail, and it works in most cases as long as businesses follow the rules. You don’t have to pay fraudulent credit card fees anyway (at least in the US). Note that in many cases your credit card details are with a third party provider, not the merchant you paid with.
Online merchants and other websites are responsible for protecting your account details. Many do a good job of keeping all data encrypted and using zero-knowledge techniques, allowing them to verify your login password without knowing or storing that password. However, if a website stores your password in such an insecure manner that it is compromised, then you lose control of the account. Depending on the type of website, a hacker could place an order, make a bank transfer, send an email in your name, or even lock you out by changing your password.
How was the database hacked?
I asked an AI image creation program to draw “hackers accessing encrypted databases”. Unsurprisingly, all of the results depicted a hoodie-clad figure tapping out codes while examining an endless stream of cryptic characters. Hacking at this level does happen, but in real life, breaking into an account is probably a lot simpler.
The Norton Password Manager breach is a good example. The attackers did not breach Norton’s security, nor did they steal encrypted data. Instead, they use usernames and passwords stolen from others to initiate a process called credential stuffing. this is very simple. They simply used a script to try thousands of username and password combinations, carefully documenting the few that would give access to someone’s account. The latest PayPal breach also involved credential stuffing.
The group that stole encrypted data vaults from LastPass is still at large, and they can endlessly try to guess the master password that will open those vaults. It doesn’t take very long at all to try a hundred (or thousands) of the most common passwords per vault. long time. If the effort cracks even one of a hundred targets, the rogue is doing well.
Want to get into the safe? Just steal the combo. The latest bad news from LastPass reveals that a determined, dedicated hacker managed to plant keylogger malware on the personal computer of a senior engineer, one of only four with keys to extremely sensitive company data . Such targeted attacks are uncommon, but clearly effective.
What should I do after a data breach?
It’s easy to disguise the latest news as another boring data breach, but you really should be paying attention. Do you have an account or other connection with the compromised entity? How serious is the violation? Sometimes a news article will detail it, perhaps stating only that customer emails and physical addresses were exposed (whoa!) or that the breach involved specific financial information. In other stories, you’ll see far fewer details, either because the affected companies don’t yet know what’s missing, or because they don’t want to admit it.
One thing you can’t do is wait for the destroyed entity to let you know if you’re affected. Hacks like this are awkward and expensive. For legal reasons, victimized companies are very careful about what they disclose. In some cases, a good lawyer can turn a statement like “Sorry, we lost your data” into a class action . In this case, assume your data is included in the breach.
If you have an account with the compromised company, change your password. Now! It doesn’t matter whether you’re sure you’re exposed. Just do it. Don’t be part of the 1 in 6 Americans who act recklessly after a violation. Use a unique, strong password generated by a password manager.
Don’t stop there – search your password manager for any other sites you’ve used with compromised passwords, and fix those sites. This is a time-critical operation. Data thieves can’t access every stolen account at the same time, and by acting fast, you could be one step ahead of them.