A recent hack into Twitter’s servers caused them to send out emails to have users change their passwords. Unfortunately, they mistakenly prompted more users than were necessary. The popular micro-blogging service used email addresses and password combinations to determine which users were hacked. As of yet, there is no proof to which group of hackers stole the account information, but Anonymous and Chinese cybercriminals are at the top of the list.
Anonymous posted 28,000 email and password combinations online claiming that they could be used to access Paypal accounts. However, Paypal said there was no evidence of any tampering or account loss from their site. It ends up that they were taken from ZPanel, a hosting site. Because many people use a single login and password for all the sites they visit, it is possible that some of these combinations could access Paypal and other sites. Facebook, Google, Microsoft and other social media sites then cross referenced these combinations with their own accounts and sent emails to account holders warning them to change their passwords. Twitter went too far.
Image via CrunchBase
IT professionals in midsize companies need to educate their users on the importance of using unique passwords. Using the same information to log into multiple sites may be easier, but not secure.
Network World announced, “Twitter sent notices of an attempted hacking to China-based foreign journalists and analysts just hours before apologizing for resetting the passwords of more users than necessary in a recent break-in of accounts.” No information was given as to who the hackers were, but Chinese Internet users have had problems accessing foreign websites. It is well known that China is one of the top three countries specializing in distributed denial of service (DDoS) attacks.
The bottom line is it does not matter who the hackers are, but that the accounts were stolen. IT professionals may want to consider business-specific login names, and instructions on email usage and phishing attacks. If a message comes to a user that tells them to click on a link to change their password, they should instead log in to the site and change it there. The link in the email may look like the real thing, but have one letter out of place that leads the user to a phishing site.
Some of the more security-conscious IT professionals may want look at virtualization. A virtual bubble can safeguard the rest of the network from invalid email links, but is up to the user to create unique passwords for their personal lives.
