Unfortunately, in the digital world we live in it is a must that we use usernames and passwords for everything. The downside is that it brings greater risk: every time you enter a set of credentials, you are in some ways giving someone else the keys to your castle. I have touched on this before in previous posts, but I think it is very relevant given the recent breach of data.
In case you did not know, the popular app “MyFitnessPal” and website (which is owned by Under Armour) disclosed that in February their datastores were breached and 150 million users’ sensitive data was stolen. This data included usernames, passwords, and email addresses. According to Under Armour, the password data was stored in a form that makes recovering the actual password text harder, but not impossible.
The problem that I see with the reporting of this breach and the action that MyFitnessPal is taking to force users to change their passwords is that yes – you changed your password to their site, but what about all the other sites that you used the same username and password on? That is our problem – we reuse the same usernames and passwords for everything! We use our credentials for our email, our bank, and our fitness applications. That means that if one of any of these places loses your data you face a potential compromise elsewhere that could be much more sensitive.
Unfortunately, the “bad guys” don’t sit around thinking of different aspects of your life trying to figure out what your password is, although that does make for terrific television. Today’s hackers normally operate in this way: a group of shady jerks target vulnerable websites that you may use, but are not protected nearly as well as, say, Bank of America. (Think: Target, Home Depot, Anthem health care, MyFitnessPal) Sometimes, scoring access to a customer database is as easy as tricking a low-level employee with a fake email that looks real enough but is peppered with bad hyperlinks. Once a thief scores your information including email and password – usually acquired in bulk with other people – the first thing they do is try it on every account linked to your email.
Do you see the problem now? I cannot stress this point enough – DO NOT USE the same password for everything important in your life.
Are you worried now? I sure am. The first thing to do is to see if your data has been included in any of the more recent hacks. A website called “Have I Been Pwned” gathers the email addresses that were compromised in these hacks and compiles them into a searchable database. You can enter your email address to determine if it was compromised. This service is free and has an option to be alerted if your email shows up in future hacks. DO THIS.
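The same service also lets you check whether a password itself has turned up in a breach, and it does so without ever receiving the password: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every suffix sharing that prefix (a k-anonymity lookup). The example below is added here to show that check; it is not code from the original post or from Have I Been Pwned. The range response is a constructed stand-in served from a local dictionary, and the hit count of 12345 is made up, so the whole thing runs offline; the real service answers `GET https://api.pwnedpasswords.com/range/{prefix}` with the same line format.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the range API. Keys are 5-hex-char SHA-1 prefixes,
# values are the response body: one "SUFFIX:COUNT" line per known-breached hash
# sharing that prefix. The suffix below is the real SHA-1 of the string
# "password" (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8) split after 5 chars;
# the count 12345 and the other suffixes are invented for the example.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68000:2\n"
        "0000000000000000000000000000000000A:7\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call; returns an empty body for unknown prefixes."""
    return FAKE_RANGES.get(prefix, "")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_body(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; tolerate blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Return how many times the password appeared in known breaches (0 = not seen).

    Only the 5-char prefix leaves the client; matching the 35-char suffix happens
    locally, so neither the password nor its full hash is disclosed.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    counts = parse_range_body(fetch_range(prefix))
    return counts.get(suffix, 0)


def is_safe_to_use(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> bool:
    """A password seen in any breach should be rejected or rotated."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 9xQ!"):
        n = breach_count(candidate)
        verdict = "seen %d times, change it" % n if n else "not in the breach set"
        print("%r: %s" % (candidate, verdict))
```

To use this against the live service, replace `fake_fetch_range` with a function that performs the HTTP request for the prefix and returns the response text; everything else stays the same. The same check is worth running inside a signup or password-change form on your own site, so that a user cannot set a password that is already circulating in breach dumps.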
The next thing you need to do is change your password – not just on the site that was compromised but on EVERY site that you used that same email and password combination on. That sounds like a lot of things to do and you don’t want to use the same password again, so I recommend using a password manager – there are many out there and there are varying opinions of them all. Personally, I use LastPass which allows me to store my passwords for all my sites and integrates to my browser allowing me to quickly access the site without having to remember a bunch of different passwords.
If you have the option to enable two factor authentication (2FA), do so now. This is one sure-fire way to keep some jerk from logging in as you. Unfortunately, not all sites offer this option, so on those sites you are still stuck with the old username and password.
Now, the last thing to do is remember not to do this again, or you will be going through the same procedure, changing your passwords all over again and wondering when this will end – it won’t.
This trend will continue as there is no true way to stop thieves from stealing, and the most vulnerable part of all technology tends to be the humans who interface with it.