Your Old Password Has Been Sold — So What?
Data breaches are a regular occurrence. When we hear reports about one that happened with a social media site, a company, or a product we use, we will quickly change our password to that account.
Reports like these: “Hacker Selling 65 Million Passwords from Tumblr Data Breach”, “Hacker Tries to Sell 427 Million Stolen MySpace Passwords”, “Hackers Selling 117 Million LinkedIn Passwords”, are all too common. So common that some might start to think, “Why should I care, those breaches happened years ago and I’ve already changed my passwords?” or “What use is there for my email address and an old password on the black market? Why should I be concerned if my old information reappears?”
Well, should you be concerned?
First let’s look at what happens after a breach. The hacker will take the stolen data, use it for their own purpose, and then either offer it to others in online black markets for money or post it online for all to see freely. Once sold the buyer will use the stolen data for various nefarious means.
What would they use it for?
When it comes to passwords, watch your online accounts because the attacker might try your stolen password on other sites you use. They’ll check to see if you used the same password on those sites or they might even try it on the same site that was breached, to see if you’ve changed your password.
In addition, the stolen passwords can be added to a hacker’s rainbow table to aid them in their efforts to attack other sites or network system’s password databases. For those that are unfamiliar with what “Rainbow Tables” are, TechTarget (http://whatis.techtarget.com/definition/rainbow-table) defines it as “a listing of all possible plaintext permutations of encrypted passwords specific to a given hash algorithm.” In simpler terms, they are vast databases that serve as a digital key for cracking encrypted passwords.
For an email address, watch your inbox. You might get an increase in spam or be targeted with spear phish. You probably will be hearing from relatives that need you to wire them money right away or you might even meet a Nigerian Prince.
When the information is stolen from healthcare providers such as names, birth dates, social security or government IDs and policy numbers, the criminals use these to buy equipment or drugs which they later resell or even to get procedures done. In addition, identity theft is a very lucrative business for the criminal.
Now you’re probably wondering what can be done, how can we protect ourselves?
Some simple measures that we can do to protect ourselves is to not reuse passwords at all. (I know it’s easier to remember passwords if you reuse them, but it’s really not a good practice) When you receive an email from the service you use, asking you to change your password, don’t ignore it, go to the site and change it. NEVER click the link in the email. If the bad guy has your password and they get into your account, whatever information that is in your account they will use in their future attacks.
If you’re going to take anything away from this, it should be this: don’t use the same password on multiple sites and never click a link in the email to reset your password, always go to the website and reset it there. That way if there is a breach and your old password and email is being passed around the black market you won’t be a victim again and you can go back to not worrying about those headlines about information being sold from past breaches.
Written By: Mike Hadnagy
Here’s How Hackers Make Millions Selling Your Stolen Passwords
The 411 on the Password Black Market
Here’s What Hackers Do With Your Data
Your medical record is worth more to hackers than your credit card
Nation Security Research Division
Big data breaches found at major email services – expert
Hacker Tries To Sell 427 Milllion Stolen MySpace Passwords For $2,800
427 Million Myspace Passwords leaked in major Security Breach
Hackers Are Selling Usernames & Passwords Of Over 37 Crore Twitter Users, Including These Celebrities
What Do Hackers Do With Stolen Passwords?