
Data Breach?

 
daveb722
(@daveb722)
Trusted Member

I was reviewing my Google saved passwords and it identifies compromised passwords and they show this site as having a data breach. Anyone aware of this?

Topic starter Posted : September 30, 2020 6:10 pm
vicanuck
(@vicanuck)
Expert
Posted by: @daveb722

I was reviewing my Google saved passwords and it identifies compromised passwords and they show this site as having a data breach. Anyone aware of this?

It wouldn't surprise me. But it doesn't worry me either.

I don't use the UN and PW here anywhere else. But, I do use a password manager and all my important passwords are no less than 20 characters unless the site limits them to less. Also, I use two factor authentication wherever possible which is a great safety feature.

I've actually never once been hacked.

Posted : October 1, 2020 8:24 am
daveb722
(@daveb722)
Trusted Member

@vicanuck agreed, just wanted to see if Google was correct as I had 4-5 sites appear in one day and wonder if they are somehow related.

Topic starter Posted : October 1, 2020 4:03 pm
STTsailor
(@STTsailor)
Trusted Member
Posted by: @daveb722

I was reviewing my Google saved passwords and it identifies compromised passwords and they show this site as having a data breach. Anyone aware of this?

Please elaborate how you store passwords with Google? Do you mean your browser?

Posted : October 1, 2020 4:23 pm
daveb722
(@daveb722)
Trusted Member

@STTsailor yes, through my browser (Chrome). I turn on autofill and it remembers them for me. Google then checks the sites I have daily, although it doesn't give you an alert, you have to manually check (I can't find a setting that sends you alerts unfortunately, but I found an extension today that will let me know, passprotect) and see how that works out.

Topic starter Posted : October 2, 2020 8:49 am
jaldeborgh
(@jaldeborgh)
Advanced Member

Hacking is a growth industry now that so many people are living and working virtually. Our company does its payroll using ADP and I was informed by them this last week that an unemployment claim was attempted in my name. Apparently this is fairly common but nevertheless alarming, as the hacker needed a good deal of personal information to attempt the claim. One of the first things I did was to open an account with Life Lock, which includes a suite of security software as well as the monitoring services. I'm increasingly convinced we all need to take active steps to protect ourselves and families from cyber/hacker attacks.

Posted : October 3, 2020 11:19 pm
Stxdreaming1
(@stxdreaming1)
Advanced Member

@jaldeborgh

To start, use a password manager like 1password. Also, use a different password for each bank and other accounts you have. 

Posted : October 4, 2020 9:22 am
40isthebetter20
(@40isthebetter20)
Advanced Member

I work in IT Security and the compromised passwords feature doesn't necessarily mean that that specific site was hacked, it just most likely means that the password you used for it or your email showed up on a black market list of passwords or emails somewhere and you need to change it. Google stores and remembers passwords for your sites and it compares them to those lists and if it gets a hit then it will let you know in that feature. 

Large lists of emails and passwords are sold on the black market daily and companies like Google and Apple actually use those lists to help protect their consumer data. You can go buy lists of stolen emails and passwords on the black market thru the TOR browser and sadly enough, they're not very expensive.

If you are interested in IT Security, hacking, phishing, threat, etc... I would check out Brian Krebs' website: https://krebsonsecurity.com/ He's considered a leader in the field and several well known hackers try to shut his site down daily just for the notoriety. I've learned some really cool stuff from his site including how to scan gas pumps, ATMs and anything with a card reader for skimmers by using an app on my phone so my card info won't get stolen.

If you want to check your email accounts and passwords to see if they have been compromised in a data breach somewhere, go here: https://haveibeenpwned.com/  

It's free and it's safe. 

Think you have a sketchy link and you're afraid to click on it? Copy and paste it (without clicking on it) in the URL finder here: https://www.virustotal.com/gui/home/url

Virus Total isn't perfect- but it can be a little helpful and it's free. 

I also use the free version of Malwarebytes. After the two week free trial just uninstall and reinstall when you want to run a free scan again.  We do this at work and on my home PC. 

Last but not least- never input your credentials into a page if you were redirected there by a link via email or a website. Always go to the sites independently by typing the site into the address bar in the browser. Hackers have perfected the login screens for everything even down to the "secure" company logos in the bottom right or left hand corner of the login page that you trust. 

 

Sorry for the diatribe but I kinda love sharing what I do, so I hope it was helpful! 🙂 

Posted : November 3, 2020 3:44 pm
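
How a breach lookup of the kind described in the post above can work without the password leaving your machine, modeled on the hash-prefix range query offered by haveibeenpwned.com's Pwned Passwords service (an added example, not part of the original thread and not Google's or haveibeenpwned's own code). The corpus, the `simulated_range_endpoint` stand-in and the sample passwords are constructed so the example runs offline.

```python
import hashlib

# Constructed breach corpus (password -> times seen); stands in for the service's data.
CONSTRUCTED_CORPUS = {"password123": 5, "hunter2": 3, "letmein": 7}


def sha1_upper(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form the range lookup uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def simulated_range_endpoint(prefix: str) -> str:
    """Hypothetical offline stand-in for the range endpoint: it sees only the
    5-character prefix and returns 'SUFFIX:COUNT' lines for matching hashes."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix.upper()):
            lines.append(f"{digest[5:]}:{count}")
    # Decoy entry with count 0, like the padding a real response may contain.
    lines.append("0" * 35 + ":0")
    return "\r\n".join(lines)


def breach_count(password: str, endpoint=simulated_range_endpoint) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    Only the first 5 hash characters are passed to the endpoint."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in endpoint(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # The comparison against the full suffix happens locally, on the client.
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple 42!"):
        print(repr(pw), "seen", breach_count(pw), "times")
```

A hit means the password itself has appeared in a breach list somewhere, not that any particular site was the source.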
jaldeborgh
(@jaldeborgh)
Advanced Member
Posted by: @40isthebetter20

Sorry for the diatribe but I kinda love sharing what I do, so I hope it was helpful!  

I'm curious about your thoughts on services like Life Lock, which I think is now owned by Norton/Symantec.

Posted : November 3, 2020 4:51 pm
40isthebetter20
(@40isthebetter20)
Advanced Member

@jaldeborgh 

It's okay. It's def not foolproof but I think it's better than not having any protection at all- especially if you don't know how or don't want to protect yourself on your own. 

Some of the biggest ways that you can keep yourself safe are to:

-Put multifactor authentication (MFA) in front of everything. It's a pain in the ass sometimes but it works. Someone the other day kept trying to buy something on my account but they didn't get the auth code sent to them so it didn't work. The auth code came to me and alerted me so I could change my password. 

-Freeze your credit if you're not making a large purchase anytime soon and freeze the credit of any minors in your home. You'll still be able to use your credit card and all that but it will keep anyone from opening new lines of credit for credit cards or making big purchases in your name that need to be financed. You can unfreeze your credit anytime and it only takes a day or two (or less) to complete the process. Freezing your kiddos' credit will help keep their identity from being stolen and starting off their financial lives with any black marks. You or they can unfreeze it when they're 18.

This is kinda a pain in the sense that you will have to freeze it with all three credit agencies, however I'm sure it's less of a hassle than actually having your identity stolen. I've heard that is so invasive and terrible to go thru.

Brian Krebs has an article on his site that tells you all about how to do it and he even has the links to the sites you need, I believe. 

 

If you can freeze your credit and use MFA on all the things- then you really don't need lifelock. 

Just a fun fact- the guy who started Lifelock paraded his social security number around on the side of a truck all over NY or wherever he was and put it on his commercials. His identity was in fact- stolen- all because of that. Hahaha! Hackers are the most brilliant people on the planet. If they want it- they'll get it.

 

So- I don't know if this applies there in the USVI, but here in the states we have Informed Delivery through the US Postal service. You get an email and can go visit the site to see what's coming to your house or PO BOX on the daily thru the mail.

Everyone (or you as everyone) needs to sign up for that in your house. Even your kids. Why? Well terrible people will sign up for it at your house as you under their email address (there's no way for the USPS to verify or check an email address to see if it's valid) so they get informed about what's coming to your home. 

If they want that Chase or AmEx pre-approved credit card application, or your bank card that just got delivered, or that package on your doorstep... then it's theirs. 

I think lifelock is kind of expensive, but it just depends on how involved you want to get in your own protection. Nothing is perfect or foolproof- like I said- if they want it they'll find a way to get it. 

 

Last bit of advice- use an easy to remember sentence and numbers and characters for your passwords. Here's a chart to tell you how fast you can be hacked. 🙂 

[Image: password hack chart]

 

Posted : November 6, 2020 12:53 pm
jaldeborgh
(@jaldeborgh)
Advanced Member

Thanks for your very comprehensive answer to my question.  I do use MFA on some things but not everything.  I use face recognition on my iPhone and iPad, plus I have the fingerprint reader on my MacBook Pro.  I do have passwords that use numbers, upper and lower case letters and symbols, with enough digits to make them safe.  I also never access any of my accounts on any devices except my own.  The vast majority of our liquid assets are kept in a brokerage account, professionally managed and not linked to anything.  Freezing our credit might be a good idea as the only debt we have are a few credit cards, which are all set-up to be automatically paid-in-full each month.  The one major thing I'm doing wrong is sharing my password with our children, on some accounts, who are all adults, but just the same it's a risk.

Posted : November 6, 2020 1:26 pm
40isthebetter20
(@40isthebetter20)
Advanced Member

Facial recognition and fingerprints and all that are good. There's a big debate out there about biometrics and what happens if that information is stolen, but for now those will protect your physical devices. I'm sure hackers and the technology they develop will catch up at some point. Cali has some pretty strict privacy laws and they were the first to implement laws around biometrics. 

Something to think about and make sure of is protecting yourself from your environment, per se... Hackers don't necessarily want into your devices- they want into the network you're using bc your devices auto connect to those. Once in your network or any wifi you're using, they can get whatever they want. You can turn your phone off or turn your wifi off to combat that.

Make sure your home wifi is locked down with a great password as well as any IOT (internet of things)  devices like Nest, Alexa and Google Home.

A super fun example (this is my favorite) of getting hacked through an IOT device was a casino that got hacked thru the thermometer in the fish tank in their lobby. It had a crap password and the hackers were able to steal all of their high roller info simply bc it all existed on the same network. 🙂

Also- Target was breached through a crappy password on their HVAC system and we all know the millions in credit card sales that cost them. Everything existed on the same network. 

To help with this- try not to access any important sites on public wifi. It's easy to check your bank account, email, scroll social media, etc... while in the grocery store or a coffee shop. But if someone has a simple sniffer program installed they can literally see what everyone is doing on that network and take whatever info they like and they'd never know. If you're scrolling your bank account, they'll see everything you see- your balance, account number, etc... If the business has a password on the wifi that's offered- I'd still consider it public but you could probably jump on and then right off and be okay if you trust the situation. If it's a public network- people in the parking lot could be going thru your info. They don't have to be close to you, they just have to be close enough to be on the network. 

 

If you can, turn off your wifi and use your phone's data plan or get a personal VPN if you ever need to do things in public (like when traveling, etc..). Just don't get a VPN from Russia or some other shady country like China. You might pay more for a US based one but it's well worth it. You'll be able to use it on all your devices so you can feel good about whatever you do. 🙂 

With all that- it also depends on your environment and if you trust where you're at. Downtown NYC- damn well better believe I'm doing all of the above. Miami or ATL airport- yep same. But po-dunk Tennessee in a little Mexican joint we go to weekly- I probably won't stress that much. I log into their wifi and let my little watch Netflix after she eats so my husband and I can talk in peace for a few minutes.  I didn't really stress about it in St. John but I was a little more careful in STT. Just use your best judgement. 

Posted : November 6, 2020 3:17 pm
vicanuck
(@vicanuck)
Expert

Great information on this thread...many thanks!

Posted : November 6, 2020 4:17 pm
40isthebetter20
(@40isthebetter20)
Advanced Member

@vicanuck  You are so welcome!! I like helping where I can. If any of you ever have any questions I'll do my best to help! 

Posted : November 8, 2020 10:41 am
CruzanIron
(@cruzaniron)
Expert
Posted by: @40isthebetter20

@jaldeborgh 

I

So- I don't know if this applies there in the USVI, but here in the states we have Informed Delivery through the US Postal service. You get an email and can go visit the site to see what's coming to your house or PO BOX on the daily thru the mail.

Everyone (or you as everyone) needs to sign up for that in your house. Even your kids. Why? Well terrible people will sign up for it at your house as you under their email address (there's no way for the USPS to verify or check an email address to see if it's valid) so they get informed about what's coming to your home. 

If they want that Chase or AmEx pre-approved credit card application, or your bank card that just got delivered, or that package on your doorstep... then it's theirs. 

 

 

 

After signing up they sent me a letter in the mail with a PIN number that had to be validated on their web site to be able to log in to my account. 

 

 

Posted : November 9, 2020 8:05 am
daveb722
(@daveb722)
Trusted Member

@cruzaniron I use it and love it.  Saves time and gas by not going to pick up mail if not necessary.

 

Topic starter Posted : November 9, 2020 2:22 pm
rewired
(@rewired)
Advanced Member

I've used informed delivery in the states since it came out and on STX for the past year. One additional option is the USPS mobile app that you can use to track returns through USPS to make sure they get where they're supposed to. When you have orders through Amazon or eBay, you can also enter the tracking numbers to track them to your mailbox.

Assuming you have a WiFi router at home, you can also turn off the 'SSID beacon' -> this is what shows up on your device when you look at it for available WiFi access points to connect. You WILL have to know the name of your router to connect to it, but hackers also have a much harder time connecting because they have no indication that the access point is there.

Also, if you tend to use public WiFi access points a lot, consider investing in a good VPN client - there are several good ones available for mobile devices now.

Posted : November 12, 2020 10:01 pm