Cyberspace is getting uglier each day, with tech giants reporting security breaches. Imgur, an image hosting website and a popular place for memes, recently reported a massive data breach that occurred in 2014. Unlike Uber's, the data breach was not kept under wraps. Imgur learned of the data breach recently and publicly disclosed it for security purposes.
What data was stolen?
Imgur says that 1.7 million login records were stolen. The relief here is that no PII (Personally Identifying Information), such as phone numbers, was stolen. However, usernames or email IDs along with passwords were stolen. So any user who had an Imgur account and uses the same username and password everywhere is at risk of identity theft or data theft.
How was it done?
Back when Imgur was set up, it used the SHA-256 hashing algorithm for its database. This is now considered an old method, and the database was opened by brute force. It therefore did not require any special tricks, only time and computational resources to crack open the database.
The Imgur data breach should be a warning to other tech giants that still use outdated encryption techniques for their databases to move to newer encryption in case there is a breach.
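The point above, that brute force needed only time and computational resources, comes down to how cheap each password guess is. As an added example (not code from Imgur or from the original article), the Python sketch below contrasts a single fast SHA-256 pass with a salted, deliberately slow PBKDF2 hash. The function names, the unsalted legacy scheme and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def fast_hash(password):
    """Legacy style: one unsalted SHA-256 pass (assumed for illustration)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_hash(password, salt=None):
    """Hardened style: per-user random salt plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_slow(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = slow_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def cost_ratio(password="constructed-sample", rounds=1000):
    """How many times more one slow_hash guess costs than one fast_hash guess."""
    start = time.perf_counter()
    for _ in range(rounds):
        fast_hash(password)
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    slow_hash(password, b"\x00" * 16)
    slow = time.perf_counter() - start
    return slow / fast


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print("fast records identical:", fast_hash("hunter2") == fast_hash("hunter2"))
    first, second = slow_hash("hunter2"), slow_hash("hunter2")
    print("slow records identical:", first[1] == second[1])
    print("login check passes:", verify_slow("hunter2", *first))
    print(f"one slow guess costs about {cost_ratio():.0f}x a fast one")
```

With the fast scheme, identical passwords produce identical stored values and every guess is nearly free; with the salted, slow scheme each stored record is unique and each guess costs the full work factor.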
How to know if you are affected?
The most reliable way to check if you are affected is to go over to HIBP and type in your user ID or email. HIBP, or Have I Been Pwned, is a website that keeps track of all breaches and has a list of all the usernames and email IDs that were disclosed in breaches. So, if you have been affected by any breaches in the past, you will know that too.
How can you protect yourself?
Change your Password and enable 2FA
The first step towards protecting your online account is changing passwords at regular intervals. Regular internet users can change their passwords every four or six months, and that provides enough security from these breaches. 2FA, or two-factor authentication, adds a second factor, such as an OTP, allowing you to log in more securely. 2FA relies not only on what you know but also on what you have. That means you need to have the phone to which the OTP will be texted in order to log in.
Making and Remembering Passwords
The biggest reason why we are so reluctant to make new passwords is that making and remembering passwords is difficult. However, you will get used to a password the more you type it. Making and remembering passwords can be done easily by using password manager apps. There are tons, such as Dashlane, 1Password, LastPass, Keeper and so on. These apps can generate strong passwords for you and keep your passwords safe. You only need to remember one strong master password to get access to your password manager.
To use the passwords from your password manager (which are also really difficult to remember), you need to set up apps and browser extensions on all your devices. However, that is only a one-time setup. After you are done, using strong passwords can be pretty convenient.
Another old-school method is to have passwords physically written down. There are a bunch of password generators available online. From there, you can generate passwords and write a bunch of them down. Every time you need to use a password, you can look it up in your notebook. However, you need to make sure that those passwords never fall into the wrong hands.
Use social media accounts to sign up
One way to get around breaches is to use social media accounts. You can use your Google+ or Facebook account to sign in elsewhere. These sign-ins do not use any passwords. Facebook or Google+ generates a token that is used to sign you in. These are generally more secure.
If you do not want Facebook or Google+ to know where you are signing in, you can always have an extra dummy account just for logging into other websites.
Facebook and Google+ both remember the sites where you have used your account to sign in. You can later remove these from the account settings in Facebook or Google.
Log in using dummy email accounts
Using dummy email accounts is a clever way of signing into another website. You can have multiple such email IDs. They can either be aliases of your same email ID, or they can be completely separate accounts. You can use these IDs to sign into other websites. In case there is a breach, you can simply close down that email alias or account and use a different one.
Provide minimal information when signing up
When signing up on different websites, make sure you provide the minimum information required for you to access the site. Try not to provide PII or personally identifying information such as phone numbers, credit card details and addresses, unless it is required and the site is a trusted one. You can use your secondary phone number or even fake ones to sign up.
Remember, you cannot always rely on tech giants to keep your data secure. In the end, there’s nothing called the cloud, it’s just someone else’s computer.