By Steve McEvoy, Technology Consultant
Passwords are a pain. You need them when you turn your computer on, open your practice management software, access your email and when you access almost any other Internet service like Gmail, Pandora, Dropbox, Facebook, etc. Keeping track of all of them is a hassle, and it is human nature to look for shortcuts – many people often use the same password for multiple sites.
Hackers are constantly looking for ways to steal information. Information is the new ‘gold’ on the Internet. The mention of ‘hacker’ conjures up images of a mysterious character lurking in a dark room, presumably hard at work trying to guess your username and password to gain access to your information. While this may still be the case in some situations, the hackers are smart folks, and they have moved on to where the real gold is. Rather than hacking us one person at a time, they are going after the websites where all of our collective online information lies.
Do you have an online account with any of these sites? LinkedIn, Yahoo, Dropbox, Adobe, Target, Home Depot, Comcast, Bell, Equifax or Experian? What all these sites (and many others I haven’t listed) have in common is that they were hacked, and some of the valuable information stolen included your username and password for their site. Tens of millions of usernames and passwords have been stolen. The hackers have realized that putting their efforts into breaking into a website yields much more information about you than trying to hack you directly.
How do you know if your username and password was breached?
Can you rely on the hacked website to notify you? Some sites, when they discover they have been hacked, implement a mandatory password change the next time you attempt to access the site. Has this ever happened to you? You log in to a website, and it immediately prompts you to verify your identity and change your password? It did for me a while back when I was using Dropbox. What they didn’t point out was that they had been breached, and for some period of time hackers could have accessed my data.
Can you even rely on the websites to know when they have been hacked? How would they know? It’s not like a traditional crime where you might see the broken window. Companies that aren’t making security a principal focus may be completely unaware of the breach, and your user information for that site might already be out in the wild.
Troy Hunt is a security expert at Microsoft; he’s one of the white hat hackers on our side. He had the great idea to compile a list of all the available hacked accounts he could find. He scoured the ‘dark web’ to get copies of the information being sold by successful hacks (there is a thriving retail market for this, fueled by Bitcoin). He found nearly 5 billion accounts (that’s a B, not an M) from 265 known breaches. Then he created the website “Have I Been Pwned” (www.haveibeenpwned.com). That’s not a typo: “pwned” is a slang online gaming term that roughly means “I own you” or “I conquered you”, just like a hacker may have. His website is free to all. You can go to the site, enter the username that you often use online (for example, most people use their email address) and it will tell you if it knows your username was leaked in one of the breaches it knows about. I tried it with mine and found my information was leaked in the Adobe and Dropbox breaches.
You can also enter a password to see if the password is already in the known hacked password list. In the example shown here, I am testing the password that Invisalign Intraoral scanners use by default. Pwned.
A word of caution. Should we really trust that whoever is behind the website isn’t recording all the passwords tried? What if they get hacked? My advice is to be careful here and NOT test any of your CURRENT passwords that you use where you have precious information kept (like your online bank account password). I know this is counter-intuitive: this is the first password you want to test to see if it’s safe.
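The concern above is exactly why the Pwned Passwords lookup is designed to be used without sending the password at all: the password is hashed locally with SHA-1, only the first five hex characters of the hash are sent to the range endpoint, and the returned list of hash suffixes is matched on your own machine. The code below is an added example, not code from the article or from Have I Been Pwned; the range URL format is the public Pwned Passwords API, the SAMPLE_RANGE_RESPONSE is a constructed stand-in for a real reply, and the count in it is made up.

```python
import hashlib
import urllib.request

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range reply: one "SUFFIX:COUNT" line per leaked hash
# that shares the queried 5-character prefix. Not real API output.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2A8D3C1B4F0E5D6C7B8A9F0E1D2C3B4A5F6:12
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash locally; only the 5-char prefix ever leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """URL that would be fetched: it carries the prefix, not the password."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_ENDPOINT + prefix


def parse_range_response(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' text reply into a suffix -> count lookup."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appeared in known breaches (0 = not found)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(password: str, timeout: float = 10.0) -> str:
    """Live lookup (network); not exercised by the offline sample above."""
    req = urllib.request.Request(range_url(password), headers={"User-Agent": "hibp-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(range_url("password"))
    print("seen in breaches:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

Even with the prefix-only query, the defensive habit from the paragraph above still applies: a password that turns out to be breached should be changed everywhere it was reused, not just on the site where it was checked.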
Remember the bad habit that people have using the same username and password at multiple sites? If that’s you, and the hackers have got your username along with the password when they hacked one of these sites, I can guarantee you that these are the first things they are trying at other websites to see if they can get in (perhaps your bank). If the usernames and passwords are the same, they get immediate access without even needing to take a second guess. It happens all the time.
Consider all this carefully. Check the email you typically use for a user account at HaveIBeenPwned.com. Perhaps check a password you use all the time. If you discover you have been pwned, change your passwords at all the sites that share that username immediately.