In mid-January 2019 it became widely known that vast collections of login credentials for e-mail accounts had been posted on the internet. Taken together, Collections #1-5 contain around 2.1 billion different e-mail addresses together with passwords. The collections have since been made available to anyone on file-sharing platforms.
Collections #1-5 gather data from many earlier breaches and sort it into categories, for instance breaches of cloud services, job sites, online games and shopping sites. Much of this data had been circulating before, but never as a single collection of this size and never categorized this carefully. It is important to note that the data came from breaches of companies and service providers, not from attacks on individual users, so users are not to blame for it ending up on the internet. How far the data can be exploited, however, depends largely on the users' own behaviour and on companies adopting sound password policies.
What are the concrete dangers of these hacks?
The sheer volume of Collections #1-5 is a danger in itself: billions of e-mail accounts are listed, so a very large number of people are affected.
In the best case for those affected, only the e-mail address is known and spam is probably the only nuisance. The situation is completely different if the password for the e-mail account is known as well. All private correspondence can then be read, and everything stored in the mailbox can be exploited, for example clues about which other online services the person uses, such as social media or shopping sites. Since most of those services send their password-reset links to the e-mail address on file, control of the mailbox is usually enough to take over those other accounts too.
Here the user's own behaviour is often a major part of the danger: passwords are frequently too weak, rarely (if ever) changed, and reused across several accounts. As a result, once the password for one account leaks it can be tried against other accounts as well. Attackers automate this at scale, replaying leaked e-mail/password pairs against many sites; this is known as credential stuffing, and collections like these are exactly the input it needs.
Attackers know this and exploit it without hesitation. It becomes particularly dangerous when personal information such as credit card data is stored in those accounts; credit card fraud and blackmail with illegally obtained personal data are common follow-on crimes. In general, anyone who uses their e-mail address as a login name on the internet is exposed to this kind of attack.
How can users protect themselves from these risks?
The most important measure is to choose a good password, and most good services now give feedback on password strength as you type it. A password is stronger if its characters are chosen at random and, above all, if it is long; length adds more security than swapping a few letters for symbols. It is equally important to use a different password for every single website (every online service you are registered with) and to change a password regularly, and in any case immediately when it may have leaked. Current guidance such as NIST SP 800-63B puts the weight on the unique, random password and on changing it after a suspected compromise rather than on a fixed rotation schedule, which tends to produce predictable variations of the old password. Since keeping track of passwords becomes confusing with many accounts, experts recommend a password manager, preferably one whose database is stored locally on your own computer rather than in the cloud. Another layer of protection is a second factor in addition to the password. Unfortunately this so-called two-factor authentication is still far from being supported by all online services. A newer approach allows two communication partners to exchange a password once and never again; we describe it later in this post.
What should those affected by Collections #1-5 do?
Anyone who suspects they are affected by Collections #1-5 can check online: both the Identity Leak Checker of the Hasso Plattner Institute (HPI) in Germany and Troy Hunt's Have I Been Pwned offer this service. People whose e-mail address appears in the collections should change their passwords immediately, not just for the e-mail account but for every online service they are registered with, starting with the e-mail account itself, since it is the recovery channel for all the others. In some cases it is advisable to set up a new e-mail address to escape the spam; that is not trivial, but worthwhile.
Would this have happened with Cryptshare?
Unlike an e-mail account, Cryptshare offers no central account to attack. In Cryptshare an e-mail address serves to verify the sender and to reach the respective recipient; as a solution for the secure and easy exchange of data it does not use e-mail accounts at all. There is therefore no mailbox that holds all information in consolidated, readable form and that can be opened simply by knowing the e-mail address and cracking its password. The e-mail address is used only to determine whether a transfer may be executed under the existing licences. Each transfer is encrypted individually and can be protected with its own password.
Since the password is not sent to the recipient by e-mail but over a separate channel (for instance by phone or SMS), which is a good principle in general, only the intended recipient knows it. Even if, in the worst case, an attacker gained access to the Cryptshare server, every transfer stored there is encrypted individually and the passwords are not stored with them. The strength of that protection then rests on the transfer passwords themselves: a short or guessable password on an individually encrypted transfer can still be brute-forced offline from a copied ciphertext, so the rules on password strength given above apply here as well.
QUICK Technology, which Cryptshare will launch in the spring, aims to make password management both easy and secure: once activated, it encrypts all communication between two partners without them ever having to exchange passwords manually again. Encryption and decryption run in the background; after the initial activation, users can e-mail each other without having to think about it. In this way QUICK Technology removes the most common human errors in password handling, a key factor in avoiding security breaches.
What conclusions should be drawn from Collections #1-5?
Events such as Collections #1-5 will happen again. Bad actors can process ever larger amounts of data, and breached data is rarely deleted; it is kept and recombined even when it is no longer actively used. The concept of an e-mail account whose single password grants access to all data and correspondence should be reconsidered. The past has shown all too often how vulnerable this approach is, and how easily ordinary e-mail and its contents can be abused to obtain valuable information for illegal purposes. It is therefore more important than ever for users to rethink their behaviour regarding e-mail security and passwords. A few simple steps make a real difference in protecting yourself from such breaches and their consequences.