You’re probably aware that things you posted online years ago and completely forgot about could come back to haunt you. But it always happens to someone else, doesn’t it? Or does it? An alarming tale comes from a security researcher who started using the internet back in 2001, when routers squeaked and squealed as they got into action and corporate websites were little more than moribund web pages.
At this time, the security researcher joined gaming clans and entered the world of social media with MySpace, engaging with online forums, posting comments and talking with people with similar interests. Back then, security and privacy weren’t much of a consideration.
But the things he posted were still there, 20 years later. This included a username for a particular forum which provided a pathway to all sorts of other information about him and his online habits.
He had a personal email address that had been active for almost 20 years and had been used to sign up for many different websites and online services. But a number of those services ended up being breached by cyber criminals, and information about the accounts was posted online.
Same password, different accounts
- According to HaveIBeenPwned, the 20-year-old email address has been in at least 14 different breaches over the years, exposing linked information including name, online usernames, passwords and more.
- Some of these were huge data breaches that exposed the information of millions of people, such as a 2016 LinkedIn data breach that exposed 164 million email addresses and passwords, and a January 2019 breach, a massive set of leaked and stolen data that contained 773 million usernames and passwords.
This information was used as a jumping-off point to search for his personal data. It was a shock to discover old passwords. In most cases, he knew these passwords had been revealed in breaches and he had made the effort to change each one to a unique new password.
But 10 to 15 years ago he used the same password across multiple different online accounts, which meant if one account was breached, the others were also vulnerable to being hacked. From there he was able to link to another data breach at a website he used in about 2010. This data breach gave away his date of birth and the city he was living in at the time.
Further analysis of the breach even linked it back to an IP address and an internet provider. This was a location he hadn’t lived in for over a decade but it was unnerving to see how information on a website could be used to ultimately help trace the geolocation of where he was at the time.
A fact of online life
- This sensitive information is useful for cyber criminals to build a better picture of targets and to gain as much from them as possible. It gives an attacker two key advantages. First, they gain a better understanding of your life and work, so attacks can be tailored to appear credible.
- The other opportunity is that it offers attackers a chance to understand your 'social network' both on a personal and work front. This can be used by attackers to initially breach a more vulnerable victim in their target's network.
If you're using the internet, it's highly likely that you have at least one personal email address. It's what we use to sign up for various services, and there can potentially be hundreds of those, even if we only use them once before forgetting about them. And that information doesn't go away.
But for most of our information, once it's on the internet, it’s there for good and there's not much we can do about it. As a result, it’s good to understand what information might be out there and to be alert about when your personal data might potentially be abused.
Red flags and simple steps
- If you're aware that your details have been leaked in a breach, you should also be on the lookout for phishing emails. In many cases, leaked emails just get put on spam lists. Many of these are simple to detect: emails claiming you've won gift cards or offering free items.
- But some are crafty and will leverage data breaches to send more targeted phishing emails. For example, if a Bitcoin trading site is the victim of a hack, other attackers can take advantage by sending phishing emails to leaked lists of users, claiming their accounts are at risk. The only problem is that the link in the email will direct you to a webpage designed to steal login details.
- This happens with many different breaches, so it's vital that you treat emails like this with suspicion. It's extremely unlikely that a company will inform you of a breach via email and include a link to log into a webpage. Rather, they are more likely to tell you a breach has occurred and that you need to change your login details. If you receive an email that raises suspicions, it's safer to go to the company website and see what information they have posted, or simply give them a call.
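The link check described in the points above can be automated for mail triage. The following is an added example, not part of the original article: the sample message, its domains and the names `site`, `LinkCollector` and `suspicious_links` are all constructed for illustration, and the two-label domain comparison is a stated simplification.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a fake "breach notice" using reserved example/test domains.
SAMPLE_EMAIL = """\
From: Exchange Security <security@exchange.example.com>
Content-Type: text/html; charset="utf-8"

<a href="https://exchange.example.com.login-verify.test/reset">https://exchange.example.com/reset</a>
<a href="https://help.exchange.example.com/breach-faq">Breach FAQ</a>
"""

def site(host):
    # Assumption: last two labels stand in for a Public Suffix List lookup.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(raw_email):
    msg = message_from_string(raw_email)
    sender_site = site(parseaddr(msg["From"])[1].rpartition("@")[2])
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
        for href, text in collector.links:
            host = urlsplit(href).hostname or ""
            shown = urlsplit(text).hostname if "://" in text else None
            off_site = site(host) != sender_site  # link leaves the claimed sender's domain
            masked = bool(shown) and site(shown) != site(host)  # visible URL hides the real target
            if off_site or masked:
                findings.append({"host": host, "off_site": off_site, "masked": masked})
    return findings
```

The `From` header can itself be forged, so a clean result only means the links are consistent with the claimed sender; going to the company's website directly remains the safer route.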
And of course you should always be using proven antimalware protection as a matter of course. Not only does it protect you from the millions of instances of malware that are always circulating, but it detects malware in phishing emails and also flags suspicious websites and pages, such as those set up by attackers to steal personal information.