The constant battle for Internet security saw another brazen attack this week as Russian hackers published millions of passwords they collected after hacking the professional-networking site LinkedIn.
Then, hours later, dating site eHarmony announced that a "small fraction" of its users — others were saying 1.5 million — were compromised by a similar attack. Security professionals suspect the same hackers may have done it.
"That’s what we think," said Graham Cluley, a senior technology consultant with Sophos Security. "It was shared in the same places. The content is very similar. And the timing. All of these factors just make it seem like too much to be a coincidence."
It’s enough to make some Web users throw up their hands. If the sites we use on a daily basis can’t keep our password data secure, how are we supposed to keep ourselves safe?
But security experts say there are still plenty of steps we can take (even if too many people aren’t following them).
How to check if your password was stolen
Password-management firm LastPass has released a secure tool to see if your password was among the more than 6 million stolen from LinkedIn. LastPass created a similar tool for people worried about the security of their eHarmony accounts.
Your password still matters
Even in cases such as the LinkedIn breach, when it’s a website, not a personal account, that’s being hacked, the strength of your password can still help keep you safe.
On sites such as LinkedIn, stored passwords are "hashed": instead of keeping the password itself, the site stores the output of a one-way cryptographic hash function run over it. A hash can't be reversed, so even if hackers get the data, they still have to crack it, guessing candidate passwords, hashing each guess and looking for matches, before the passwords are useful to them.
"Don’t give up. Don’t think this is all futile," Cluley said. "Choose a long, hard-to-crack, unique password. Not dictionary words. Not a sequence of numbers — use something that basically looks like gobbledygook. Those will be tougher for the bad guys to crack."
In the case of LinkedIn, there are reports that as many as 60% of the stolen password hashes have already been cracked, raising questions about the strength of its security system. The leaked hashes were unsalted SHA-1, so a single guess could be checked against every one of the 6 million hashes at once, and passwords made from dictionary words or simple patterns fell first.
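To make the two points above concrete, the cracking step and the "was my password in the dump?" check, here is an added Python example that is not part of the article or of any tool from LastPass, Sophos or LinkedIn. It builds a constructed, made-up set of unsalted SHA-1 hashes standing in for a leak, runs a small wordlist with the usual capitalisation and suffix variations against it, and shows that the dictionary-based passwords fall while a long random one does not. The wordlist, the sample passwords and the helper names are all assumptions for the demonstration.

```python
import hashlib
import secrets
import string

# Constructed sample data: a tiny stand-in for a leaked dump of unsalted SHA-1
# password hashes (hash only, no usernames). These are made-up passwords,
# not entries from the LinkedIn or eHarmony data.
def sha1_hex(password: str) -> str:
    """Hash a password the way an unsalted-SHA-1 site would store it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

STRONG_PASSWORD = "gV7#wq2!LmZ9pT4r"   # long, random-looking, not in any wordlist

LEAKED_HASHES = {
    sha1_hex("password"),        # plain dictionary word
    sha1_hex("Sunshine1"),       # capitalised word plus a digit
    sha1_hex("linkedin123"),     # site name plus a number sequence
    sha1_hex(STRONG_PASSWORD),   # the kind of password Cluley recommends
}

# A small attacker wordlist (assumed); real ones run to hundreds of millions.
WORDLIST = ["password", "linkedin", "letmein", "qwerty", "sunshine", "monkey"]

def candidates(wordlist):
    """Yield each base word plus the cheap variations crackers try first:
    capitalisation changes and common numeric or symbol suffixes."""
    suffixes = ["", "1", "12", "123", "!", "2012"]
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for s in suffixes:
                yield base + s

def crack(leaked, wordlist):
    """Dictionary attack against unsalted hashes: each guess is hashed once and
    looked up against every leaked hash at the same time, so the cost does not
    grow with the number of accounts. Returns {hash: recovered password}."""
    recovered = {}
    for guess in candidates(wordlist):
        h = sha1_hex(guess)
        if h in leaked and h not in recovered:
            recovered[h] = guess
    return recovered

def was_leaked(password, leaked):
    """Local version of the 'was my password stolen?' check: hash the password
    exactly as the breached site did and test membership in the dump."""
    return sha1_hex(password) in leaked

def random_password(length=16):
    """The 'gobbledygook' option: a cryptographically random password drawn
    from letters, digits and punctuation, meant to live in a password manager."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    found = crack(LEAKED_HASHES, WORDLIST)
    print(f"cracked {len(found)} of {len(LEAKED_HASHES)} hashes:")
    for h, pw in found.items():
        print(f"  {h[:12]}...  {pw!r}")
    print("strong password cracked?", sha1_hex(STRONG_PASSWORD) in found)
    print("strong password in dump?", was_leaked(STRONG_PASSWORD, LEAKED_HASHES))
```

Three of the four constructed hashes are recovered from a six-word list once suffixes and capitalisation are tried; the random password is present in the dump (so `was_leaked` reports it) but is never guessed. That is the whole argument of this section in miniature: the hash protects you only as long as nobody can guess the input, and a per-site random password from a manager is what makes the guess fail.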
Be careful of post-hack e-mails
When there’s a well-publicized security incident on a well-known website, online crooks are more than happy to pile on.
In the wake of the LinkedIn hack, security professionals were already reporting incidents of users receiving "phishing" attempts — e-mails that look like official communications from LinkedIn. Instead, these messages try to get users to reveal personal data that identity thieves could use, or they include links that, when clicked, can install malware on an unsuspecting user's computer.
"We are investigating the exact details but in the meantime please DO NOT CLICK on links in email to change or verify account information, at LinkedIn.com or on any other membership site," Cameron Camp of ESET Smart Security wrote on the company’s blog. "Instead, navigate to the site directly by typing in the address bar in your browser."
Use different passwords for different sites
Cluley notes that the hackers who attacked LinkedIn and eHarmony may not have even been interested in information from those sites.
In many cases, they’ll be trying to use the passwords they find on other sites and accounts. Many banks require additional information to log in. But accounts such as Amazon, eBay and PayPal, for example, could be compromised if the user has one password across multiple sites.
"If you get hacked in one place, you get hacked everywhere," he said.
Lots of folks complain about how hard it is to remember multiple passwords. But password managers, several of them free, will store and fill them for you. Cluley mentioned several, including KeePass, 1Password and LastPass.
Cluley recommends those tools over letting your Web browser store passwords for you, because there have been cases of security flaws in some browsers that hackers have exploited to access the stored user data.