ADOTAS — Today we’re featuring reactions from industry leaders to yesterday’s CNNMoney report that 2 million online passwords were stolen in a massive data breach. According to CNNMoney, hackers stole usernames and passwords for nearly two million accounts at Facebook, Google, Twitter, Yahoo and others, as detailed in a report released this week by cybersecurity firm Trustwave.
“The recent theft of 2 million passwords from the most popular social networking sites further illustrates the relentless attack that all of our data is under. While this attack is squarely aimed at individuals with the potential for identity theft as the consequence, the risk is just as real for corporations. How many of us would love it if our Facebook password was the same as the one we use at work? How many of us actually do that? I know of many people that, when given the chance, will make as many of their corporate passwords match their personal passwords as possible. After all, that one is easy to remember and you don’t have to call the computer guys at the office to help you when you forget it. And how much information is on your Twitter feed and Facebook interactions that can point to where you work, what you do at work, and possibly even the password-protected doors that get you into your employer’s systems? It’s not a very big jump to go from an innocuous stolen Facebook password to a major security breach at your employer, through your account. If your employer has good security practices in place and if you’re being a responsible citizen, following the password policies and paying attention to the potential risks of what you share outside of work, you will be much safer.” — Todd Peterson, Product Manager, Dell Software.
“One of the main reactions to this latest news is that we shouldn’t be making 12345 our passwords! Good advice. But what’s really concerning is that this news follows on the heels of the recent Adobe security breach and indicates a much larger issue. Both security breaches highlight that as our lives become more digital thanks to smartphones and tablets, protecting our online identity becomes more and more important. The challenge for the industry is that there is no longer one or two places where consumers need to worry about protecting their passwords and user names. We now use them everywhere. For example, those Facebook credentials are used to log-in to multiple online and mobile services, especially any kind of social service. So a breach in one place can have a big ripple effect across an individual’s entire digital lifestyle.” — David Staas, President, JiWire.
“While I cannot speak to the Twitter situation, in the case of Facebook and Google, when you relax the rules on privacy that they have, data breaches occur. It’s like leaving the door to the candy store open, there will be people who walk in. The time is now for companies to review their privacy and security policies and implement sound changes to protect their users. Don’t tell us, show us that you care about this.” — Sue Duris, President, M4 Communications.
“The revelation that 2 million Facebook, Gmail and Twitter passwords were stolen in a massive data breach is a major PR black eye for the companies involved. With the NSA stories of massive government monitoring still alive, this adds to the narrative that Americans’ privacy online is not protected. It creates a credibility issue for these companies and damages their brand reputation, particularly in customer service. In terms of crisis communications they are not doing enough to assure users that they are addressing the issue and placing safeguards in place so such occurrences will not happen again. It is almost like they hope by not commenting on the issue, it may go away and the public will not be aware of the magnitude of the breach. It is a risky PR strategy especially if the story plays out longer in the media or another breach happens in the near future. They would be smarter to be proactive and get in front of the story.” — David E. Johnson, CEO, Strategic Vision, LLC.
“I think you’ve touched on this previously, but the obvious answer is that privacy does not exist, nor should anyone expect when using public forums that they will remain private in any form. Using a politician, an entertainer and an athlete as examples, they are ‘public’ and anyone on Twitter, Facebook, etc. is also ‘public.’ Generally, unless a person has risky information somewhere, such as financial or other info, being ‘hacked’ is part of life in the 21st century. You can always adopt a tactic such as the one I use: I have no Facebook page, I use an alias when I log in. I have no Twitter account and anyone using Gmail is asking for trouble and will continue to experience problems.” — Christopher Laurance, Independent Marketing and Finance Professional.
“According to the article [on CNN’s website], the account details that were leaked were obtained using keyloggers installed on end users’ computers. No networks were breached in order to obtain the information, which is good on one side, but it is worrisome on the other. This also gives us a pretty good view on the security status of many computers worldwide. I say computers and not home users because malware infects any kind of computer and not only those at home. As we can see, in the end it is not even a matter of price of a security solution because any decent free antivirus solution detects this malware type. It is an awareness problem. People continue to think that ‘this can’t happen exactly to me’ (that is, becoming infected) despite the massive media coverage of the security issues worldwide. Users have to change their thinking, to take IT security seriously and, most important of all, to constantly improve their security. I published a free eBook exactly to help these people to understand the risks and to teach them how to make their accounts and devices more secure (available under www.improve-your-security.org). The other view of this incident is that attackers targeted … Facebook, Google, [and] Twitter. This means that there is value in owning the credentials of these accounts. One may think that there is actually little to no money behind these accounts, but if you think better, there is something which is far more interesting for the cybercriminals: the engine to spread their malware. If they own the credentials to these accounts they can impersonate the owners and spread the malware with a very high rate of success. Fortunately, there is something which the users can do to prevent misuse of their credentials: activate two-factor authentication and location-based control.
If these extra measures are activated, the system would require on login something that only the user has: a code sent to a mobile phone via SMS or a token generated by something. If the location-based control is activated, the system would warn and, depending on the system, even prevent a login from a previously unknown and not authorized location or device.” — Sorin Mustaca, product manager at Avira GmbH and online security expert.