What does it mean if I've been pwned?
Being pwned means that a hacker has your credentials to a Web site that you've once subscribed to. For example, Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. Compromised data: Email addresses, Password hints, Passwords, Usernames.
LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data. Compromised data: Email addresses, Passwords
What can happen if your been pwned?
Blackmailed. Yes actually blackmailed; follow me on this Hollywood screenplay.
Day 1: A particular Web site was hacked; we will call this Web site Alpha. The Alpha Web site had some security holes and a hacker or group of hackers have subscribers email addresses, passwords, and password hints.
Day 2: The hacker sends Alpha's subscribers a phishing emailing tempting them to click. In this example, the phishing attempts are links or hooks to inappropriate adult Web sites. The Subscriber (person that has been pwned) does not click on the link and deletes email.
Day 7: The hacker sends Alpha's subscribers a phishing emailing tempting them to click. The Subscriber (person that has been pwned) does not click on the link and deletes email.
Day 86 The hacker sends Alpha's subscribers a phishing emailing tempting them to click. The Subscriber (person that has been pwned) does not click on the link and deletes email.
Day 211: The hacker sends Alpha's subscribers a phishing emailing tempting them to click. The Subscriber (person that has been pwned) clicks on the email.
Day 212: The hacker is aware you clicked on the phishing link. Remember the link is an inappropriate Web site.
Day 212: The KEY DAY. The hacker sends a message to the subscriber letting them know they are aware of the recent inappropriate Web site you visited. And they give you the password they compromised when they hacked that site you subscribed to.
Key Point: Knowing a previous password is a way of gaining trust that the hackers have something on you and they are legit. The hacker then tells you to send them $3,000 in Crypto currency and they won't send your browsing activities to all your contacts within your contact list.
What should I do if I've been pwned?
Determine if the credentials you used on the site that was hacked is not the same credentials as a banking Web site. This is why banking and non-banking passwords should never be the same. If your banking credentials are the same as the hacked site, change them immediately. Refer to our Blog on New NIST password requirements on our Social Media page.
How to check if you've been pwned?
Go to https://www.haveibeenpwned.com/ then change credentials for any sites that are listed; these are sites you've subscribed to in the past.
Comentarios