Question-and-answer site Quora announced a data breach that affected about 100 million user accounts. The compromised information included names, email addresses, and passwords, which Quora says were stored in hashed ("encrypted") form rather than in the clear. Anyone who posted on Quora anonymously, without an account, does not need to worry about their name getting "out there": Quora says it does not store the identities of anonymous posters.

Names, email addresses, and Quora passwords might not seem like a big deal to some users. After all, the company discovered the breach on November 30, has already begun issuing notification letters, and has forced a reset of every account password, so everything should be fine.

Unless you are one of the remarkably many people, 52 percent in fact, who reuse the same password on multiple websites.

For years, security researchers have tracked the most commonly used passwords and found absurdly simple ones at the top of every list: "password," "123456," and "qwerty," to name a few. But password strength, or the lack of it, isn't really the problem in this case.

With the Quora breach, it doesn't matter how strong your password is, say "h2E9Nb17LW." If you reuse that password on any other website, the attackers who hold your Quora email address and password hash can, once they recover the password from it, try the same pair on every other site, a technique known as credential stuffing. Hopefully your online banking, credit card, PayPal, Amazon, and other vital accounts aren't protected by those same credentials.

This incident, and the many others that expose only login credentials, can be mistaken for "not a big deal," but the reality is the opposite. Users who reuse credentials leave themselves open to takeover of their other accounts and to identity theft. It is essential to use a strong password for every account, and equally important to use each one for exactly one account; a password manager is what makes that practical.



The term "data breach" is a catch-all for any event in which someone entrusted with information, usually about large groups of people such as customers or patients, allows that information to be exposed. Some breaches are the work of highly skilled attackers who compromise a billion email accounts at once; others are as mundane as an electrician leaving a work phone behind on a job site, exposing customers' details.

However, no matter how it happened, who was at fault, or what was exposed, every data breach is serious: each carries the potential for someone to misuse the information and harm others.

A recently reported data breach of the United States Postal Service's website appears to have been accidental, but since about 60 million users' information was exposed for at least a year, there is no telling what damage could occur, or has already occurred.

The breach involves the website's API, or application programming interface: the set of endpoints and parameters through which software (and, through it, users) reads and changes data held by the site. The API belonged to the USPS "Informed Visibility" mail tracking and reporting service, and that is where the weakness was found. Anyone who can reach the tracking service can call its API, so a hole in the service's checks is a hole in everything the API can reach.

Here is what the security researcher found: the API was effectively left "unlocked." It checked that a caller was logged in, but not which records that caller was entitled to see, so anyone with an account could change the search parameters and retrieve other users' account details, and in some cases modify them. This class of flaw is known as an insecure direct object reference, or broken object-level authorization: authentication without authorization.

Think of it this way: pretend you went to a major retailer's website to look up a pair of socks you ordered two years ago. You open your order history, type in your name and ZIP code, and your orders appear. Now pretend you could simply change the ZIP code, the last name, the city, or the street address, and the site would show you every order ever placed by everyone matching the new value. What would you do with all of that?

That is essentially what happened here, and the breach has a few particularly unfortunate aspects. First, the data was never properly protected in the first place; it was only a matter of time before someone tried varying the search parameters. Second, USPS had reportedly been informed of the problem about a year earlier. The person who reported it then contacted Krebs on Security to say the matter was still unresolved, and Brian Krebs reached out to the Postal Service; only after that contact did USPS fix the flaw.
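To make the failure concrete, here is an added example in Python (not USPS code, and not taken from the Krebs report): a miniature search-and-update API in the pattern described above, first with the authorization check missing and then with it in place. The account table, field names and the "*" wildcard convention are constructed for illustration.

```python
"""Added example (not USPS code): an API that trusts caller-supplied search filters
versus one that scopes every query and update to the logged-in account.
Account numbers, fields and rows are constructed for illustration."""


def fresh_db() -> dict:
    """Constructed stand-in for the tracking service's account table."""
    return {
        101: {"email": "alice@example.com", "street": "12 Oak St", "zip_code": "20001"},
        102: {"email": "bob@example.com", "street": "9 Elm Ave", "zip_code": "20001"},
        103: {"email": "carol@example.com", "street": "77 Pine Rd", "zip_code": "94110"},
    }


def _matches(row: dict, filters: dict) -> bool:
    """Field-by-field match; '*' means 'any value', which turns a lookup into a dump."""
    return all(v == "*" or row.get(k) == v for k, v in filters.items())


def search_vulnerable(caller_id: int, filters: dict, db: dict) -> list:
    """Authentication without authorization: caller_id is known but never applied,
    so any logged-in user can enumerate other accounts (broken object-level authorization)."""
    _ = caller_id  # verified at login, then ignored
    return sorted(aid for aid, row in db.items() if _matches(row, filters))


ALLOWED_FILTERS = {"zip_code", "street"}


def search_hardened(caller_id: int, filters: dict, db: dict) -> list:
    """Reject unknown fields and wildcards, then intersect with ownership server-side."""
    unknown = set(filters) - ALLOWED_FILTERS
    if unknown:
        raise ValueError(f"unsupported filter(s): {sorted(unknown)}")
    if "*" in filters.values():
        raise ValueError("wildcards are not permitted")
    return sorted(aid for aid, row in db.items()
                  if aid == caller_id and _matches(row, filters))


def update_email_vulnerable(caller_id: int, target_id: int, new_email: str, db: dict) -> bool:
    """Any authenticated caller can change any account's contact email."""
    _ = caller_id
    db[target_id]["email"] = new_email
    return True


def update_email_hardened(caller_id: int, target_id: int, new_email: str, db: dict) -> bool:
    """A write is allowed only on the caller's own row; anything else is a 403-style error."""
    if target_id != caller_id:
        raise PermissionError("account does not belong to caller")
    db[target_id]["email"] = new_email
    return True


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, same ZIP:", search_vulnerable(101, {"zip_code": "20001"}, db))
    print("vulnerable, wildcard:", search_vulnerable(101, {"zip_code": "*"}, db))
    print("hardened, same ZIP:  ", search_hardened(101, {"zip_code": "20001"}, db))
```

The fix is not "validate the input harder"; it is that the server, not the caller, decides which rows a request may touch, and it decides that on every read and every write.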

This certainly isn't the first time a government agency has suffered a data breach: the Office of Personnel Management (reported in June 2015) and the U.S. State Department (reported in September 2018), for example, have both endured exposures of sensitive personal information. That doesn't make things any easier for the consumers who now need to monitor their USPS accounts and make sure nothing out of the ordinary has taken place.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.



A recent discovery on an internal message board may be a little unsettling. According to Politico, which found the internal memo and first reported the incident, the U.S. State Department's unclassified email system suffered a data breach. The event affected only about one percent of the department's 69,000 employees, and the classified email system was not involved, but the State Department acknowledges that the affected employees' personally identifiable information may have been compromised.

Events like this one are happening with alarming regularity across every kind of business and agency, producing record-setting year-over-year counts of data breaches and compromised consumer records. While the State Department's investigation is still underway, the internal memo did cite the need for better password security among employees.

Password security plagues users at every level and in every industry. There are websites that track the most commonly used passwords, harvested from data breaches and stolen account credentials, and unsurprisingly "password," "qwerty," and "12345678" still top the lists. A weak, easily guessed password isn't the only issue; reusing passwords across accounts leads to fraudulent access too. If an attacker obtains a database of stolen social media logins, they can try those same usernames and passwords on every other service and walk into any account where they were reused.

The U.S. government has been urged to take extra precautions with cybersecurity, largely because of the fallout from, and the legislation that followed, the Office of Personnel Management breach that began in 2014 and continued into 2015. Millions of government employees' complete identities were stolen, along with identifying information about people connected to them (family members, former employers, and the like).

That event led to the Federal Cybersecurity Enhancement Act, signed into law in 2015, which required federal agencies to take more preventive action against cybercrime and to report on the steps they took. Unfortunately, those measures have not been implemented across the board. Several U.S. senators sent a letter to Secretary of State Mike Pompeo earlier this month expressing their disappointment that the department has not followed through on enough of the recommended security measures.



Not long ago, the IRS was reportedly issuing billions of dollars each year in fraudulent tax refunds on returns filed by identity thieves. Thankfully, better information and new regulations have already produced improvements. That doesn't mean there isn't still a long way to go in fighting tax refund fraud.

One of the chief issues the agency faces is simply the sheer volume of compromised taxpayer records floating around, available for identity thieves to buy and use. Record-setting numbers of data breaches have exposed hundreds of millions of consumer records, ready to be used by the original thieves or by those who buy them online.

Part of the effort to stem fraudulent refunds has meant slowing the process down significantly. Everyone wants a speedy refund deposited automatically into their bank account, but that level of efficiency also makes it easier for thieves to get to your money first. By automatically flagging certain returns for review, especially those claiming commonly used credits such as those for dependent children or child care expenses, the agency hopes to block even more phony refunds.

At the same time, the IRS is taking a close look at its own mechanisms, namely its websites and taxpayer-facing portals. The internet's anonymity makes this kind of fraud easier, and by locking down its sites with stronger verification of taxpayer identity, the IRS hopes to stop even more of it.



There are many ways data breaches occur: some are accidental, others are "inside jobs" by people within the company. Some rely on social engineering, such as getting you to install malware on your computer or click a link to a malicious site. Still others are the work of highly skilled criminals who infiltrate a network and steal information outright.

What all of them have in common is a duty to report. Depending on the applicable laws, a company that suffers a breach must notify the affected individuals and, if it is publicly traded, may be required to disclose the incident in a filing with the Securities and Exchange Commission. If the breach exposed highly sensitive personally identifiable information (such as Social Security numbers), the company may also be responsible for providing extended protections such as credit or identity monitoring.

Chegg, an online tutoring and textbook rental service, discovered a data breach last month, but its investigation showed the intrusion had actually begun in April of this year. The company has no reason to believe sensitive PII or credit card numbers were exposed, so what victims have to worry about is their login credentials.

Why? If you have reused your username and password on other accounts, an attacker who recovers that password now has a ready-made key to all of them. Chegg has said the passwords were hashed rather than stored in the clear, but how much protection that offers depends on the hashing scheme: a fast, unsalted hash such as MD5 or SHA-1 can be reversed for many real-world passwords in minutes with a wordlist and a GPU, whereas a slow, salted scheme such as bcrypt or PBKDF2 makes each guess expensive. "Hashed" by itself is not a guarantee of safety.
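The following added Python example (not Quora's or Chegg's code) shows both halves of the problem: a dump of fast, unsalted hashes is cracked with a single precomputed table, a salted PBKDF2 store forces per-user work for every guess, and a password recovered from the weak site logs straight into the strong one where it was reused. The users, passwords, wordlist and salts are constructed; the hashing calls are Python's standard library. It serves this passage and the Quora discussion earlier on the page.

```python
"""Added example (not Quora's or Chegg's code): why a dump of 'hashed' passwords may
still yield plaintext, and how reuse turns one breach into logins elsewhere.
Wordlist, users, passwords and salts are constructed; the hashing calls are real."""
import hashlib
import hmac
import os

# Constructed wordlist: the head of what a cracker tries first.
WORDLIST = ["password", "123456", "qwerty", "letmein", "h2E9Nb17LW", "Welcome1"]


def sha1_unsalted(password: str) -> str:
    """Fast, unsalted digest: the storage pattern that makes breach dumps cheap to crack."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Slow, salted digest stored in a self-describing 'algo$iterations$salt$digest' form."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(dump: dict, wordlist=WORDLIST) -> dict:
    """One table of len(wordlist) digests cracks every user in the dump: no salt, no per-user work."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in dump.items() if h in table}


def crack_salted(dump: dict, wordlist=WORDLIST) -> tuple:
    """With a per-user salt every (user, guess) pair costs a full PBKDF2 run; returns (hits, runs)."""
    hits, runs = {}, 0
    for user, stored in dump.items():
        for guess in wordlist:
            runs += 1
            if verify_pbkdf2(guess, stored):
                hits[user] = guess
                break
    return hits, runs


def stuff_credentials(cracked: dict, target_db: dict) -> list:
    """Credential stuffing: replay plaintexts recovered from one site against another site's login."""
    return sorted(u for u, pw in cracked.items()
                  if u in target_db and verify_pbkdf2(pw, target_db[u]))


def demo() -> dict:
    # Site A (breached) stored bare SHA-1; two of three users chose passwords on the list.
    site_a = {"alice@example.com": sha1_unsalted("h2E9Nb17LW"),
              "bob@example.com": sha1_unsalted("123456"),
              "carol@example.com": sha1_unsalted("correct horse battery staple")}
    # Site C stores salted PBKDF2 properly, but Alice reused her Site A password there.
    site_c = {"alice@example.com": pbkdf2_salted("h2E9Nb17LW", os.urandom(16), 20_000),
              "bob@example.com": pbkdf2_salted("different-one", os.urandom(16), 20_000)}
    cracked = crack_unsalted(site_a)
    return {"cracked_from_a": cracked,
            "logins_on_c_via_reuse": stuff_credentials(cracked, site_c),
            "direct_crack_of_c": crack_salted(site_c)}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)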

Just to be safe, Chegg reset all user passwords to head off further damage. Because the attackers did obtain customers' names, shipping addresses, and email addresses, users should be on the lookout for an uptick in spam, scams, or phishing messages that appear to come from Chegg or its partners.



Today, Facebook announced a recently discovered security breach that exploited a vulnerability in the platform's code. The "View As" feature, which lets users see their own profile the way others see it, without the extra sidebar controls for managing your own timeline, contained a flaw that let attackers obtain access tokens for around 50 million accounts.

Facebook first closed the vulnerability and reset the access tokens of the 50 million affected accounts, which forced those users to log back in. It then reset the tokens of a further 40 million accounts that showed no sign of having been affected but had been the subject of a View As lookup during the past year.

Facebook also turned off the View As feature until it can be secured against further abuse.

According to a report about the incident from Facebook, “Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Whether or not you hear anything official from the company, there are steps you should take. First, change your password; do it now, and again whenever a service you use reports a breach. Any apps you have connected to Facebook (you have done this if you can log into them with your Facebook account) will need to be reauthorized; it is a good idea to change your password on those services if they have one, and to revoke the connection in your Facebook app settings if you no longer use it. Then, in your security settings, review the list of devices where you are logged in and log out of all of them, so that no one with bad intentions is still sitting in your account.

Finally, in this case, changing your password and logging out everywhere matters because it invalidates the existing session tokens on your devices; a token that fell into an attacker's hands stops working and can no longer be used to reach the personal information in your profile. Periodic checks of your privacy and security settings will keep you a step ahead of identity thieves.
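Here is an added Python example (not Facebook's code) of the server-side mechanism that makes those two steps effective: each access token carries the session generation it was issued under, and a password change or "log out of all devices" bumps the account's generation, so every earlier token, stolen or not, stops validating. The signing key, token layout and user names are constructed.

```python
"""Added example (not Facebook's code): HMAC-signed access tokens bound to a per-account
session generation, so a password change or 'log out everywhere' revokes stolen tokens.
The signing key, token format and users are constructed for illustration."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed; a real service loads this from a secret store


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, generation: int, now: int, ttl: int = 3600) -> str:
    """Token = user | session generation at issue time | expiry | HMAC over those fields."""
    payload = f"{user}|{generation}|{now + ttl}"
    return f"{payload}|{_sign(payload)}"


def validate_token(token: str, generations: dict, now: int):
    """Return the user the token belongs to, or None if it is forged, expired or revoked."""
    try:
        user, gen, exp, sig = token.split("|")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{user}|{gen}|{exp}")):
        return None                          # tampered with or signed under another key
    if now >= int(exp):
        return None                          # expired
    if generations.get(user) != int(gen):
        return None                          # issued before a password change / logout-all
    return user


def revoke_all_sessions(generations: dict, user: str) -> int:
    """Called on password change and on 'log out of all devices': every existing token dies."""
    generations[user] = generations.get(user, 0) + 1
    return generations[user]


def stolen_token_scenario() -> dict:
    generations = {"victim": 0}
    stolen = issue_token("victim", generations["victim"], now=1_000)
    still_valid = validate_token(stolen, generations, now=1_500)
    revoke_all_sessions(generations, "victim")   # victim changes password / logs out everywhere
    after_revoke = validate_token(stolen, generations, now=1_500)
    fresh = issue_token("victim", generations["victim"], now=1_500)
    return {"stolen_before": still_valid,
            "stolen_after": after_revoke,
            "fresh_after": validate_token(fresh, generations, now=1_600)}


if __name__ == "__main__":
    print(stolen_token_scenario())
```

Expiry alone would not have helped here, since a long-lived token is exactly what keeps you logged in between visits; the generation check is what lets the user (or the provider, as Facebook did) kill every outstanding token at once.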



With all of the high-tech hacking, malware attacks that cripple entire networks, and new ways to steal or fabricate someone's complete identity, it is easy to forget that some of yesterday's problems are still problems today.

On Aug. 16, a data breach was discovered affecting multiple Cheddar's Scratch Kitchen restaurants in numerous states. Investigators believe the attacker first gained access in early November 2017 and retained it through Jan. 2. More than 500,000 payment cards were compromised.

The company has sent notification letters to the victims and offered identity monitoring to affected customers. It also replaced its payment card system in April of this year, but still advises all customers to monitor their accounts closely for any sign of suspicious activity.

This incident clearly demonstrates that "old-fashioned" methods of stealing identifying and financial information are still out there, even when they are overshadowed by larger, headline-grabbing events. Even older tactics like dumpster diving for your junk mail or health insurance statements can lead to identity theft, if on a much smaller scale than a breach like this one.

To help minimize the risks associated with this kind of incident, there are steps that consumers can take:

1. Enable alerts on your payment cards. If your financial institution offers it, set up text or email alerts for any transaction where the physical card is not presented. If your card number is stolen in a breach like this one, you will know the moment someone uses it. One person who contacted the Identity Theft Resource Center was on her child's school trip when she received such an alert; a quick call to her credit card company showed that someone had used her account number to buy several iPhones at a cellular store. The transaction was promptly canceled and a new card sent to the victim.

2. Monitor your accounts closely. Even a quick look at your account statements on a regular basis (something you can do online or on your mobile device) keeps you on top of any unusual activity.

3. Place a credit freeze. This event compromised only payment card numbers, but in this climate of record-setting breaches, some consumers are opting for preventive credit freezes, which block new accounts from being opened with your identifying information. New federal legislation taking effect next month removes the fees for freezing and unfreezing your credit. If more sensitive information is stolen in some other breach, you will be better prepared to fend off identity theft and fraud.



For quite some time, Social Security numbers have been called the "Holy Grail" of personally identifiable information. With your SSN and a few other key data points, an identity thief can open new lines of credit and run up bills for years to come; if you discover a fraudulent card and cancel it, they simply open another.

In many past breaches, it was almost a relief to learn that the victims' SSNs had not been compromised. That may no longer be the comfort it once was.

As a newly announced breach of T-Mobile's network shows, phone numbers are a hot commodity for attackers. The intruders made off with names, email addresses, some account passwords, account numbers, and phone numbers for affected customers. The carrier discovered the incident on Aug. 20 and shut down the attackers' access, then began investigating and sending notification letters to affected customers.

You might think a thief can't do much with this information, but that's not true. With just the data compromised here, an identity thief can attempt a "SIM swap": convincing the carrier to port the victim's phone number to a SIM card the thief controls, installing it in a handset, and from there reaching any account the victim has tied to that number.

For example, a thief can get into your email, Amazon, online banking, or PayPal account by requesting a password reset and having the code sent to the phone number on file, and SMS-based two-factor authentication offers no protection, because the thief now receives your text messages. They collect the one-time verification code and use it to change your password on every account where you have registered that phone number.
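The added Python example below (not T-Mobile's or any account provider's code) models the difference: a reset code texted to the number on file is delivered to whoever the carrier currently maps that number to, so after a SIM swap the attacker completes the reset, whereas a code from an authenticator app is computed from a secret that stayed on the victim's device. The carrier, phone number, inboxes and account records are constructed; hotp() and totp() implement RFC 4226 and RFC 6238 (HMAC-SHA1) and can be checked against those RFCs' published test vectors.

```python
"""Added example (not T-Mobile's or any provider's code): an SMS reset code follows the
phone number, so a SIM swap hands it to the attacker; a TOTP code does not.
Carrier model, numbers, inboxes and accounts are constructed; hotp/totp follow RFC 4226/6238."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: dynamic truncation of HMAC-SHA1(secret, 8-byte big-endian counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the 30-second time counter."""
    return hotp(secret, unix_time // step, digits)


class Carrier:
    """Constructed carrier: number -> current SIM holder. A SIM swap just rewrites the mapping."""

    def __init__(self):
        self.holder_of = {}
        self.inbox = {}

    def activate_sim(self, number: str, holder: str) -> None:
        self.holder_of[number] = holder

    def send_sms(self, number: str, text: str) -> str:
        holder = self.holder_of[number]
        self.inbox.setdefault(holder, []).append(text)
        return holder


def start_sms_reset(carrier: Carrier, account: dict) -> str:
    """Generate a one-time code and text it to the number on file; returns who received it."""
    account["sms_code"] = "".join(secrets.choice("0123456789") for _ in range(6))
    return carrier.send_sms(account["phone"], account["sms_code"])


def finish_sms_reset(account: dict, submitted: str) -> bool:
    return hmac.compare_digest(account.get("sms_code", ""), submitted)


def finish_totp_reset(account: dict, submitted: str, now: int) -> bool:
    """Accept the current 30-second window only (real deployments usually allow +/-1 step)."""
    return hmac.compare_digest(totp(account["totp_secret"], now), submitted)


def sim_swap_scenario(now: int = 59) -> dict:
    carrier = Carrier()
    carrier.activate_sim("+15555550100", "victim")
    account = {"phone": "+15555550100", "totp_secret": b"12345678901234567890"}

    before = start_sms_reset(carrier, account)          # code lands with the victim

    carrier.activate_sim("+15555550100", "attacker")    # social-engineered SIM swap
    after = start_sms_reset(carrier, account)           # same number, attacker's handset
    stolen_code = carrier.inbox["attacker"][-1]

    real_totp = totp(account["totp_secret"], now)
    attacker_guess = "000000" if real_totp != "000000" else "000001"
    return {
        "sms_code_before_swap_went_to": before,
        "sms_code_after_swap_went_to": after,
        "attacker_completes_sms_reset": finish_sms_reset(account, stolen_code),
        "attacker_completes_totp_reset": finish_totp_reset(account, attacker_guess, now),
        "victim_completes_totp_reset": finish_totp_reset(account, real_totp, now),
    }


if __name__ == "__main__":
    for label, result in sim_swap_scenario().items():
        print(label, result)
```

Nothing in the SMS path is cryptographically wrong; the weakness is that "possession of the phone number" is decided by the carrier's records, which the attacker has just rewritten. The TOTP path binds the factor to a secret the carrier never sees.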

T-Mobile has begun notifying victims with some key instructions, chiefly to change the passwords on their T-Mobile accounts. It is also a good idea to change the passwords on any other sensitive accounts, to move two-factor authentication from SMS to an authenticator app wherever a service allows it, and to watch for unusual activity: notifications of logins from new devices, messages from account providers about suspicious activity, unexpected deductions from financial accounts, and the like.



Identity Theft Resource Center® Sees Major Consumer Impacts One Year After the Equifax Breach.

For decades, consumers have been told to monitor their credit reports as a way to stay on top of their identities and to maintain general financial well-being.

The sources of those reports are the three major credit reporting agencies: TransUnion, Experian, and Equifax. As keepers of your credit history, they hold up-to-date records of the financial activity tied to your identity, along with the identifiers needed to match that activity to you.

That makes them a major target, as Equifax learned. A breach of its servers was discovered on July 29, 2017, and the complete identities of more than 148 million U.S. consumers were stolen: names, birthdates, Social Security numbers, and more.

In addition, Equifax has said that hundreds of thousands of credit card numbers were stolen, along with credit dispute documents containing sensitive personally identifiable information.

ITRC's report, The Aftermath: Equifax One Year Later, found that nearly 90 percent of respondents reported adverse feelings or emotions as a result of the breach, beyond its financial impacts.

The next step is for Equifax to notify the victims by mail. Since the stolen data contains everything a thief needs to steal someone's identity, Equifax will presumably offer credit monitoring to victims, though that remains to be seen.

Should consumers receive a notification letter, it’s important that they take the following steps:

  1. Read the letter carefully and determine what information was compromised. If it is just your credit card number, a phone call to your financial institution may fix it; if more invasive information was exposed, further action may be necessary.
  2. If you’re offered credit monitoring service as part of this or any data breach, do not disregard the letter. That offer indicates that your most sensitive information is believed to have been put at risk. Typically, offers of credit monitoring span one to two years and that can give you a lot of peace of mind following the breach.
  3. Save the notification letter somewhere safe. It is not a legal document, but it can serve as evidence that your identity was compromised if someone ever uses your information fraudulently.

As a consumer, you are entitled to one free credit report each year from each of the three agencies, so stay on top of your reports for the foreseeable future. If your complete identity was stolen, there is a very real chance that new accounts and lines of credit can be opened in your name at any time. Monitoring your credit is a good idea anyway, and a necessity once your data has been stolen.



When new technology arrives, it may take years or only days for a skilled hacker to find a way in. With luck, the person who does is a "white hat," someone whose expert skills go toward stopping criminal activity rather than profiting from it.

When security researcher Ryan Stevenson probed Comcast's Xfinity customer portal, getting in turned out to be frighteningly easy. One flaw let him pair an IP address (the numeric address that identifies a connection on the internet, and something readily obtainable) with the portal's in-home authentication feature, which lets customers pay their bill on the provider's site without signing in; the feature then revealed part of the customer's home address. A second flaw let him match customers to their Social Security numbers by entering part of that home address and guessing the last four digits of the SSN.

Guessing the last four digits of someone's SSN might not sound easy, but the right software does it in seconds. The form placed no limit on the number of guesses for a given address, so a script could simply try all 10,000 possibilities with nothing to lock it out, and in very little time it would reveal customers' Social Security numbers.
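As an added Python example (not Comcast's code, and not Stevenson's script), the loop below exhausts a four-digit check that has no attempt limit, then runs the same loop against a checker that locks an address after a fixed number of tries. Addresses and SSN fragments are constructed.

```python
"""Added example (not Comcast's code): a 'last four of SSN' check with no attempt limit is
exhausted in at most 10,000 guesses; a per-target attempt budget stops the same loop at once.
Addresses and SSN fragments below are constructed."""
import hmac

# Constructed stand-in for what the flawed form let a caller test: partial address -> last four.
RECORDS = {"12 Oak St, 20001": "4821", "9 Elm Ave, 20001": "0930"}


class LastFourChecker:
    """max_attempts=None reproduces the unlimited-guess behaviour the researcher reported."""

    def __init__(self, records: dict, max_attempts=None):
        self.records = records
        self.max_attempts = max_attempts
        self.attempts = {}
        self.locked = set()

    def check(self, address: str, guess: str) -> bool:
        if address in self.locked:
            raise PermissionError("locked: too many attempts for this address")
        n = self.attempts.get(address, 0) + 1
        self.attempts[address] = n
        if self.max_attempts is not None and n > self.max_attempts:
            self.locked.add(address)
            raise PermissionError("locked: attempt budget exhausted")
        # constant-time compare; an unknown address gets a value no 4-digit guess can match
        return hmac.compare_digest(self.records.get(address, "----"), guess)


def brute_force(checker: LastFourChecker, address: str):
    """Try 0000..9999 in order; returns (last_four_or_None, guesses_spent)."""
    for i in range(10_000):
        guess = f"{i:04d}"
        try:
            if checker.check(address, guess):
                return guess, i + 1
        except PermissionError:
            return None, i + 1
    return None, 10_000


if __name__ == "__main__":
    print("unlimited:", brute_force(LastFourChecker(RECORDS), "12 Oak St, 20001"))
    print("budget of 5:", brute_force(LastFourChecker(RECORDS, max_attempts=5), "12 Oak St, 20001"))
```

A per-address budget is the minimum; a real fix also throttles per source and, more to the point, stops using four digits of a widely leaked identifier as proof of identity at all.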

This vulnerability is believed to have affected around 26 million Comcast customers.

Comcast issued a patch within hours of the report. In an official statement to news outlets, the company said it has no reason to believe anyone other than Stevenson accessed the information and no evidence that the flaws were found or used by anyone with malicious intent. To be safe, it is continuing to investigate how the flaws originated and whether they might have been exploited.

In the meantime, Xfinity customers would do well to monitor their accounts closely. Because Social Security numbers, names, and mailing addresses were exposed, the impact could reach well beyond their telecom accounts.

