A recent Macy’s data breach is creating headaches for lots of its shoppers. There are a lot of different ways a cybercriminal can gain access to sensitive data. Not all of those ways involve highly sophisticated technological know-how. Sometimes it is as simple as finding unsecured information online, stealing someone’s work laptop or sending out a fake email that looks like the real thing in order to get the victim to hand over their data.

However, other forms of attack are something straight out of a cyberthriller. Knowledgeable black-hat hackers with a very specific skill set can inject malicious computer code into the script of a website, channeling activity from that website to any location they choose. Even worse, this is often done without the web owner’s knowledge and can continue on undetected for quite some time.

That is the case with the October 2019 Macy’s data breach. A MageCart attack, in which harmful code was embedded into Macy’s retail website, resulted in the loss of customers’ names, addresses, account numbers, credit card information and other related data points. The code was redirecting all of the information that customers entered to another location without Macy’s permission. Imagine the old home phone lines in which two handsets worked on the same phone number. This attack is just like someone picking up the other extension and listening in on a conversation without the other parties knowing.

The Macy’s data breach was discovered about a week after the code was injected into the company’s site. Macy’s has now issued a notification letter to all affected customers of the Macy’s data breach and has established a free 12-month credit monitoring option for those customers. They have also removed the malicious code and enabled safeguards to prevent further attacks of this kind.

As for the customers, there are some key takeaways from Macy’s data breach. First, the only information the thieves managed to steal was data that would be entered when creating your Macy’s account. No Social Security numbers, for example, or the information that was entered upon checkout. Second, this means that the thieves could have used your stored credit card but not establish new lines of credit or open new credit cards in your name. If you have card not present alerts enabled from your financial institution, you would have been alerted the moment a thief tried to use the card you have stored on the Macy’s website.

For now, customers affected by the Macy’s data breach are encouraged to monitor their account statements carefully for any signs of fraud, sign up for the free credit monitoring if offered and remember to activate the kinds of security measures that will protect you in the event something like this happens again. Card not present alerts and two-factor authentication are just two of the tools that many banks and credit card companies offer in order to keep you safe.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

T-Mobile Data Breach Exposes One Million Prepaid Accounts

Hacked Disney+ Accounts Are Being Sold Online

E-Skimming is a New Cybercrime That is Just in Time for the Holidays



T-Mobile has become the most recent telecom giant to announce a data breach affecting a large number of U.S. customers. As part of the T-Mobile data breach, more than one million prepaid service accounts were affected, which included names, addresses, phone numbers and information about customers’ rate plans, calling features and international calling.

This information may not appear to be very damaging. After all, there is no financial information or identifying data from the T-Mobile data breach that could allow thieves to open a new line of credit or a new account. However, the information that was compromised could still be used for malicious purposes. By having detailed information on what plan a customer has and what calling features they subscribe to, it would not be very difficult to convince a T-Mobile associate that the hacker is actually the account holder, and then solicit the employee’s help in taking over the account entirely.

T-Mobile has not answered some key questions about the T-Mobile data breach, such as the specific number of customers who were affected and whether it was a breach of its customer website or another online source. While the company should be applauded for a rapid response to discovering the T-Mobile data breach, there is other pertinent information that the public and security experts alike could benefit from knowing.

Many of the customers have already received a text message notification about the T-Mobile data breach, which is another possible cause for concern. Users have to be able to discern between genuine communications from the company and phishing attempts by hackers who are posing as T-Mobile representatives. Any message that asks you to confirm your information, especially sensitive things like your password or PIN, is suspicious and the company has said it will never contact its customers for that kind of data.

This is true of most companies, whether there has been a data breach or not. Phishing attacks work because the victim thinks they are talking to someone from the business. Instead, it is a cleverly disguised copy of a company communication. In any event, there is never a reason to verify your identifying information for someone who contacts you, no matter what form the communication takes. Ignore the message and go directly to your account online in order to verify that everything is okay.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Are the Wrong Toys on Your Holiday Shopping List?

Hacked Disney+ Accounts Are Being Sold Online

E-Skimming is a New Cybercrime That is Just in Time for the Holidays

According to the National Center for Education Statistics (NCES), about 56.6 million students are attending school this fall. The NCES also reports that there are 3.7 million teachers currently in the United States. That is over 60 million students and teachers spending their time inside of schools, on their Wi-Fi, online programs and much more.

Data breaches that affect students and teachers are not uncommon, although education ranked lowest of the five industry sectors that the Identity Theft Resource Center (ITRC) records in 2018 with 76 education data breaches exposing 1,408,670 records. However, 2017 was a different story. According to the ITRC’s 2018 End-of-Year Data Breach Report, in 2017 there were 128 education data breaches exposing 1,418,455 records. So far in 2019, there have been 104 breaches exposing 2,248,578 records. You can learn more by signing up for our ITRC Monthly Breach Newsletter.

While the education sector is not seeing as many breaches as some of the other industry categories, the ITRC believes that one breach is one too many. That is why we continue to empower identity theft victims – particularly those that are victims of education data breaches – with the resources to resolve their cases. Our mission, since our founding in 1999, is to help people proactively reduce their risk of becoming a victim and to empower them to mitigate their cases if they have become one. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches. As part of our 10,000 Breaches Later blog series, last week we looked at the top banking, credit and financial data breaches. This week we conclude our blog series with a look at the top five education data breaches that impacted U.S. teachers, students and families and their personal information that was compromised.

Maricopa County Community College District

Following a data breach incident in January 2011, Maricopa County Community College District experienced another education data breach in 2013 that led to personal information like names, addresses, Social Security numbers, dates of birth and financial aid information being exposed. The breach affected 2.5 million current and former students, employees and vendors. In January 2011, the district was first notified by the FBI of a small data breach affecting 400 people. Information from its database was found online for sale, and the FBI warned the district that it needed to properly secure its systems. Ten months later the district was warned, once again, this time after the Arizona Auditor General found that terminated employees still had active user accounts on the district’s network. One year later an audit found that the district had still not tightened up its security procedures. This led to the breach in 2013 which discovered, once again, sensitive information had been found for sale online. The impact on those teachers and students was potentially catastrophic given the amount of sensitive information and data compromised. This education data breach also highlights the importance of businesses and schools to take their security measures seriously.

Georgia Tech

In April 2019, Georgia Tech announced that nearly 1.3 million current and former faculty members, students, staff and student applicants had been affected by an education data breach that was caused by unauthorized access to a web application. Information compromised included names, addresses, dates of birth and Social Security numbers. The university has taken steps since to help people who were affected by offering credit monitoring and identity theft protection services to individuals who had their Social Security number exposed. Faculty members and students should be aware of the sensitive nature of their data and the potential unique identity theft aspects that could come from its exposure.

Washington State University – Social & Economic Science Research Center

Two years prior to the Georgia Tech education data breach, Washington State University learned that a locked safe containing a hard drive used by the Social & Economic Science Research Center to store backed-up files had been stolen. The hard drive contained a wide range of sensitive information on 1.1 million individuals including demographic information, Social Security numbers and personal health information. In April of 2019, the university reached a $4.7 million settlement where victims were entitled to receive up to $5,000 in cash reimbursements for any out-of-pocket expenses incurred, credit monitoring services or credit reports. This breach stresses the importance of making sure schools and universities have guidelines and measures in place to make sure that all student and faculty information is securely protected and that there is no risk of it being stolen, whether online or from a safe.

University of California Los Angeles (UCLA)

In October 2006, UCLA was hit by a cyber-attack allowing a hacker to gain access to a restricted database containing sensitive information of 800,000 current and former students, faculty and staff. The database included names, addresses, dates of birth and Social Security numbers. While this breach affected less than five percent of the records in the database, it was still one of the largest education data breaches at that time. While the university said there was no evidence of any personal information being misused, they suggested those possibly affected contact credit reporting agencies and take steps to minimize the risk of potential identity theft.

Pearson

Initially reported in July 2019, educational software maker, Pearson, experienced a data breach affecting its AIMSWeb 1.0 platform. Roughly 13,000 school and university accounts were affected by this breach. However, this number does not include the individual students and staff members whose information was contained in each account. Although the information exposed varies per account, information like student names, student dates of birth, student email addresses, student ID numbers, staff names, staff email addresses, job titles and more was exposed. In an interview with the Las Vegas Review-Journal, ITRC president and CEO, Eva Velasquez said, fortunately, the information exposed was limited: “Just a name is not going to necessarily lead to an increase in the risk of identity theft. A name and date of birth could potentially lead to a slight increase. But as far as very serious personal identifying information, it does not appear that this breach contains that level of data.” School districts are continuing to come forward to report being affected by the Pearson breach.

As we recap education data breaches, the ITRC hopes to help those impacted – both as faculty members, students, schools and universities – understand how to minimize their risk and mitigate their identity compromises. If you received a data breach notification letter, do not just set it aside. Call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do. If you are a school or university that has been impacted by a data breach incident, please reach out to the ITRC to discuss how we can provide assistance to your impacted customers. Every victim of a data breach should download our free ID Theft Help App to track their activities around any given data breach.

For a complete look at all the blogs from the 10,000 Breaches Later blog series, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: Top Five Financial, Credit and Banking Data Breaches

10,000 Breaches Later: Top Five Military and Government Data Breaches

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches

It seems hard to imagine that companies still suffer accidental data breaches, but it happens with alarming frequency and it led to a ‘Magic: The Gathering’ data breach. It may be an employee who downloads some malicious software or falls for a spear phishing campaign, or someone who leaves an unsecured laptop or flash drive out. Regardless of how it happens, what is important is that it happens often enough that more companies should be safeguarding themselves from this kind of threat.

One frighteningly common event is the accidental overexposure, which occurs when a company unintentionally puts its sensitive information online for anyone to find. Sadly, even though they are doing it by mistake, that does not stop malicious people from finding the information and using it.

The most recent example of a company leaving a database of customer information exposed on the internet is Wizards of the Coast, the developer of the popular game, ‘Magic: The Gathering.’ It led to a ‘Magic: The Gathering’ data breach. This card-based game has been widely popular for many years and has a devoted following. Unfortunately, the owners used an unsecured Amazon Web Services bucket. This online server contained customer data for more than 452,000 users, including usernames and hashed and salted passwords. However, the information was not encrypted.

Accidental data breaches like the ‘Magic: The Gathering’ data breach have happened to numerous well-known, large-scale companies recently. It is always with the same issue that the requirement to password protect the server is turned off by default. Unless the company opts to password protect the server and takes the steps to do so, their information can go online without any kind of wall around it.

Unfortunately, TechCrunch reported this incident with a somewhat bothersome finding. A security company called Fidus Information Security discovered the database of information and contacted the game developers. However, there is no way of knowing if anyone else had already compromised the information. In this case, as TechCrunch states, “Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.”

One of the most critical things any company can do during a data breach like the ‘Magic: The Gathering’ data breach is to respond in a timely way. Leaving the information online while looking into the matter or failing to notify the customers of the breach quickly is not the best way to protect anyone. The developer has informed affected customers to change their passwords and has reported the breach to officials who oversee the EU’s privacy compliance regulations.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Three-Pronged Web Service Data Breach A Cause For Alarm

Virtual Reality Privacy Concerns

Who is Responsible for Fraud Prevention? Join the Fraud Week Twitter Chat with ACFE!

Three web services recently suffered a web service data breach in August. The news broke from Krebs On Security that users of Network Solutions, Register.com and Web.com may have received notice that an unauthorized user was able to gain access to certain important pieces of information from users’ accounts.

Domain Registration Websites

The three companies in question have a very important place in the online business world. They register website domain names, which means that if you create a website, they may hold the key data around that website. This web service data breach is particularly alarming if your website had sensitive information about the owners—including names, email addresses, phone numbers and physical addresses—which may have been compromised. Sensitive websites might be political in nature, may involve children’s photographs or identifying features or might pertain to marginalized communities of people.

Change Your Password Immediately

So far, Web.com, which owns both of the other two registration companies, has only issued a blanket warning to customers to change their passwords. The web service data breach notification is available on a separate section of their website, but none of the companies list this important announcement on their home pages.

If you have registered a website via any of these companies, it is important to change your password right away. However, even if you have not used one of them, it is encouraged to take this time to go to your domain registration company and change your password for good measure.

Watch For More Sophisticated Phishing Emails

Phishing attacks are another serious concern from breaches like the web service data breach. Hackers use or sell your email information in order to flood you with spam emails, mass marketing and fraud attempts. It would be easy for someone to create a fake email that appears to come from one of these companies and then send you an email demanding your login credentials or financial information. Be on the lookout for these kinds of approaches, and know how to respond to a potentially harmful email or text message.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Adobe Account Information Leaked After Server Left Unsecured

Be on the Lookout for 2020 Census Scams

Hy-Vee Cards Stolen in Recent Data Breach Are Fetching a Higher Price on Dark Web Websites

According to our 2018 End-of-Year Breach Report, there were a total of 135 financial, credit and banking data breaches, exposing 1,709,013 records last year. In the report, banking/credit/financial had the third-highest amount of data breaches of the five industry categories the Identity Theft Resource Center tracks. Of all the data breaches recorded in 2018, hacking was the most common form of data breaches. That trend has been noticeable throughout our 10,000 Breaches Later blog series and continues to play a role when it comes to financial, credit and banking data breaches.

Sign up for our ITRC Monthly Breach Newsletter for more information on these data breaches.

This is one of many reasons why the ITRC  has been working to empower financial, credit and banking identity theft victims with the resources they need to resolve their cases since 1999. That includes helping people proactively reduce their risk of becoming a victim of identity theft. Since 2005, the ITRC has recorded over 10,000 publicly notified data breaches with monthly and cumulative end-of-year reports.

Last month, we looked at some of the largest government and military data breaches. Now we shift our focus to the top five most impactful financial, credit and banking data breaches (as well as a bonus breach) for consumers.

Capital One

Just three months ago on July 29, 2019, Capital One announced that a hacker had gained access to 100 million U.S. and six million Canadian Capital One customers’ accounts and credit card applications in March of 2019. Individuals and small businesses were affected by this data breach that disclosed names, addresses, dates of birth, email addresses, credit scores, credit limits, payment history and balances. Roughly 140,000 Social Security numbers (SSNs) and 80,000 linked bank account numbers were also exposed. At the time of the breach, the ITRC urged consumers to take action, freeze their credit, be aware of scams and to document all of their steps they were taking if they were impacted (utilizing our ID Theft Help App as one tool). This breach was particularly impactful due to the high amount of SSNs and bank account numbers exposed and the gigantic amount of accounts accessed. A stolen Social Security number can lead to multiple types of identity theft, including financial identity theft, government identity theft, criminal identity theft, medical identity theft and utility fraud.

JPMorgan Chase & Co.

First reported in August of 2014, JPMorgan Chase & Co. experienced a cyberattack that allowed hackers to access the personal information of 76 million households and seven million small businesses. The information accessed included names, addresses, phone numbers, email addresses and internal JPMorgan Chase & Co. information of those users. Customers affected by this breach were those who used Chase.com, JP Morgan online, Chase Mobile and JP Morgan Mobile. Many JPMorgan Chase & Co. customers were impacted because JPMorgan Chase & Co. did not have to send out notification letters to affected consumers in many states because the breach did not expose sensitive information like account numbers, passwords, dates of birth and Social Security numbers. Instead, Chase posted a blanket statement on the homepage of their website. That left some individuals affected on their own to figure out what to do.

CardSystems

Credit card processing company, CardSystems Solutions, Inc., discovered in May 2005 and reported one month later that they had experienced a  data breach in which a hacker was able to insert a virus into the computer system that captured customer data. Around 40 million Visa and MasterCard credit and debit card accounts were affected. Following the breach, Visa said it would continue to work with CardSystems when the case was resolved. MasterCard said that it would give CardSystems a limited amount of time to demonstrate compliance with MasterCard’s security requirements. The data breach led to Visa and MasterCard dropping CardSystems as their credit card processor. An important point for consumers to understand in this instance, in particular, is that many institutions utilize third-party vendors that can have a detrimental impact on their data even if the consumer is as vigilant as possible.

BNY Mellon Shareowner Services

On February 27, 2008, Bank of New York Mellon (BNY Mellon) lost a box of backup tapes in transit to a storage facility that contained the names, addresses, dates of birth and Social Security numbers of 12.5 million customers. Connecticut Attorney General Richard Blumenthal said he was alarmed and deeply concerned at the time of the breach. Notification letters were sent to those affected in May and the breach had such a large impact the bank went on to hire more customer service representatives to handle the influx of calls from concerned customers. This is a reminder that if you are impacted by a breach, it is important to take the necessary steps to protect yourself.

Scottrade

In October 2015, retail stock brokerage firm, Scottrade, INC., disclosed that hackers had stolen client contact information and SSNs for 4.6 million customers. In an email notice sent to customers, Scottrade said that although SSNs, email addresses and other sensitive data were contained in the accessed system, they believed that only client names and street addresses were the focus of the hack. However, the company said it would offer those affected identity theft protection services “as a precaution.” At the time of the breach, federal authorities were also investigating similar thefts at other financial services companies. It is important for consumers to realize that even if a company believes that only certain records where the targets, any data that may have been compromised opens those impacted to much more risk than an organization may communicate in its notification.

Bonus Breach: First American Financial Corp.

In May 2019, it was reported that financial services corporation, First American Financial Corp., had been exposing a massive 885 million real estate and mortgage-related documents through its website. By simply altering a nine-digit record number attached to a transaction link, users were able to potentially pull up other transaction documents containing information such as names, phone numbers, addresses, driver’s licenses, Social Security numbers, bank account numbers and statements, mortgage and tax records and wire transactions receipts. In an update posted by First American regarding the financial, credit and banking data breach, the investigation only identified 32 consumers whose non-public personal information was likely accessed without authorization. This breach could have led to mortgage fraud where a hacker tries to take out a loan in the victim’s name as well as other types of fraud like title fraud.

As we recap the last 10,000 breaches, the ITRC hopes to help those impacted understand how to minimize their risk and mitigate their data compromises. If you have received a data breach notification letter, call us at 888.400.5530 or LiveChat to talk with a live-advisor on what you should do.

In our final 10,000 Breaches Later blog, we will take a look at some of the biggest education data breaches since 2005 and the effect they have had on children, parents and teachers. For a look at all of ITRC’s 10,000 breaches blogs, visit https://www.idtheftcenter.org/10000-data-breaches-blog-series/.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

10,000 Breaches Later: Top Five Military and Government Data Breaches

10,000 Breaches Later: Top Five Medical and Healthcare Data Breaches

10,000 Breaches Later: Top Five Business Data Breaches

A lot of data breaches are the work of highly-skilled hackers who use technical know-how to infiltrate a company’s cyber defenses. Others are not so elaborate, such as when a low-level criminal sends a phishing email to a company employee, one that contains a virus purchased on the dark web. While those two malicious scenarios involve different ability levels, there is a whole other possibility for data breaches, that being accidental overexposures. The Adobe account information leak followed a similar scenario.

When a company employee allows information to simply exist in a way that anyone can steal it, it is called an accidental overexposure. Unfortunately, recent news has demonstrated that far too many businesses are storing their sensitive data in cloud-based storage solutions, then failing to secure it.

As the recently announced Adobe Creative Cloud breach, leading to Adobe account information leaked shows, all it takes is uploading a few customers’ login credentials—or in this case, about seven million customers’ data—to a cloud-based storage bucket and then not switching the default setting of “no password required” to a password-protected option.

Security researcher Bob Diachenko and Comparitech discovered the database of emails, usernames and product selections online, available to anyone who stumbled upon it in their web browser. While some estimates show that the database was left exposed for about a week, there is no way of knowing how long it was visible. The experts who found it alerted Adobe, who secured the database that same day after Adobe Account information leaked.

Unfortunately, with such a common occurrence as this, there is really only one recourse consumers have. It is imperative that all tech users rely on strong, unique passwords for all of their online accounts, and that they change these passwords regularly. That way, if a database is left exposed and a nefarious actor discovers it, the password contained in the database will be useless because it is outdated.

Also, as the information contained in this breach event shows, learning how to spot spam and phishing emails is another way to protect yourself. With limited information such as this, scammers can easily send users emails that masquerade as communications from Adobe, even going so far as to list the exact products the recipients use. Be alert to this kind of tactic, and know how to protect yourself from emailed threats.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Hy-Vee Cards Stolen in Recent Data Breach Are Fetching a Higher Price on Dark Web Websites

Millions Of Venmo Payments Accessed Publicly

Best Western Open Database Exposes Government Records

Dark web websites contain a lot of stolen information, and that now includes Hy-Vee cards selling at unusually high prices. When an identity thief steals your information, you might be surprised to discover how little you are actually worth, at least when it comes to posting your data for sale on dark web websites. Hackers often fetch as little as $1 apiece for complete identities, largely because they can sell them to multiple people and because they often upload entire databases containing thousands of identities at a time.

However, a recent data breach shows an alarming departure from the ordinary. Hy-Vee stores suffered a breach in which customers’ credit card information was stolen, and these and other Hy-Vee cards are now appearing on dark web websites for as much as $17 to $35 each. What brought on such an unheard-of price increase?

First, these Hy-Vee cards are verified to work. Unlike phony cards or even ones that were stolen from your wallet, for example, this is a massive trove of card numbers that were used recently. If they were listed for sale on dark web websites before Hy-Vee was notified of a breach, then there would have been no reason for the cardholders to cancel them. Even if a client bought a hundred or a thousand sets of card numbers, some of the Hy-Vee cards should still be working.

Security experts say that credit cards have begun fetching a higher price overall recently, possibly due to the ability to use a credit card online before even paying the thief who stole them, just to prove they still work. From there, criminals use the cards to buy high-priced items that they can sell for a quick profit on dark web websites.

Remember, if you receive a data breach notification letter, it is important that you take it seriously. Follow the steps outlined in the letter and contact your credit card company immediately if your card was affected.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

California Improves Outdated Privacy Law with Biometric Protection

How Zombie Apps and Accounts Can Come Back To Life

Worst Places in the U.S. for Identity Theft

While data breaches of any kind are alarming enough, a business data breach that can leak information from an open database relating to national security can be very scary. For example, the Office of Personnel Management breach in 2015 leaked the complete identities, sometimes including background checks, fingerprints and even information pertaining to security clearances, for about 21.5 million people who work for or are related to an employee of the U.S. government.

A data breach of a hotel chain reservation system might not seem as significant as the OPM breach, but in its own way, it could be. Autoclerk, a reservation management system used by the Best Western Hotels and Resorts company, was the target of a breach of an open database that leaked names, addresses, birth dates, obscured credit card information, dates of reservations and even room numbers for thousands of people. In total, there are expected to be hundreds of thousands of individual reservations in the cache of data.

Hotel reservations might not seem that serious, but any data breach of government records is a notable event. It is especially troubling when many of these guests are military or government personnel traveling on official business. The information pertaining to locations, dates and names could prove useful to someone with an interest in it. The data from the open database contained past travel arrangements and upcoming scheduled trips for officials in the military and the Department of Homeland Security. The government records even reportedly included the names of officials who have scheduled trips to Russia and Israel, among other places.

What is worse is that the information from this data breach was discovered online with no encryption. Anyone who had reason to look for it could locate it and sift through its contents.

This is the kind of event that should serve as a wake-up call to anyone who uses technology. There is no such thing as a “foolproof” system that can keep every hacker out. It is up to individuals to do their part in keeping outsiders from finding out too much about their personal information and their activities. Protecting your information and your sensitive details should be paramount when operating any type of technology.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Popular VPN Provider, NordVPN, Breached by Hackers

FBI Warns of Hackers Bypassing Some Types of Two-Factor Authentication

Facebook Lottery Scam Brings Attention to Hoaxes, Phishing Attempts and Account Takeovers

Many security-minded tech users employ a virtual private network (VPN) when they’re online as their own private tunnel on the internet. But, it could be a bit of a disaster if someone managed to break into a VPN provider’s servers and uncover what its subscribers have been up to. That appears to be what happened to one of the world’s most highly recommended providers, NordVPN.

The Impact on Users

In response to the NordVPN breach, the company has issued a statement following online speculation about a breach of its system. Apparently, someone gained access to an expired internal private key, which let them recreate one of NordVPN’s servers on their own system. Some sources have said that the only way this would have been possible is if the hacker had “root access to a container server,” which would have let them uncover a lot of information, but that has not been confirmed by the company. In fact, NordVPN’s statement indicates that no compromising information could have been accessed since the company does not gather, store, or sell its customers’ logs.

While the company assures its users that their login credentials and internet activity could not have been accessed, it’s important to understand that tools like a VPN are only an additional layer of protection. They’re not meant to be the entire fortress that protects your browsing or your identity. Interestingly, two other VPN providers have been mentioned in this same incident as having also been breached, but those have not been confirmed.

Protect Your Browsing

Obviously, VPNs are supposed to keep people from being able to see what you do when you’re browsing, shopping, using your financial accounts, and more. Also, they have a special feature that allows you to “reroute” where the internet thinks you’re logging in from. That means someone in one country can use a VPN and appear as though they’re logging in from another country; there are quite a few legal reasons why someone might want to do that.

As such, everyone from privacy-focused parents who want to protect their kids online to journalists who are reporting from deep within a dangerous zone might benefit from a VPN. Business users are especially likely to use one since they can help protect proprietary information, keep sensitive documents from leaking to the public, safeguard new projects, and more.

Keep Up Your Identity Hygiene

Protect yourself online and via mobile by locking down your identifying information, securing everything with strong passwords, and using two-factor authentication when you can. Remember, cybersecurity is often a leap-frogging game of catch-up; as new security tools come to market, hackers find new ways to break into them or abuse them. Therefore, it’s important that you treat all of your security measures as safety nets, not the sum total of your online protection.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

One Simple Way to Not Get Your Twitch Account Hacked

FBI Warns of Hackers Bypassing Some Types of Two-Factor Authentication

Are You CyberSmart? Majority of U.S. Adults Lack Digital Knowledge