Posts

A recent discovery on an internal message board may be a little unsettling: according to Politico, which found the internal memo and first reported the incident, the U.S. State Department’s unclassified email system suffered a data breach. The event affected only one percent of the organization’s 69,000 employees, and the classified email system was not affected, but the State Department acknowledges that the impacted employees’ personally identifiable information may have been compromised.

Events like this one are happening with alarming regularity across every kind of business and agency, leading to record-setting year-over-year numbers of data breaches and compromised consumer records. While the State Department’s investigation of the incident is still underway, the internal memo did cite the need for better password security among employees.

Password security is an issue that plagues users at every level and in every industry. There are even websites that track the most commonly used passwords—discovered as a result of data breaches and stolen account credentials—and unsurprisingly, things like “password,” “qwerty,” and “12345678” still top the lists. Of course, a weak and easily guessed password isn’t the only issue; reusing passwords across multiple accounts leads to fraudulent access too. If a hacker obtains a database of stolen logins for social media accounts, they can try those same usernames and passwords against any other account where they were reused.

The U.S. government has been urged to take extra precautions when it comes to cybersecurity, largely due to the fallout and the resulting legislation from the Office of Personnel Management breach that began in 2014 and continued into 2015. Millions of government employees’ complete identities were stolen, along with identifying information for other people connected to those employees (e.g., family members, former employers).

The event sparked the Federal Cybersecurity Enhancement Act, which was signed into law in 2015. It required federal agencies to take more preventive action to reduce the threat of cybercrime and to report on the steps they had taken. Unfortunately, those security steps have not been implemented across the board. Several U.S. Senators issued a letter to Secretary of State Mike Pompeo earlier this month, expressing their disappointment that the department has not followed through on enough of the recommended security measures.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


Highly sophisticated cyberattacks conducted with the help of someone “on the inside” might make for great Hollywood movies, but the reality for most businesses is far more mundane. As the recent data breach of UnityPoint Health shows, the planning might have been sophisticated, but the mechanism was as boring as an email sent to an employee of the company.

The only skill the hackers needed in this breach was the ability to do some online sleuthing, figure out which executive to mimic, then contact someone within the company while posing as that executive. Unfortunately, “boss phishing,” as this is known, is so easy a middle schooler could do it. It simply means making a fake email account—either masquerading as a company email address or even a free throwaway account—and contacting someone, asking for login credentials or other data.

In this case, someone at UnityPoint fell for it. A phishing email asking for login credentials was received and responded to, simply because it looked like an email from a boss. From there, the scammer was able to log into the system and access emails, some patient records and more.

UnityPoint investigated the breach and has sent out notification letters to the affected patients, offering a year of credit monitoring to those whose Social Security numbers or driver’s licenses were accessed. They’ve also included instructions for all of the affected individuals on how to request a copy of their credit reports and how to place freezes on their credit.

More importantly, the health system is conducting widespread employee training on how to spot a phishing email, how to respond, and how to develop the foolproof, unyielding habit of never giving out sensitive information without confirming the request first.

For the rest of us, the last part is absolutely vital. Whether it’s in the workplace or the living room, all tech users have to learn how to avoid phishing attempts. It doesn’t matter what the mechanism is, whether email or a social media message, and it doesn’t matter what the request is. Some messages will claim there’s a problem with your account or the payment method on file, while others may accuse you of a crime like failing to pay your taxes or not showing up for jury duty. Whatever the reason, you’ve got to ignore the message and handle it yourself.

Rather than hitting reply or clicking the enclosed link (there’s almost always a link to click!), get out of the message and go directly to your account with whatever company or organization supposedly sent the message. Check your account status there, and if you’re still unsure, contact the company directly through its verified contact method. If you receive any request for information like bank account numbers, credit card numbers, passwords, or other sensitive data, it’s most likely a scam.


Reddit is a popular-but-controversial website dedicated to forum threads and messaging groups. Think of it as a giant bulletin board at the end of your driveway where anyone can post a new discussion topic, others can respond, but only a handful of people whom you’ve chosen are allowed to come up to the door and talk to you. Unfortunately, the highly anonymous nature of Reddit has allowed it to become a breeding ground for discussions that range from “how to bathe a poodle” to “where to buy illegal items” and other dangerous content.

Reddit has now disclosed that it suffered a data breach in June, and that login credentials were stolen for everyone who signed up for an account before May 2007. A separate compromise at the same time also exposed all of the daily digest emails, which presents a different kind of privacy problem.

The website is one of the largest in the world, so a hacker who pulled off this feat already gets to brag a little among cybercriminal contacts. However, what sets this one even further apart is that the hacker was able to bypass two-factor authentication to gain access to employee credentials.

Two-factor authentication is an additional layer of security that denies access to an account until you have proven your identity in two separate ways. It might be a one-time PIN sent to your phone, for example, which you need in order to log in alongside your username and password. It may also be answering security questions or providing other details to verify your identity.

Given the highly controversial nature of some content on Reddit, the company’s employees were required to use two-factor authentication in the form of an SMS message, or a text message as it’s more commonly known.

Somehow, the hackers intercepted those text messages and were able to log in using the employees’ stolen credentials.

First, the dire warning to the tech community: don’t be fooled into thinking that two-factor authentication will absolutely keep someone out. Yes, it’s been a great shield so far, but this demonstrates that it can be defeated. Previous data breaches that leaked cell phone numbers may be to blame, as a hacker who knows a number can have it ported to another handset and then receive the SMS messages meant for its owner.

Next, for Reddit users: the anonymity that you’ve enjoyed so far may be at risk. The hackers accessed the daily digest subscribers’ emails, so if you’ve subscribed to any topic-specific Reddit subgroups—especially ones that could have personal consequences if other people found out—there’s a chance your email address could be exposed. If that email address has also been used to log into Reddit and post inflammatory, sensitive or otherwise extremely private content, it is possible for the hackers to connect those dots and make that information public.

Reddit is forcing a password reset for the affected accounts, but it’s a good idea to log in and change your password even if you don’t receive a notification from Reddit. Also, if you’ve reused your Reddit password on another account, you should change that one as well.
