Posts

In what has become an alarming security trend, yet another company has exposed millions of consumers’ profiles online due to a non-password protected web-based server. Ladders, a recruitment site that lets users create a profile that can be shared with potential employers, was using an Amazon-hosted web server to store the profiles; according to a security researcher who discovered the information exposed online—and according to confirmation from the company—13.7 million of those users’ complete profiles were available to anyone who knew to look for them.

While the information didn’t appear to contain Social Security numbers, everything else that you might list in a job application was there. Names, email addresses, physical addresses, work histories, educational level, even whether or not the applicant had a security clearance and in what field were all available.

Fortunately, the information was discovered by Sanyam Jain, who works for a non-profit that specifically looks for overexposed information and reports it. There’s no way of knowing if anyone with malicious intentions got to it beforehand, though. After receiving the report, Ladders took down the database within a short time.

Incidents like this one continue to happen, largely due to poor password security. In far too many of the cases of accidental overexposure or data leak, the company who posted their information didn’t realize the default setting was “open” to the public.

For users of any platform, there’s really no way to prevent this kind of oversharing of their information. Other than contacting the company’s IT department, asking if they host their databases on web-based servers, and then asking if that server is password protected—all of which the IT department is probably not going to share with a member of the general public—there’s not much that individuals can do. But here are some actionable steps:

  1. Establish a secondary email – In cases like this, a spammer could download the database and target the users with spam and potentially harmful emails. If you’re establishing online accounts, you might consider setting up an email address that you only use for those purposes. However, in this case, it must be one that you can still check routinely since the purpose of the account was to be notified about job opportunities.
  2. Password security – Even if the other company doesn’t quite have their passwords nailed down, that doesn’t mean you can’t be safer with good password security. Never reuse a password or make one that’s too easy—remember, humans don’t sit and “guess” your password, but rather, software that can make billions of guesses per second does the job for them. Also, it’s a good idea to change your password from time to time, especially on sensitive accounts.
  3. Don’t throw in the towel – Even if it feels like your information is exposed every single day, that’s not the case. Data breach fatigue is a documented problem, but don’t let the constant news of poor security practices keep you from locking down your information as much as possible.

Of course, the Identity Theft Resource Center is here to help. Speak to an identity theft advisor for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


You might also like…

Imposter Scams Were the Most Reported Complaint in 2018

In New Scam, Criminals Pose as Government Pretending to Help With Identity Theft

Study Explores Non-Economic Negative Impacts Caused by ID Theft 

 

Identity theft and fraud can occur in many different ways, so it’s not something that any one person can fully prevent. However, there are a lot of things consumers can do to minimize their risk, starting with what might be the easiest step of all: password security.

The word “security” rarely means “easy,” but when it comes to implementing a strong, unique password, it absolutely is simple if you follow key guidelines. Strong passwords are those that contain a long string of characters, ones that include uppercase letters, lowercase letters, numbers, and symbols. It’s also important that the strong password does not contain a variation of your name, the website or company name, or easily guessed words or slogans.

Making a strong password might be the easy part, especially since many platforms now require you to use a certain number of characters, or remind you to include a number or symbol. The real problem for consumers is in reusing those passwords, in other words, not making them unique.

If you make a really great, strong password then reuse it on other websites, you may be no better off than if you’d used “password” as your password (like so many people actually do). A recent data breach incident involving Adidas US’s website serves as proof of that.

“According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords,” the company said in its announcement. “Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”

Once a hacker gains access to a trove of account information for millions of consumers—as may have occurred in this incident, which is still under investigation—any username and password combinations that were stolen can be used on other sites. The hacker gets your username (which is quite often your email address) and password from the Adidas breach then tries it on Amazon, iTunes, PayPal, Yahoo and Gmail, and popular banking websites. If you’ve reused your password, they just got in.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.