Posts

What is on your agenda for today? Go ahead and pencil in changing your Facebook passwords. This item does not need to be near the very top of the list, but it is certainly a good idea to put it on there and follow through.

According to a report by KrebsonSecurity and a follow-up announcement from the company, hundreds of millions of Facebook passwords were left accidently unencrypted. If you are not already aware of what that means for individual users, do not worry there is no evidence that anyone got your password. It just means that those passwords were “visible” in plain-text to anyone who was able to access the servers, which could include hackers—although there is no evidence of that—but certainly included numerous employees of the company.

In fact, Facebook seems to have traced the security issue back to project that centered on employee-created tools, apps, and features. Once the employees accessed the usernames and passwords for their work, those passwords were often stored in plain-text. Some of these employee-created copies of the login credentials—especially the passwords—go back as far as 2012.

Facebook has not released information on how many user accounts were visible or how many employees had access to the information, but KrebsonSecurity has details that put the number of employees at around 2,000—and those employees made approximately 9,000 separate data inquiries into millions of users’ login credentials.

This issue does not fall under data breach notification laws or protections, and Facebook is not recommending or forcing a password reset at this time. However, the social media site will inform users whose information was left potentially exposed, which is why it is important for the users themselves to be proactive about changing their Facebook passwords. There is no way of knowing if anyone other than the authorized employee accessed their information, and also no reason to assume that a company employee could not be the one to maliciously use or sell a large database of credentials.

“Password hygiene” has gotten a lot of attention in recent years, largely due to incidents like this one. If you secure all of your accounts with a strong password that you do not use anywhere else and that you change routinely, announcements like this one probably will not even be a cause for concern. However, if you use an easily guessed password, reuse your passwords on multiple accounts, and keep the same password for years, your risk of harm from a data breach is much greater.

Remember, to keep your online accounts protected:

  • Use a strong password that contains a long string of characters—eight to twelve letters, numbers, and symbols
  • Only use your password on one account
  • Update your passwords routinely, especially on sensitive accounts like email, social media, and financial sites

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Imposter Scams Were The Most Reported Consumer Complaint

Identity theft and security experts have warned for years that consumers need to stay on top of the latest news about scams and fraud in order to protect themselves. But there’s no need to keep those details a secret!

A retail employee in Illinois saved the day when she and other workers stopped a senior citizen from becoming the victim of a scam. The customer was trying to buy a high-dollar amount of gift cards to bail her grandson out of jail. According to the story, a far-flung police department had called her to let her know her grandson was in custody and needed $500-worth of gift cards to post his bail. Fortunately, she was prevented from buying the cards and called the local police department instead. Sadly, another customer wasn’t so lucky. She proceeded to buy the gift cards despite the warnings from employees.

Even worse, a Walmart employee in another state tried to be a good Samaritan and prevent a man from purchasing a $2,500 wire transfer to send to a scammer. The employee, who is now being honored by the company’s board of directors for her repeated help stopping other customers from becoming victims, was originally threatened with a lawsuit by the would-be victim since she put up some fuss about processing the wire transfer. Fortunately, once the police were called, the customer learned the truth and thanked the employee for saving him from a crime.

These examples illustrate a very serious issue: scam activity is on the rise and more consumers are sitting up and taking notice. However, as these real scenarios demonstrate, it can be difficult to intervene when you see something taking place, even if you’re certain something isn’t right. You don’t know how your help will be received.

So how do you put your knowledge of scams and fraud to good use and help your fellow consumers while avoiding any negativity? First, just know that no matter how your attempt to help is received, you were trying to do the right thing. Also, you can try this:

1. Spread the social word – Social media can be a powerful force for good, especially if the content you’re sharing is relatable and genuine. It’s tempting to forward every alarming hoax that pops up, but if you craft a sincere warning about scams and fraud, you just might prevent someone else from becoming a victim. Don’t forget to make your post sharable!

2. Host a fraud prevention event – There are a number of organizations that host awareness events throughout the year, but you don’t have to wait for a specific time. You can host your own get-togethers, community action meetings, senior center events and more, then use those as a time to help get the word out about different kinds of fraud.

3. Follow news from the Identity Theft Resource Center online – The ITRC has a Twitter account, Facebook account, weekly newsletter and many other resources that can keep you informed. Sharing their news is as simple as clicking a button. Helping others recognize a potential scam doesn’t have to mean putting yourself out there.

If you see a scam taking place, you can enlist the help of retail employees, store managers, law enforcement officers or anyone else who can stop someone from becoming a victim. No matter how you choose to help, just know that you’re working to make life better for others when you stop a scam in its tracks.


Read next: “Your New Medicare Card Could Lead to a Scam”

Securing Our Nation’s Critical Infrastructure Is Everyone’s Responsibility

In Week 4 of #CyberAware Month we’re emphasizing the importance of securing our critical infrastructure and highlighting the roles the public can play in keeping it safe.

A nation-wide pizza chain made news in 2018 by announcing a new contest: nominate your town for pothole repair. The very endearing marketing tactic asked customers around the country to explain why their town deserves a little roadway TLC in order to keep pizzas from bouncing around the car on the way to their tables. One winner would be chosen, and the chain would fund pothole repair for that city.

As fun as that sounds, maintaining and protecting our infrastructure isn’t a game, especially when it comes to the real threat of cyber attacks. These coordinated attacks can disable anything from our power grid, telecommunications and E-911 systems, water supply and sewage and more. Taking down even one of these vital utilities with a cyber attack would have devastating consequences while targeting more than one system could cripple entire sections of the country.

October is National Cyber Security Awareness Month, a project hosted by StaySafeOnline. This year’s theme is “Our Shared Responsibility,” and each weekly theme focuses on how consumers, businesses, and stakeholders can play key roles in protecting against hacking, data breaches, and other related crimes.

But how are members of the public supposed to prevent a large-scale hacking event that aims infrastructure? It’s one thing to update your home computer’s antivirus or log out of your sensitive accounts when you’re not using them, but those behaviors will hardly stop highly-skilled operatives from threatening a country’s water supply.

Or can they? Can the security behaviors you adopt prevent the next widespread cybercrime? StaySafeOnline certainly thinks so, and will offer crucial information to the public on ways that they can take an active role in securing our country’s infrastructure: “Our day-to-day life depends on the country’s 16 sectors of critical infrastructure, which supply food, water, financial services, public health, communications and power along with other networks and systems. A disruption to this system, which is operated via the internet, can have significant and even catastrophic consequences for our nation.”

One of the most obvious ways that consumers can protect these necessary resources starts with protecting their own networks. Your home computer, your smartphone, and your Internet-of-Things connected devices are all sources of potential vulnerabilities. If you’re in any way connected to the public utilities—even theoretically something as mundane as paying your electric or water bill online—it could result in fraudulent access to the utilities if hackers gain access through your computer.

By securing your own devices and networks first, you’re possibly preventing a cybercriminal from compromising your device and using that connection to gain access to a “bigger fish.” Third-party attacks, commonly associated with small businesses who have connections to larger corporations, are a recognized avenue of attack. The Black Friday data breach that affected Target in 2013, for example, was eventually traced back to a third-party vendor who worked on the refrigeration units for a small number of Target locations.

Safeguarding your own network and devices is always a smart thing to do, and it can prevent a lot of headaches for you down the road. In today’s connected digital climate; however, your own security steps just might protect us all.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

October is National Cybersecurity Awareness Month, and there’s no bigger “holiday” for those who work in information technology, digital safety and tech security. Okay, that might be a tiny exaggeration; However, it is safe to say this: cybersecurity professionals keep our internet and networks safe from hacking, data breaches, scams and fraud, and there simply aren’t enough cyberheroes doing the job.

Just in 2017, data breaches hit a new record high of 1,579 breaches, indicating a drastic upturn of 44.7 percent increase over the record high figures the year before. Fortunately, there’s never been a better time to pursue a career in computer security or data protection. The theme for week two of NCSAM is to highlight the intense need for highly-skilled, dedicated professionals who are interested in the landscape of modern crime and warfare known as our computers and the internet.

But who has the chance to become a superhero? Anyone! Only two years ago, there were an estimated one million unfilled jobs in the U.S. in the cybersecurity field, and that number is expected to be 3.5 million by 2021. There has never been a better time to consider this field, and there may have never been a more critical need than right now.

1. Middle school and high school – It’s never too early to begin learning about data breaches, information technology, cybersecurity and other tech-related subjects. Unfortunately, you’d be hard-pressed to find more than a few high schools even offering this type of course. There are some really dynamic online sources for teens, though, and the first step is simply to get students interested in the field and talking about the subject.

2. College and career – More and more colleges are offering cybersecurity degrees, and many of those schools even offer a fully online bachelor’s degree in the field (after all, you’re going to be working online a lot, you might as well earn your degree that way!). The programs have grown in number to the point that multiple sources have already ranked colleges’ and universities’ cybersecurity degree programs according to best value, best education, highest number of graduates working in their field and more.

3. Returning learners – For one reason or another, the average person changes careers between five and seven times during the span of their work life. Some of the reasons include better pay or benefits, more flexibility, a lack of opportunity in their previous field, or simply the chance to reinvent themselves after years in a fulfilling career. Cybersecurity is relatively new, it’s constantly evolving, it’s an incredibly high demand, and for some, it’s a job that a professional could do as a freelancer or from home. All of those factors make cybersecurity and information technology exciting possibilities for older, non-traditional or returning students.

No matter why you consider the cybersecurity field, there’s never been a better time to take on the challenge. It’s a widely recognized and highly sought after area of study while also serving the greater good and protecting the public. (The $100,000+ average annual salary doesn’t hurt, either.) If you’re looking for an exciting opportunity that can offer you variety mixed with longevity, talk to a college, university or career counselor about cybersecurity.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Our Shared Responsibility Begins at Home

National CyberSecurity Awareness Month, an annual cybersecurity experience hosted by Stay Safe Online, has officially kicked off its 15th year. This October event, which brings together stakeholders from every level of online security, is geared towards everyone from top-tier cybercrime analysts to the most vulnerable everyday internet users. The goal remains the same each year: to ensure that the most up-to-date information on cybersecurity is accessible to all users and is at the forefront of their tech decision-making.

This year’s month-long theme is “Our Shared Responsibility,” but the focus of week one is how cybersecurity begins at home. Lessons on every aspect of our physical and emotional safety begin with those who care about us the most, and internet safety is no different. Creating an environment of secure internet access and understanding leads to life-long Cyber Aware users.

To know what lessons to impart, parents and other caregivers need to understand the changing needs for all users within the home. Young children might only enjoy a few minutes of screen time on a tablet with specifically chosen apps, while older teens gain more and more responsibility—and exposure—through social media, browsing, the “latest” app that everyone’s talking about, and more.

At every age and for every user in a household, the privacy and security pitfalls can change. That’s why it’s essential to remain in the know about the kinds of cybersecurity issues that different people may face:

  1. Young children – For most youngsters, it may be up to Mom and Dad to enter their information into an age-appropriate account, so it’s also up to the parents to understand what information they’re sharing, what permissions they’re granting, and where that information can end up. Understanding what kinds of data breaches have taken place in the past can also help, such as the VTech breach or ones involving public schools and doctors’ offices.
  1. Preteens and Tweens – Every generation has thought that kids were growing up too fast these days, but when it comes to technology—especially unsupervised access to it—that may be truer now more than ever before. The average age for US kids to get their first smartphone is now ten years old, and that can mean unprecedented access to the internet, downloadable apps, social media, and more.
  1. Teens and Young Adults – One of the most commonly associated cybersecurity issues for young adults is probably cyberbullying, especially on social media, but that’s just one of the many dangers this age group can face. While it’s important to discuss proper behavior online as well as what to do if they’re targeted, it’s also vital that parents discuss scams, fraud, identity theft, hoaxes, and more. One staggering statistic, for example, has shown that senior citizens may be more likely to be targeted by a scammer, but Millennials are the ones who lose more money to online scams and fraud.

No matter what age your family members may be, NCSAM is an excellent time to explore your privacy, security, and overall digital safety.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

Today, Facebook announced a recently discovered security breach that relied on an open vulnerability in the platform’s coding. The “View As” feature, which lets users see their own profiles in the way that others see them—without all of the extra admin sidebar content that lets you control your wall—contained script that allowed hackers to use around 50 million accounts.

Facebook first closed the vulnerability and forced a re-login for the 50 million affected accounts. Then, they repeated the forced login for an additional 40 million accounts that didn’t seem to have been affected but that had used the View As feature.

From there, Facebook shut down the View As feature until they can secure it from further fraudulent use.

According to a report about the incident from Facebook, “Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Whether you hear anything official from the company or not, there are some actionable steps you should take. First, change your password—which you really should be doing routinely in order to maintain your privacy and security. Any apps that you’ve connected to Facebook (you’ll know you’ve done this if you are able to log into it with your Facebook account) need to be force closed and logged out; it’s a good idea to a) change your password on those if you have one, and b) revoke the permission for Facebook to connect with it by going into your Facebook settings and removing it. Go into your settings and find all of the current devices you are logged into ( see screenshot above) and click “Log out of all devices” to ensure that no one with bad intentions may still be logged in to your account.

Finally in this case, changing your password means that you are changing the tokens on your devices that allow you to stay logged in. By doing this, it should update the tokens that might have fallen into the hands of bad-actors that might want the valuable personal information that would be in your Facebook profile. Remember, periodic proactive checks to your privacy and security settings will help you stay one step ahead of the identity thieves.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

One of the great mysteries of social media—apart from why people need to share photos of their dinner—is what makes someone post false information without hoping to gain from it. These hoaxes sometimes end up going viral and taking on a life of their own, and the original sender only gets a little temporary boost in their visibility online.

There have been a lot of Facebook scams over the years and more than a few hoaxes, too. The key difference between the two is that scams and fraud seek to steal your identity, your money, access to your computer or account or some other criminal gain. Hoaxes, on the other hand, seem to only bring joy to the creator when they watch how many people share the misleading or false information.

A recently reported double-hoax playoff of changes to Facebook’s algorithms, while also requiring the “copy-paste” behavior to make it spread. Earlier this year, Facebook announced that it would adjust what types of posts and content showed up in your feed to make less relevant, commercially-based posts appear less frequently. It didn’t take long for people to assume Facebook was censoring posts and blocking some of your friends.

This hoax takes that fear to a new level and urges participants to “sneak” into a separate Facebook news feed, accessible only by copying and pasting their message into a new post. The message specifically states that you will be able to “bypass” Facebook’s algorithms and see posts from friends you haven’t heard from in years.

Unfortunately, it’s not true. There is no secret backdoor Facebook newsfeed hidden beneath fancy computer code, and copying the message to share with all of your friends will only highlight the fact that you  fell for a phony message. Sadly, engaging in comments to inform your friends that their post is a hoax will have the same engagement effect and cause the hoax to continue to spread.

Whenever you come across a social media hoax, it’s better left untouched. Don’t click “like” or any of the angry/frustrated emojis, don’t comment on it and don’t share it, even accompanied by a message that warns people of the hoax. Any engagement you give it simply gives it more visibility and power. If there is anything dangerous or compromising about the post that could lead to loss of money or data, try to message the person who shared it privately and explain the issue.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

Social media has changed the way people interact with each other in both good ways and bad ways. It’s amazing to connect with people all around the world or to find a long-lost classmate from seventh grade. It’s something else altogether, though, to find yourself in a compromising situation because of something you posted online.

One of the more recent features of different social media sites like Facebook, Instagram or Twitter is the ability to broadcast live video to your followers. This feature can be fun and entertaining or even educational, but if you’re not sure how the platform works or what kind of surroundings you’re broadcasting from, you may be unhappy with the results.

1. How long is my video accessible, and who can see it? – Those questions depend on the platform you’re using. Twitter’s Periscope or the Meerkat platform, for example, are available to anyone who chooses to click on your name. Facebook Live can be limited, meaning you can broadcast to everyone or just to your friend’s list. Instagram Live, though, is by default set to allow anyone to see your video; you have to adjust that setting yourself if you want to keep it private.

As far as how long the video is available, there are key differences you should know before you press the button to go live. Instagram Live videos are gone the moment the camera turns off, but Facebook Live videos can repeatedly be viewed and at a later time.

2. What’s going on around you? – You’ve probably seen some viral videos with hilarious background images, such as an adorable wedding couple sharing the first kiss during their beach ceremony only to have a man in a tiny swimsuit standing behind them. It’s not so funny when the visible area behind your video contains anything incriminating, illegal or simply embarrassing.

Remember, depending on the platform and the settings, you might not control who can see your video. If anything behind you is a dead giveaway for your location, any of your identifying information or even the answers to typical security questions (i.e., posting a video on your birthday and mentioning it), you might be sharing far more than you intended.

3. Is this content allowed? – Each platform has regulations for what is and isn’t permitted, and it’s up to you as the user to know what they are. Obviously, behavior that violates copyright—like broadcasting live from a concert, movie, or other ticket-holder events—is a no-no; even if you don’t necessarily get in trouble, it’s still theft, and it’s wrong. Broadcasting live for anything other than journalistic reasons from a crime in progress can also land you in hot water with both the platform and law enforcement.

If you want to go live on social media, you need to be smart. Know how your platform works, understand your privacy settings and surroundings, and make sure it’s approved, beneficial content… then smile for the camera and enjoy!


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

For years, fraud experts have warned consumers about phishing attempts that try to steal money and identifying information. As people have become more aware of the threat, scammers have had to up the stakes in order to trick users into downloading malicious content to their computers or hand over their sensitive information.

One common approach is the “there’s something wrong with your account” email. These messages appear to come from a well-known company. It might claim your account has been suspended due to strange activity, an order you placed (or possibly didn’t place) is not shipping due to a problem with your credit card, or any other plausible scenario. The goal is to get you to click the link and submit personal information, such as login credentials, passwords or credit card info.

So how is a company supposed to inform you when there really is an issue with your account? A good example may be the one below:

The email informed the recipient of the need to take action on their account by exiting the message and logging in to the account themselves. Rather than the common ploy of having the victim click a button that supposedly redirects to their account, this message plays it safe: Leave this email, go to your account, login for yourself, and make sure your information is accurate.

Also, further below, there is a support number to call for help. That can be indicative of a scam, though, so beware; numerous scams have included phone numbers to call that simply redirect to the scammers, so anyone receiving this email should verify the phone number before calling. However, the information the recipient needs is laid out quite clearly in the email, and hopefully, no further support is even required.

At first glance, this email could look and sound just like any other phishing email, but the difference is in the action the recipient is to take. Instead of falling into a potential trap, the reader is only told to do the very same activity they would do if they had not received the message, namely, log into their account and make sure their profile is up-to-date.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Highly-sophisticated cyberattacks conducted with the help of someone “on the inside” might make for great Hollywood movies, but the reality for most businesses is far more mundane. As the recent data breach of UnityPoint Health proves, the planning might have been sophisticated, but the mechanism was as boring as an email sent to an employee of the company.

The only skillset the hackers needed in this breach was the ability to do some online sleuthing, figure out which executive to mimic, then contact someone within the company while posing as that executive. Unfortunately, “boss phishing,” as this is known, is so easy a middle schooler could do it. It simply means making a fake email account—either masquerading as a company email or even a free throw away account—and contacting someone, asking for login credentials or other data.

In this case, someone at UnityPoint fell for it. A phishing email asking for login credentials was received and responded to, simply because it looked like an email from a boss. From there, the scammer was able to log into the system and access emails, some patient records and more.

UnityPoint investigated the breach and has sent out notification letters to the affected patients, offering a year of credit monitoring for those whose Social Security numbers or drivers licenses were accessed. They’ve also included instructions to all of the affected individuals on how to request a copy of their credit reports and how to place freezes on their credit.

More importantly, the health system is conducting widespread employee training on how to spot a phishing email, how to respond, and how to develop the foolproof, unyielding habit of never giving out sensitive information without confirming the request first.

For the rest of us, the last part is absolutely vital. It doesn’t matter if it’s in the workplace or the living room, all tech users have to learn how to avoid phishing attempts. It does not matter what the mechanism is, such as email or social media message, and it doesn’t matter what the request is. Some messages will claim there’s a problem with your account or payment method on file, while others may accuse you of a crime like failing to pay your taxes or not showing up for jury duty. Whatever the reason, you’ve got to ignore the message and handle it yourself.

Rather than hitting reply or clicking the enclosed link (there’s almost always a link to click!), get out of the message and head directly to your account for whatever company or organization claims supposedly sent the message. Look into your account status there, and if you’re still unsure, contact the company directly through their verified contact method. If you receive any requests for information like bank account numbers, credit card numbers, passwords, or other sensitive data, it’s most likely a scam.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.