It was announced yesterday that WordPress.com was hacked. They are still investigating the extent of the breach and what data may have been compromised.
They recommend some preliminary measures: change your passwords, don't re-use passwords across sites, and use a password manager. All of these are good, necessary measures to protect yourself.
This is what I recommend you should do to protect yourself:
1. Change your username and/or email address in addition to your password.
2. Regenerate your API keys for Webmaster Tools if you use them.
3. Check your settings for data you don't recognize (such as links to malicious ads).
4. Be wary of suspicious emails or SMS messages over the next few months, especially ones asking you to reset a password. Your phone numbers and e-mail addresses may have been exposed, and a breach like this is exactly what phishing campaigns are built on.
5. If you run a self-hosted WordPress site and use the Jetpack plugin, reset your WordPress.com password too: Jetpack requires a WordPress.com account, so that account was in scope as well.
WordPress.com has calmed a lot of customers down by being transparent about the initial incident in their blog post. Hopefully they will keep communicating once the investigation is complete.
Take note that having a blog on WordPress.com is different from having your WordPress blog hosted on Go Daddy, Dream Host, Media Temple, etc. Read more about the differences between WordPress.com and WordPress.org.
I would check back on the WordPress.com blog and look for any updates.
The comment section also provides good insight into customer sentiment and any additional details provided by WordPress.
I recently saw a post on Twitter where someone extolled their love for the password manager software they use. They also mentioned the information that was stored in it, the type of information that is the secret sauce to a person’s identity: user names, passwords and banking information.
While I think the use of password management software isn’t entirely a bad idea (as long as you have other defenses in place), I do believe it’s a bad idea announcing WHAT YOU USE to store the recipe for your secret sauce, particularly when it’s on a social networking website, for everyone to see. That’s akin to announcing to the whole world the name and model number of the safe I use at home, what’s stored inside and where it is. But I’m still using a safe, so I’m secure right? No!
Posting critical information like that to a social networking website makes you a likelier target for hackers. It is easy for them to build a profile of a person from their blog, Twitter and Facebook accounts, then plan a social engineering attack. The attack may come in the form of gaining your trust, then sending you a malicious file to execute. A simple search for 1Password or KeePass on Twitter will show you plenty of users announcing which software they use.
While the secret sauce may be encrypted, if the computer is infected with a trojan horse that has keylogging features, the encryption no longer protects you: the master password is captured the moment you type it, and the database it unlocks goes with it. If you don't keep your operating system up to date, run anti-virus and use a firewall, you are even more susceptible to your secret sauce being revealed.
The other question to ask yourself is, where do you store this information? Is that encrypted file on a laptop or desktop? What if the laptop is lost or stolen? Hopefully there is a backup. And a backup of that backup.
Rule of thumb: The more information you reveal about your computer’s defenses, the more vulnerable you become.
What concerns me is how easily this lack of knowledge spreads via Twitter, giving people who aren't as technically savvy the wrong idea. I can guarantee a lot of people will try out the password manager but forget to do everything else, like updating their browser, anti-virus and operating system and installing a firewall. If that's the case, they will have all their eggs in one basket, ripe for the picking.
Title sounds ridiculous, doesn't it? But it's true!
I’m sure by now, everyone has heard how Sarah Palin had her Yahoo E-Mail account illegally accessed during the 2008 US presidential election campaign. The account was accessed by providing the correct answers to security questions presented by the password retrieval system on Yahoo E-Mail.
I won’t focus too much on the details of what happened, instead I want to focus on how this applies to everyone else.
The key takeaway is that this can happen to anyone. In this case, the so-called 'hacker' wasn't even the typical hacker you usually hear about. According to the article, he lacked in-depth knowledge of computers. All he had to do was search the Internet for the information.
You're probably reading this thinking it could never happen to you. If you use Twitter, Facebook, LinkedIn, discussion forums, or any other form of social networking, think again.
Why? Because social networking sites contain a wealth of personal information about you, and that information could be used against you the same way it was used against Sarah Palin.
For example, in the article, one of Sarah Palin's security questions asked for her birthday. David Kernell found the information on Wikipedia. While we aren't all famous enough to have a Wikipedia page, the same type of information can easily be gleaned from Twitter or Facebook. Some people even announce on Twitter that it's their birthday! Thanks!
Obviously, one piece of information (the birthday) is likely useless on its own, but combined with other pieces it can be enough. In this situation, public information was used to get into a private e-mail account by answering the security questions meant for recovering a lost password, which means the account was only ever as strong as the most searchable answer.
So what are the lessons learned to avoid this situation?
- Always use a FAKE answer to the security questions that are part of any password retrieval system on the Internet. Treat each answer as a second password: random, unique per site, and stored in your password manager so you can still recover the account yourself.
- Never give a security question an answer that could be taken from social networking websites, or from any other public source such as Wikipedia, a company bio or a domain registration record.
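The two lessons above can be turned into a small tool: screen the answers you would honestly give against the facts an attacker could scrape from your public profile, and generate random replacements to keep in your password manager. This is an added example written for this page, not code from the original post or from any password manager; the `PUBLIC_FACTS` profile and the sample questions are constructed for the example, and the date spellings it checks are an assumption about what a guesser would try.

```python
"""Screen security-question answers against a scraped public profile and
generate random replacements to store in a password manager (added example)."""
import re
import secrets
import string
import unicodedata
from datetime import date

# Constructed sample: the kind of facts an attacker can pull from a public
# profile or a Wikipedia page. These values are made up for this example.
PUBLIC_FACTS = {
    "birthday": date(1985, 3, 17),
    "hometown": "Springfield, Illinois",
    "high_school": "Riverdale High School",
    "spouse": "Pat",
    "pet": "Rex",
}


def _normalize(text: str) -> str:
    """Lower-case, strip accents and drop everything but letters and digits,
    so 'Riverdale High!' and 'riverdale high' compare equal."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _date_variants(d: date) -> set:
    """Spellings of a date a guesser would try (assumed list): 03/17/1985,
    17031985, March 17 1985, 1985-03-17, March 17, ..."""
    fmts = ["%Y-%m-%d", "%m/%d/%Y", "%d/%m/%Y", "%m/%d/%y", "%B %d %Y",
            "%b %d %Y", "%d %B %Y", "%B %d", "%m%d%Y", "%d%m%Y"]
    variants = {d.strftime(f) for f in fmts}
    # Unpadded forms: 3/7/1985 rather than 03/07/1985.
    variants.add(f"{d.month}/{d.day}/{d.year}")
    variants.add(f"{d.month}{d.day}{d.year}")
    return variants


def _public_tokens(facts: dict) -> set:
    """Everything derivable from the profile: whole values, each word of a
    value ('Riverdale' alone is a common answer) and every date spelling."""
    tokens = set()
    for value in facts.values():
        strings = _date_variants(value) if isinstance(value, date) else {value}
        for s in strings:
            tokens.add(_normalize(s))
            tokens.update(_normalize(w) for w in re.split(r"[\s,]+", s) if len(w) > 2)
    return {t for t in tokens if t}


def is_guessable(answer: str, facts: dict) -> bool:
    """True if the answer is too short to resist brute force, or contains /
    is contained in anything derivable from the public profile."""
    norm = _normalize(answer)
    if len(norm) < 4:
        return True
    return any(len(tok) >= 3 and (tok in norm or norm in tok)
               for tok in _public_tokens(facts))


def random_answer(length: int = 20) -> str:
    """A CSPRNG-generated alphanumeric answer; treat it like a password."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answers_for(questions, facts: dict, length: int = 20) -> dict:
    """One random, non-guessable answer per question. Store this mapping in
    the password manager entry for the site so recovery still works for you."""
    out = {}
    for q in questions:
        ans = random_answer(length)
        while is_guessable(ans, facts):   # resample on a rare substring collision
            ans = random_answer(length)
        out[q] = ans
    return out


if __name__ == "__main__":
    # Constructed sample of the answers someone might honestly give.
    honest = {
        "What city were you born in?": "Springfield",
        "What is your date of birth?": "03/17/1985",
        "What was your first pet's name?": "Rex",
    }
    for q, a in honest.items():
        print(f"{q:35} {a!r:15} guessable={is_guessable(a, PUBLIC_FACTS)}")
    for q, a in answers_for(honest, PUBLIC_FACTS).items():
        print(f"{q:35} -> {a}")
```

Run it as-is to see every honest answer flagged and a fresh random answer generated for each question. The profile dictionary is the part worth maintaining: the more of your own public footprint you put in it, the more useful the audit becomes, and it still never leaves your machine.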
I'm not trying to say people should stop participating in online social networking. I'm just saying people need to be careful about what information they post online. They need to think about how that information could be used against them, now or in the future.