Huge online attacks, such as the recent Adobe break-in, bring to mind a pressing question: What should we do if our credit-card data or sign-in credentials are stolen?
Plus, what steps will help minimize future exposures when large corporate sites are cracked — as they no doubt will be — by malicious hackers and cyber thieves?
A real-life experience with data theft
Let’s start with a potential worst-case scenario, as related by a Windows Secrets reader. To protect his privacy, I’ll call him KP. He was among the three million Adobe customers whose sign-in information — and in some cases credit-/debit-card data — was stolen in the recent, highly publicized breach of Adobe’s servers (more info).
Being a victim of the Adobe theft was bad enough, but KP (and many, many others) followed a practice that made things even worse: he reused the same username and password on many different sites. This meant that the one theft from Adobe instantly compromised his security at every other site where he used the same sign-in info!
Here’s the note he sent:
“The thieves who robbed Adobe’s data now have the username and password I’ve used on many sites. I’ve changed my password on the accounts I remember using, but I’m sure there are many accounts I’ve forgotten about. I’m now at risk of fraud on those accounts.
“I know that I should use a separate password for each account I set up, but that’s just impossible.
“Is there anything I can do? Help!”
Yes, there’s lots you — and everyone else who has sensitive data on webservers — can and should do, both when involved in a data-theft incident and as a general policy.