Posts Tagged: ‘passwords’

Scam of the day – March 29, 2015 – Video gaming network Twitch hacked

March 28, 2015 Posted by Steven Weisman, Esq.

Twitch, a live streaming video platform, has been hacked, putting users in danger of identity theft. Twitch, which has been around since 2011 and was bought by Amazon in 2014, capitalizes on the exploding interest in video games and broadcasts video game competitions and other video game related content. It is hugely popular. Unfortunately, anything popular will be a target for hackers and identity thieves, so it came as no surprise that Twitch accounts appear to have been hacked. Twitch is retiring users’ passwords and stream keys as well as disconnecting accounts from Twitter and YouTube.


Perhaps the biggest threat is to Twitch users who, as many people do, use the same password for all of their online accounts. Hackers often take advantage of this fact by hacking into websites with weaker security, stealing personal information and passwords, and using that information to access accounts that can be exploited for greater financial gain. The lesson, of course, is to use unique and complex passwords for each of your online accounts. This is not as difficult as it may sound, because a good way to choose a password is to pick a phrase such as IDon’tlikepasswords, which combines capital letters, small letters and a symbol, which in turn makes it a complex password. Then add a couple of symbols to this base password so it reads, for example, IDon’tLikePasswords!!! and then uniquely adapt this password with a few letters that describe the specific account so that, for example, your Amazon account password would be IDon’tLikePasswords!!!Ama. That is a strong password and a way to make unique, but easy to remember, passwords for all of your accounts.

Scam of the day – March 13, 2015 – Latest developments in the Sony hacking and data breach

March 13, 2015 Posted by Steven Weisman, Esq.

Nine former employees who had filed individual lawsuits against Sony in December and January in response to the massive hacking and data breach apparently done by North Koreans have joined together to file an amended class action lawsuit on their own behalf and on behalf of a large number of employees and former employees whose personal information was compromised in the massive data breach. Among the new information contained in the civil complaint filed by the former employees is a reference to a September 2014 audit done by PricewaterhouseCoopers that indicated that Sony did not do an adequate job of monitoring its systems. The complaint went on to assert that Sony has yet to contact all of its former employees to inform them whether or not their information was among that stolen. The lawsuit alleged that more than 47,000 Social Security numbers were taken in the data breach, including 15,200 from present and former employees who worked for the company as far back as 1955.


The hacking of Sony should be a wake-up call to all companies. Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions. The list of Sony’s failings is long. Data banks were not properly segregated. The company was particularly susceptible to phishing attacks. It retained personal information long after it was necessary, and it kept an unencrypted file entitled “Passwords” with a compendium of passwords, giving the hackers ready access to sensitive information. These are just a few of Sony’s failings.

The lesson to all of us as individuals is once again that we are only as safe as the places with the weakest security that hold our personal information. It is also a warning to us all to limit, as much as possible, the places that do hold that information. Many companies, including medical providers, a particularly rich target of hackers recently, request your Social Security number as an identifying number although they have no real need for it. We all should resist providing our Social Security numbers to companies that request them unless they have a legitimate need for them.

Scam of the day – January 6, 2015 – iCloud security problem fixed

January 6, 2015 Posted by Steven Weisman, Esq.

The security vulnerability in Apple’s iCloud exposed by a hacker who calls himself Prox13, about which I reported to you just the day before yesterday, has been promptly fixed by Apple. According to Prox13, the vulnerability enabled a tool called iDict to be used to hack iCloud accounts, effectively avoiding both security questions and two-factor authentication. What was unusual about this particular vulnerability was its disclosure: when “white hat” hackers find out about vulnerabilities in the various computer programs we use, they generally contact the companies directly in order to assist in the orderly remedying of the problem without alerting “black hat” hackers to the vulnerability, which they, in turn, would be able to exploit. Prox13 did not appear to be interested in using the tool for bad purposes; however, he went public with his discovery rather than contacting Apple directly to warn them of the problem.


You may remember that the recent nude celebrity photo hacking dealt with iCloud. However, the fault in those hackings was not with Apple, but rather with the individual celebrity iCloud users who did not take their own proper security precautions, such as using the very effective dual factor authentication, which would have prevented the hackers from gaining access to the celebrities’ photos. This is also a good lesson to all of us to use complex passwords, strong security questions and dual factor authentication whenever offered to protect our own security.

Scam of the day – June 23, 2014 – Duke University Press data breach

June 23, 2014 Posted by Steven Weisman, Esq.

Duke University has announced that its Duke University Press has suffered a data breach. Although no financial information was stolen, usernames and encrypted passwords were stolen. However, even though the passwords were encrypted, it is not uncommon for sophisticated hackers to use software programs to decipher passwords that are not particularly strong. This is just the latest hacking of an institution of higher learning. In just the last four months, personal information on more than 750,000 students was stolen in data breaches at Iowa State University, University of Maryland, North Dakota University and Indiana University.


Again, the advice to follow if you were a victim of the Duke University Press hacking is to change your passwords immediately. It also is a good time to consider changing your passwords for all of your password protected accounts and making them strong enough to withstand hackers’ decryption software. A good password will be a combination of lower case letters and upper case letters, figures and symbols. In order to make the passwords memorable, you can use a phrase, such as “IDon’tLikePasswords**”. You can also adapt the password to different accounts, such that you make your Amazon password “IDon’tLikePasswordsAMA**.” In this way you can establish easy to remember, but difficult to decipher, passwords.

Scam of the day – May 22, 2014 – The real danger in the hacking of eBay

May 21, 2014 Posted by Steven Weisman, Esq.

The online auction website eBay just announced yesterday that it had been hacked and that the names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth of as many as 112 million customers were stolen. At this time, it does not appear that credit card information was taken, but that is only of minor consolation. eBay is urging its customers to change their passwords for eBay and, if you are one of the many people who use the same user name and password for all of your accounts, you should change your user name and password for those accounts as well. If you are an eBay user, it is very important that you do this right away because it is already quite late. Although eBay only discovered this hacking within the last couple of days, the hacking went on between late February and early March, so hackers already have this information, which they may be using themselves or selling on the black market to identity thieves. eBay is already notifying its customers by email to change their passwords, but if you get such an email and it contains a link to change your password, I urge you not to click on the link. It may be a counterfeit phishing email from an identity thief posing as eBay, and if you click on a link in the email, you may end up downloading keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft. Instead, I suggest you go directly to the eBay website on your own, and not through a link, in order to change your password.

Even though the passwords stolen were encrypted, you should not feel too safe because if your password is not complex, there are computer programs that identity thieves use to break the encryption and gain access to your password.  Once they have that password and your user name, if you are one of the many people who use the same user name and password for all of your accounts, you are in serious jeopardy in regard to all of your online accounts including your online banking.


If you are an eBay user, go to the eBay website and change your password to a complex, but easy to remember, password that includes a combination of capital and small letters as well as other signs. Something like “Idon’tLikePasswords!!!” would actually be a great password and easy to remember. Also, make sure you use different passwords for each of your accounts so that when, not if, your password information is a part of a data breach, all of your accounts are not in danger. Again, a good way to remember your password is to take the basic password and adapt it to the particular account, such as “Idon’tLikePasswordsAmazon!!!” If you are an eBay user, you should be particularly vigilant because hackers have your contact information, so you are now more likely to receive personally adapted phishing emails. This is called spear phishing: the email you receive, purporting to be from a company with which you may do business, may be directed to you by name rather than “Dear customer” or the like. As always, remember my motto, “Trust me, you can’t trust anyone,” and never click on links in emails unless you have absolutely confirmed that they are legitimate. Also make sure that you have anti-malware and anti-virus security software on all of your electronic devices and keep these programs up to date with the latest patches.

Scam of the day – February 17, 2014 – Kickstarter hacked – the lesson for all of us

February 17, 2014 Posted by Steven Weisman, Esq.

Over the last couple of years I have often reported to you about data breaches at major companies that have been hacked. The recent Target hacking, although particularly large, was not particularly unusual. Two days ago, Kickstarter disclosed that it had been hacked. Kickstarter is a crowdfunding platform that helps creative people raise funds for their projects by appealing to the public. In the almost four years since it was launched, Kickstarter has helped fund more than 50,000 artistic endeavors. According to Kickstarter’s CEO, no credit card data of its customers was compromised; however, user names, email addresses, mailing addresses, phone numbers and encrypted passwords were stolen. This information can readily lead to identity theft through a technique called “spear phishing,” by which emails and text messages can be sent to the potential victims by name, which may make them appear more legitimate. These texts and emails lure people into either providing personal information under various legitimate appearing pretexts or clicking on links or downloading attachments riddled with keystroke logging malware that will steal all of the information from your computer or smartphone and use it to make you a victim of identity theft. In addition, people with weak passwords, such as the popular “123456” or “password,” may have their Kickstarter encrypted passwords easily unencrypted, providing access not only to the victim’s Kickstarter account, but possibly other accounts where the victim uses the same password.


If you are a customer of Kickstarter, change your password immediately and everyone who uses the same password for all of their accounts should change their passwords to unique passwords for each account.  You can get detailed information as to how to pick an easy to remember, complex password in my book “50 Ways to Protect Your Identity in a Digital Age,” but a simple rule is to use a phrase, capital letters, small letters and symbols, such as “ICan’tRememberit!!!.”  This is easy to remember and hard to break.  Also, make sure that you have the most current, updated anti-malware software and anti-virus software installed on all of your electronic devices including your computer, tablet and smartphone.

Scam of the day – March 6, 2013 – Evernote hacking danger

March 5, 2013 Posted by Steven Weisman, Esq.

Evernote is a popular online service that helps you store notes, files, web pages and images on all of your electronic devices. It has both a free service and a premium service for which you pay. Unfortunately, Evernote is also popular with identity thieves, as evidenced by its being hacked. Evernote announced the hacking a couple of days ago. According to Evernote, the hackers managed to steal the names, email addresses and encrypted passwords of its customers. Evernote is confident that its encryption program will protect the passwords of its users, but only time will tell. Evernote also stated that it did not believe that credit card numbers used by its premium customers had been accessed. Again, however, premium users of Evernote should be particularly vigilant in monitoring their credit cards. Despite its position that no passwords had been stolen, Evernote is requiring all of its customers to obtain new passwords. The ONLY place to do this is on Evernote’s website at


Users of Evernote should be particularly wary of an identity theft tactic called “spear phishing.” Spear phishing occurs when you get an email that lures you to a phony website or link where you are victimized either by providing information that is used to make you a victim of identity theft or by clicking on a link or downloading tainted material that installs a keystroke logging malware program, which steals all of the information from your computer including bank account numbers, Social Security number, credit card numbers and other information that makes you a quick victim of identity theft. What makes spear phishing particularly insidious is that, unlike most phishing emails, which never use your name, spear phishing is directed to you by name, which makes many people more trusting of the email. As I always say, “Trust me, you can’t trust anyone.” Identity thieves will be contacting people by email posing as Evernote and telling them that they need to change their password by clicking on a link contained in the email or by providing other information. Do not fall for this ruse. Evernote is not contacting people by email, but the identity thieves who stole their email list will be. The only place to change your password is  This is also another good example of the fact that your security is only as safe as the weakest place that holds your information. Limit the places that do have personal information about you as much as possible.

Scam of the day – January 1, 2013 – Smart phone identity theft risks

January 1, 2013 Posted by Steven Weisman, Esq.

One new year’s resolution that everyone should make is to take the steps necessary to provide greater security on their smart phones and other mobile devices. As anyone familiar with my recent book “50 Ways to Protect Your Identity in a Digital Age” knows, identity theft is rampant on smart phones and other mobile devices, as people who are careful to maintain the security of their computers fail to provide similar security protections on their smart phones and mobile devices. This is despite the fact that many of us do many of our financial transactions on these devices and store much sensitive information on them, such that if they are hacked into by an identity thief we are likely to become a victim of identity theft in short order.


Although there are many considerations in purchasing a smart phone, it is important to recognize that the popular Android has probably the least secure operating system and is most popular with identity thieves. You should also make sure that your smart phone or other mobile device provides for encryption of your data and use this feature to protect your information. All smart phones and mobile devices come with a host of features, many of which you don’t use. For security’s sake, disable those features that you don’t use to eliminate them as an avenue for identity thieves. Use a password to lock your smart phone or mobile device and make sure that the password you use is a good combination of letters, digits and signs. The word “password” is a lousy password. Pick one that is easy to remember, but difficult for a hacker to guess, such as “Safety1st!!!.” The added digit and multiple exclamation points make this a safe password. Look into remote storage of your smart phone’s information in the Cloud and make sure that you back up your information. Check with your particular smart phone or mobile device manufacturer to see what security software programs they advise. There are many free ones that work well. These may seem like excessive steps to take, but they are not. These steps will help prevent you from becoming one of the many people who will become a victim of identity theft this year.

Scam of the day – June 25, 2012 – Latest Facebook scam

June 25, 2012 Posted by Steven Weisman, Esq.

It is a relatively easy matter for someone to hack into the Facebook account of one of your friends.  The hacker then sends you a message with a link that you trust because it appears to be coming from one of your friends.  The link then takes you to a phony phishing page that appears to be a Facebook login page, where you insert your password to re-enter Facebook.  You have now turned over your Facebook password to the identity thief.  Once armed with that, the identity thief then has access to all of the information you have input into your own legitimate Facebook page, which often may have the information many of us use as security questions for services such as online banking.  Since many people make the mistake of using the same password for everything, you have now provided the identity thief with both your bank account password and information necessary to answer your security question.  At that point the identity thief has enough information to empty your bank account.


Use different passwords for different accounts and change them on a regular basis. When determining security questions, consider whether people would be able to readily access the information necessary to answer your security question from information that may be available online. Never click on links from strangers and never click on links from friends who may have been hacked until you have actually spoken to them to confirm that the link is from them. Even then you should exercise caution because your friend may unwittingly be passing on a link tainted with malware. While on Facebook, if a link takes you back to a Facebook log-in page, immediately exit the browser. Do not type your password in.