Cybersecurity tip: Steps you can take to protect corporate, personal identities

IT & Epic

Recently, a top official in the U.S. Executive Branch announced their Twitter account had been hacked.

“Hacking” a Twitter account usually means the person’s email address and password were obtained in some other breach and the bad guys tried that combination on Twitter.

Account compromises occur daily in a world where every website requires some form of username and password. Most websites (especially social media sites) use an email address as the username. If any of these websites is breached, or if you fall for a phishing attack, it is likely that your email address and password have been compromised as well.

If you have used the same email address and password on other sites, those compromised credentials can be used to log in to those other sites as well, potentially exposing any information they hold about you.

Five steps

Here are five steps to help you protect your online identity, particularly if any of your account information may have been involved in a documented security incident.

1. Use multi-factor authentication (MFA) for websites – Wherever possible, enable MFA for any account on any web application (including social media platforms) that supports it. Most MFA deployments will send a token to your email or to your cellphone via SMS. Verify that your email accounts have not been compromised recently before relying on email to deliver the MFA token. (See Step 2 below.)

2. Regularly check (at least monthly) the Have I Been Pwned website (haveibeenpwned.com) for each email account (corporate and all personal accounts) and each phone number assigned to you. This free service indexes data from known breaches and reports whether your information appears in any of them.

Once you enter an email address or cell phone number, it lists any breaches over the past several years in which that identifier, along with certain other types of your information, may have been disclosed.

Most likely, at least one of your personal email accounts will have been involved in one or more incidents. Pay careful attention to the types of data exposed in each incident. If your password has been exposed in any of them, change that password on the affected email account and on any other websites (or social media sites) where the same email address and password may have been used to log in.

If the Have I Been Pwned website shows that your Ballad Health email account has been compromised, see Step 5 below. Make sure your Ballad Health password is unique and entirely different from any password on any non-Ballad website where you have registered using your Ballad Health email address as the username. Do not use any Ballad Health password on any vendor or business-related website. If you believe your Ballad Health password is at risk of being compromised (because the same or a similar password is used on non-Ballad Health websites), change your Ballad Health password immediately and submit a ServiceNow ticket to IT Security containing the details from Have I Been Pwned.

3. Create a strong password – Strong passwords don’t have to be a string of numbers, letters and special characters that mean nothing to you. Most sites now accept long strings of letters and numbers, and some allow spaces within the password. The term “password” is giving way to “passphrase.” The longer the passphrase, the harder it is to guess. A passphrase should be something that is easy for you to remember. (e.g., “Dad Okinawa 1962,” “VRBO at Murrells Inlet!” etc.)

4. Store passwords in some type of password vault – A vault stores passwords securely and helps you keep track of which password is used where. Several password vault products are available for download from the internet, but do your research before selecting one, as several of them charge a subscription fee after a free trial. Here are a couple of options:

  • 1Password.com, a good password generation tool that can also store the username/password credentials for each website (and social media platform). Subscription cost after 14 days.
  • Most smartphones also provide password storage within the phone’s OS. As long as your smartphone has adequate security protections, this is also a viable way to store your passwords.

5. Ballad Health policy requires users to ensure their Ballad Health password is unique. This means the Ballad Health password/passphrase is not the same as, and does not resemble in any form, any password/passphrase used on any personal email account, social media site or other website account.

Several account compromise incidents have occurred because the password on a user’s personal email account was similar to the password on their corporate account. Once the personal email account was compromised, gaining access to the corporate account was much easier for the attacker because of that similarity.

Do not let yourself become a victim of password theft that also compromises your Ballad Health identity. Take the necessary steps to ensure your Ballad Health password is completely different from all of your other passwords.
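As an added example (not from the original article or from Ballad Health IT), here is how a breach check like Have I Been Pwned’s Pwned Passwords lookup works without ever sending the password itself: only the first five characters of its SHA-1 hash leave your machine, and the match is made locally. The range response embedded below is constructed for offline use; `fetch_range_live` queries the real api.pwnedpasswords.com range endpoint and is only needed if you want to check against the live service.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response for hash prefix 5BAA6.
# Real responses are lines of "<35-hex-char SHA-1 suffix>:<count>". The middle
# line is the genuine SHA-1 suffix of the word "password"; the other suffixes
# and all of the counts are made up for this example.
SAMPLE_RANGE_5BAA6 = (
    "0002A8D4F6A5A9E1B7C4D2E3F4A5B6C7D8E:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "FFFFA1B2C3D4E5F60718293A4B5C6D7E8F9:1\r\n"
)


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a 'SUFFIX:COUNT' range response into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the breach corpus (0 = no hit).
    Only the hash prefix is handed to fetch_range; the password and the full
    hash never leave this process (k-anonymity)."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Fetch a real range from the Pwned Passwords API (needs network access)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in that serves the constructed sample for prefix 5BAA6."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "VRBO at Murrells Inlet!"):
        hits = breach_count(candidate, fetch_range_sample)
        print(f"{candidate!r}: {'EXPOSED' if hits else 'no hit in sample'} ({hits})")
```

Any non-zero count means the password is in circulation and should be treated as compromised, regardless of how strong it looks.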

Conclusion

By following these five steps as part of your ongoing cybersecurity practices for your online presence, you can minimize the impact of data compromise incidents on both your personal and corporate data.

Thanks for taking the time to better understand the steps to protecting your online accounts!