A list of nearly 5 million Gmail email addresses linked with passwords was leaked on a Russian Bitcoin security forum this week, but Google says not to worry. According to this article from Forbes.com, “There’s speculation that the addresses may have been stolen from other sites where people used their Gmail address as a log-in. Google itself says less than 2% of the leaked address-password pairs were current for Gmail.” That still means that 100,000 Gmail users need to change their password, and if you are one of those users, Gmail will contact you.
Google users concerned that their password has been stolen are advised to avoid typing their username and password into any website that claims to offer help determining whether or not your identity has been compromised. This method, known as a “honeypot,” is frequently employed by cyber criminals to steal even more identities after a large security breach. Similarly, other websites are distributing phishing messages claiming to offer help.
Users can, however, sleep easier tonight if they simply do the following:
- Change your password. Make sure you’re using a strong password unique to Google.
- Update your recovery options, so Google can reach you by phone or email if you get locked out of your account.
- Consider 2-step verification, which adds an extra layer of security to your account. With this security feature, in addition to knowing your password, one must also have your cell phone in their possession in order to log in. Google’s 2-step verification (known as “two factor authentication” in the security business) will send a text message to your cell phone when someone attempts to sign in. The text message includes a unique 6-digit code which must be entered to complete the sign-in process. Two factor authentication dramatically reduces the likelihood that someone will successfully access your account.
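The 6-digit code described above is only useful because it changes every time and cannot be guessed or replayed. The following is an added example, not Google’s code or anything from the original post, showing how such one-time codes are typically derived and checked on the server side using the HOTP/TOTP standards (RFC 4226 and RFC 6238, an authenticator-app style derivation rather than the SMS delivery the post describes, which is an assumption of this example). The shared secret is the RFC test secret; the verifier tolerates a little clock drift, compares in constant time, and refuses to accept a code a second time.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check for a submitted 6-digit code.

    Accepts the current period and +/- `window` neighbouring periods to absorb
    clock drift, and remembers the highest counter already consumed so the same
    code (or an older one) cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = None  # highest counter value that has already been accepted

    def verify(self, submitted: str, unix_time: int) -> bool:
        # Reject anything that is not exactly `digits` decimal digits before doing any work.
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            # Any counter at or below the last accepted one is a replay (or stale); skip it.
            if self.last_counter is not None and counter <= self.last_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


def new_secret(length: int = 20) -> bytes:
    """Generate a fresh per-user shared secret (20 bytes is the RFC 4226 recommendation)."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 / RFC 6238 test secret, not a real user's key.
    demo_secret = b"12345678901234567890"
    t = 59  # RFC 6238 test time; falls in counter period 1
    code = totp(demo_secret, t)
    print("code at t=59:", code)  # 287082
    v = TotpVerifier(demo_secret)
    print("first use accepted:", v.verify(code, t))    # True
    print("replay accepted:", v.verify(code, t))       # False
    print("wrong code accepted:", v.verify("000000", t))  # False
```

The replay check matters because a text message or authenticator code can be intercepted; once a code has been used to sign in, the verifier above will not honour it again, even inside the drift window.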
We blogged recently about the recent leak of private nude photos that celebrities had stored in Apple’s iCloud. This embarrassing incident could have been prevented with two factor authentication and the use of complex passwords.
A few final tips for healthcare organizations:
Educate your employees through Security Awareness Training about the steps they can take to help minimize the organization’s risk of a breach. Employees who are familiar with the techniques cybercriminals use are less likely to inadvertently cause a breach by falling victim to these schemes. Eagle offers a Security Awareness Training program that can be scaled to meet the needs of your organization and that includes simulated phishing messages combined with education for those who “take the bait.” Employees are more likely to take security seriously if they fully understand the risks associated with each type of criminal scheme, from identity theft to cyberespionage.
Update your Computer Usage Policy to ensure that employees are not sharing passwords, are not reusing passwords across multiple websites or software programs, and are changing passwords at least every six months. Another good tip is to avoid the practice of using “security questions” as an authentication method for password resets – the answers to these common questions are easy to locate for anyone who tries hard enough.