There has been a lot of talk in the security industry surrounding the recent data breach experienced by database marketing vendor Epsilon. As detailed in reports, the company’s email system was broken into, enabling the attacker to obtain information such as names and email addresses associated with Epsilon’s customers. Trend Micro researcher Rik Ferguson listed a number of the affected customers in his CounterMeasures blog entry here.
Last year, I talked about how users are not fully aware of the consequences of having their email accounts compromised as well as how such instances can lead to information and identity theft. I think the points I raised then are things that users, especially those affected by the breach, should fully understand. While this breach did not involve user passwords or access to the email accounts themselves, a number of risks still exist.
In many ways, our email account is like the backbone of our online profile. Regardless of how much we favor social media in terms of communicating (as opposed to email), most if not all social media channels require users to sign up for an email account before being able to communicate with others at all. More importantly, transactions related to online banking, online shopping, and booking flights or hotel accommodations online are all dependent on the user having a valid email account to which important information can be sent. Needless to say, email accounts contain valuable and personal information and should be appropriately secured.
Now, considering the nature of information exposed by the breach, its effect is quite comparable to an attacker getting a sneak peek of the contents of users’ inboxes. While the attacker cannot directly access the victim’s email account, they do know some of the types of email the user typically receives (in relation to whichever Epsilon customer the user is associated with). This places the affected users at greater risk of being victimized by many known Web threats such as spear phishing and spam attacks.
Under such circumstances, users—whether affected by the breach or not—are strongly urged to take action and to secure their email accounts as soon as possible. Steps to do so may include:
- Make sure you don’t use publicly available information in the password-recovery process of your email provider. It was mentioned that “only” names and email addresses were acquired by the attackers during the breach. However, this may not stop them from trying to break into the email accounts through different means, one of the most likely being the password-recovery process.
- Do not reuse passwords for different accounts, be they email, social networking, or any other account. In relation to the first tip, if an attacker successfully breaks into the user’s email account, the attacker may try to use the credentials to log in to other accounts such as social networks in hopes of accessing these as well.
- Make sure your password is complex enough to prevent casual brute forcing, and change passwords regularly. Using brute-force attacks to break into accounts is a technique commonly used by cybercriminals. Thus, using fairly complex passwords can provide added protection and can prevent attackers from easily breaking into users’ accounts.
- Be extra cautious of email messages asking you to click links or to confirm personal information. Phishing attacks, particularly their email components, are crafted to appear legitimate and to persuade you to follow their instructions. A better alternative is to go directly to a trusted website and conduct your business there.
- Use a password manager to securely store passwords. This has the additional benefit of allowing you to use extremely complex passwords with all sorts of random letters, numbers, and symbols that you may not be able to memorize.
Most importantly, users should always follow online best practices. Bear in mind that similar threats are out there and are likely to appear again. Just when we think everything is safe, we may fall victim to yet another malicious scheme.