4. Have you been hacked?
Data breaches
A data breach happens when personal information is accessed, disclosed without authorisation or is lost.
Source: Data breaches by the Office of the Australian Information Commissioner.
Examples of data breaches
CSO Australia has tracked the 18 biggest data breaches of the 21st century (dated 12 Sep 2024). They include:
- Yahoo, 2013, 3 billion accounts
- Aadhaar, 2018, 1.1 billion of identity information
- Alibaba, 2018, 1.1 billion of user data
- LinkedIn, 2021, 700 million users
- Sina Weibo, 2020, 538 million accounts
- National Public Data, 2023, 2.9 billion records
The Office of the Australian Information Commissioner publishes statistics on notifiable data breaches.
Stopping data breaches
It is up to organisations and their employees to reduce the risk of data breaches occurring.
Data breaches: How they occur and how to prevent them has information and tips on how to prevent data leaks at UQ.
As an individual, you can reduce the impact a data breach will have by practising sound password and account management such as using secure passwords and two-factor authentication (this is covered later in the module).
Check if your data has been breached
Have you been pwned?
Check your email address on Have I been pwned!
It will tell you if websites associated with your email address have been breached.
This site was created by Troy Hunt, an Australian who works as a Microsoft Regional Developer. The site has an About section and an FAQ section explaining how the site works, along with information on its history and purpose.
If your email is connected to a security breach, and you reuse passwords for multiple sites, you may be at risk.
Groups or individuals will take large numbers of email addresses and associated passwords and start trying them on major websites like Facebook, Gmail, Instagram etc. They try these email and password combinations to get access to the accounts of anyone who uses the same password across all websites.
Recommendations:
- Don’t use the same password everywhere
- Be vigilant in checking your account security regularly
- Don’t use the same password for extended periods of time (2+ years).
The UQ Information and Communication Technology Policy states that if your password is less than 12 characters you should change it every 12 months.
How hacking happens
Data breaches can occur in a variety of ways, but the common element is someone gains access to a database of user information and either steals or copies and then sells or releases the data.
Brute force
Brute forcing in its simplest form is someone typing in a password of aaaa, aaab, aaac etc until they find the right combination. With today’s technology, a computer can check over 1 million password combinations a second. A lot of websites restrict how many passwords can be tried in a certain time frame before the account is locked or temporarily suspended.
When hackers breach a collection of users’ information, what they find and steal usually isn’t stored in plain text on the system. Instead, the cache of passwords is often converted into cryptographic hashes, random-looking strings of characters into which the passwords have been transformed to prevent them from being misused. It is these hashes that are brute forced to reveal your username and password.
Interested in learning more? Check out this article from Hive Systems – Are your passwords in green? (updated for 2024) on how to make more secure passwords.
Stopping brute force attacks
You can make it take longer to brute force your password by increasing the length and complexity of your password.
‘Abcdefghijklmnopqrstuvwxyz’ may be long, but it is not complex.
Most password cracking software uses what’s known as a dictionary attack to check popular words or phrases first, such as abc123, trustno1, drowssap, password123 etc.
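The two points above (length versus complexity, and dictionary checks) as an added example that is not part of the original module: a small Python password audit that estimates the worst-case exhaustive-search time at the 1 million guesses per second quoted earlier, and flags dictionary words, their reversals and simple sequences. The wordlist, the one-year threshold and all function names are assumptions made for illustration.

```python
import string

GUESSES_PER_SECOND = 1_000_000  # rate quoted in the text above
# Constructed sample wordlist: popular passwords named on this page plus two base words.
COMMON = {"abc123", "trustno1", "password123", "password", "qwerty"}

def charset_size(pw):
    """Size of the alphabet an exhaustive search must cover for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size

def is_sequence(pw):
    """True for runs such as 'abcdef' or '123456' where each character follows the last."""
    low = pw.lower()
    return len(low) >= 4 and all(ord(b) - ord(a) == 1 for a, b in zip(low, low[1:]))

def dictionary_hit(pw):
    """True if the password, or its reverse, is in the wordlist (catches 'drowssap')."""
    low = pw.lower()
    return low in COMMON or low[::-1] in COMMON

def brute_force_seconds(pw):
    """Worst-case seconds to try every combination of this length and alphabet."""
    return charset_size(pw) ** len(pw) / GUESSES_PER_SECOND

def audit(pw):
    """Classify a password; pattern checks run first because length alone can mislead."""
    if dictionary_hit(pw):
        return "weak: dictionary word"
    if is_sequence(pw):
        return "weak: predictable sequence"
    years = brute_force_seconds(pw) / (365 * 24 * 3600)  # assumed one-year threshold
    return "weak: short search" if years < 1 else "ok"

if __name__ == "__main__":
    for sample in ["aaaa", "drowssap", "Abcdefghijklmnopqrstuvwxyz", "T7#kp!Vz2qLm"]:
        print(f"{sample!r}: {audit(sample)}")
```

The 26-letter alphabet string is rejected even though a pure length calculation would rate it as effectively uncrackable, which is why the pattern checks run before the time estimate.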
Social engineering
Social engineering can be an effective method for some individuals to access a variety of accounts. Social engineering is the manipulation of people so that they give up personal information about themselves or others. This personal information is then used to access systems the person uses.
What is Social Engineering? (YouTube, 2m4s):
How to avoid social engineering
- Avoid having all your eggs in one basket (or the dreaded “single point of failure”):
Do not use the same email address for every site or service you use online. The more intertwined and dependent your accounts are the more widespread the damage a security breach can cause you. For example, don’t use your Gmail address for every service’s password recovery option.
- Use different logins for each service:
Never use the same password more than once. And make sure your passwords are strong.
- Use two-factor authentication:
After you have entered in a correct username and password you are prompted to confirm your identity in another way.
- Get creative with security questions:
The additional security questions websites ask you to fill in are supposed to be another line of defence, but often these questions are easily guessed or discoverable. You can shift the letters in your answer or use your own special coding system to make sure only you know those security answers, for example pordwass.
- Frequently monitor your accounts and personal data:
To be on the lookout for both identity theft and credit card fraud, check in with your account balances. You can use Google Alerts to check if your details have been posted online anywhere.
- Avoid falling victim to phishing emails:
Phishing emails are becoming harder to detect, and easier to fall victim to.