Sunday, February 16, 2014

More Com-Pro-Mi-zes

Seriously?

Account data breaches can happen in all kinds of ways. Troy Hunt picks through some of the ways Tesco’s breach could have been pulled off:

Troy Hunt: The Tesco hack – here’s how it (probably) happened

Just a few tips:

  1. Use a good/free password manager to generate complex, strong, long random password strings (like this one you can have for free: €&ÖTÒC²ÿ­¦Aì:ÿ±ØF3`¹æ„åB£/¸4ö»„R+Üb"j9Ħ)  And use a different one for each online account. I personally recommend the free KeePass Password Safe but there are tons of great, free, open-source ones out there for the choosing.
  2. If you have a smartphone, you can often share that database across platforms to make it convenient, for example with MiniKeePass (for iOS).
  3. Don’t use your actual personal information (birthday, favorite things, actual/true answers to security questions); a password keeper can help you keep track of what answer you used. This way if those responses get hacked for the world to see, they can’t be used against you on other sites.
  4. Use a different email address to register for each of your “core” high-security/high-value account web-sites. Many online accounts use/require an email address for the account name. If one account gets breached, the attackers won’t be able to use that address on your other accounts. Most email clients (and some online email services) allow you to pull emails from more than one email account. That would let you aggregate all these different email addresses into one place.
  5. Log into websites with your account using your browser’s “Privacy/Private-browsing” mode.
  6. Log out of your account when you are done doing your business.
  7. Sign up one or more of your user-name/email addresses over at Have I been pwned? to proactively monitor for account breaches. Unless you are engaged in the security news industry, a number of critical days might pass before you hear on the mainstream tv/radio/internet news channels of a breach. If you hear it from the pros first, then you have a jump on getting your account credentials changed before someone uses/buys/abuses them. At least that’s the theory.
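
A quick self-check for tips 1 and 4, as an added example that is not part of the original post: it reads a password-manager CSV export and reports accounts that share a password and “core” accounts that share a login email. The column names (`title`, `username`, `password`, `core`), the function names and the sample rows are constructed for illustration and do not match any particular manager's export format.

```python
import csv, hashlib, hmac, io, secrets, string
from collections import defaultdict

# Constructed sample export; the column layout is an assumption for this example.
SAMPLE_EXPORT = """title,username,password,core
Bank,bank-7f3@example.com,Xq7#vT9!pLw2$kRz,yes
Broker,bank-7f3@example.com,T4&bz8@Wq1*eUo6,yes
Webmail,mail-2c9@example.com,9f$Gm2!sYc4^hNd8,yes
Grocery,shop@example.com,Summer2014,no
Forum,shop@example.com,Summer2014,no
"""

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def new_password(length=32):
    """Tip 1: a random password drawn from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def audit(export_text):
    """Return (reused_passwords, shared_core_logins), each a list of title lists."""
    key = secrets.token_bytes(32)   # per-run key: groups are keyed by a digest,
    by_password = defaultdict(list) # so the report never contains a password
    by_login = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        tag = hmac.new(key, row["password"].encode(), hashlib.sha256).hexdigest()
        by_password[tag].append(row["title"])
        is_core = row["core"].strip().lower() == "yes"
        by_login[row["username"].strip().lower()].append((row["title"], is_core))
    # Tip 1: every account should have its own password.
    reused = sorted(sorted(t) for t in by_password.values() if len(t) > 1)
    # Tip 4: a core account's login email should not be used by any other account.
    shared = sorted(
        sorted(title for title, _ in entries)
        for entries in by_login.values()
        if len(entries) > 1 and any(core for _, core in entries)
    )
    return reused, shared

if __name__ == "__main__":
    reused, shared = audit(SAMPLE_EXPORT)
    for titles in reused:
        print("same password:", ", ".join(titles), "-> replace, e.g. with", new_password())
    for titles in shared:
        print("core accounts sharing a login email:", ", ".join(titles))
```

Run it against a real export only on a machine you trust, and delete the plaintext export afterwards.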

Be safe.

--Claus Valca
