Yesterday, two significant data breaches were reported. Westpac disclosed that about 100,000 people had private data leaked through an attack on the recently PayID system and the Australian National University (ANU) said that the personal data of about 200,000 current and past students was accessed late last year and detected just two weeks ago.
The impact of these breaches is significant and a reminder that good cyber-hygiene is essential.
There are lots of things you can do to protect yourself if your data was accessed by a bad actor in one of these breaches. But I want to focus on the one thing we can all do; protect your user accounts with strong passwords and multi-factor authentication.
Always be vigilant
The ANU attack wasn't detected for about six months.
That might sound bad but it's about average when looking at most of the security reports that are released annually. So, your data may already be accessed by bad guys - you just don't know it yet. That's what you should always be vigilant and protect your user accounts.
Setting strong, unique passwords
It's pretty crazy to be saying this in 2019 but you really need to set a strong password or passphrase as a first protective layer on your user accounts.
Those passwords should be unique for each service you use so, if the password you use at one place is stolen, it cannot be used elsewhere.
Bad guys steal passwords from one place and then use them to attack others. A good example of this is that when Dropbox was attacked a few years ago, the bad guys used an account that was stolen in a LinkedIn breach.
Always use 2FA or multi-factor authentication
And, while SMS tokens aren't perfect - they're vulnerable to SIM-swap attacks - they're better than nothing.
Use a password manager
I took a look in my password manager the other day and found there were over 600 accounts stored in it over the years. There's simply n way I can remember that many passwords without taking shortcuts.
A password manager will help you with all those unique passwords and generate passwords that are hard to crack and you'll probably never see, much less remember.
The best password is one you don't know. A good password manager will handle that for you.
If your data was accessed in a breach
If your data was accessed in one of these or some other breach, it's time to change passwords on important services. Even if you don't use the same password across accounts, the data from the ANU breach, for example, could be used to create a fake ID or fool someone into allowing access into an account.
For example, a stolen phone bill is all that's needed to steal a mobile phone number, and then start intercepting SMS codes for your user accounts.