It’s ironic that the leak occurred through a hack of one of their employees’ GitHub accounts, and that if the employee had enabled two-factor authentication, the leak would not have happened.
One of the key things to point out is that this wasn’t much of a hack either: the account was protected by a very weak password, something along the lines of “admin”, so the culprit simply guessed it and got in.
Learn more about two-factor authentication in our comprehensive guide!
While it is unfortunate 8tracks was attacked (it’s an excellent service), there are some key lessons to be learned here:
1) Not only big names get hacked
Attackers go after any vulnerability on any website; no website, online service, or app is exempt from security threats. Businesses that offer services through a web or mobile app must offer 2FA.
In this day and age, one of the most common ways to obtain crucial information on a person is social engineering: one detail about you is used to pry loose further details, until the attacker ends up with access to your utility services, bank accounts, etc. It all starts with a single piece of information, say your date of birth, that could easily be obtained from an account such as your 8tracks one. Hence it is crucial to protect every piece of information, on every account.
2) Secure your social accounts with 2FA
8tracks mentions that users who used Facebook or Google to authenticate are safe from this incident. However, this is misleading, as 40% of all breaches involve social engineering (according to Verizon’s 2017 Data Breach Investigations Report). If you’re using Facebook, Google, or any other social identity to authenticate with multiple services, you’re putting all your eggs in one basket, so enable 2FA on all social accounts.
Otherwise, all a hacker needs is your email and password (which is inherently weak) to log into Facebook, and then into everything else. And if you have no 2FA and a publicly visible Facebook account, they can reset your password with a few bits of information (such as your date of birth, who you take pictures with most often, where you went to school, etc.).
3) Passwords are weak
Hashing and salting is a great practice for the service that stores your password, but a weak password is already insecure before it gets there. Using a long string of random characters is the best way to go, for example a 15-character password containing lowercase and uppercase letters, numbers, symbols, etc.
While that seems rather strenuous and near impossible to remember, there are simple ways to make this option easy to remember too, such as using a pathway password. This means you pick a spot on your keyboard where your string starts and one where it ends, after which all you must do is choose a path between them and remember it. Say something along the lines of 3edxcft6yhnMki90.
Another, more convenient option is to use password management software such as LastPass. It will automatically generate a secure password for you and keep it safely in a vault. And when you log in to a service, it will fill in the information for you. We recommend giving it a try.
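As an added illustration (not code from the original post or from 8tracks), here is a registration-time password check that encodes the lessons above: it rejects the kind of guessable password behind this breach and also measures keyboard-walk runs, because pathway passwords like the example above follow the physical key layout, a pattern that password-cracking tools generate as well. The denylist, the thresholds and the sample passwords are constructed for the example.

```python
# Constructed denylist; a real service would load a large breached-password list.
COMMON_PASSWORDS = {"admin", "password", "123456", "qwerty", "letmein"}

# Unshifted US QWERTY rows with an approximate horizontal offset per row, so that
# physically neighbouring keys (diagonals included) end up within one key width.
QWERTY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
ROW_OFFSETS = (0.0, 1.5, 1.75, 2.25)
KEY_POS = {
    key: (r, ROW_OFFSETS[r] + c)
    for r, row in enumerate(QWERTY_ROWS)
    for c, key in enumerate(row)
}

def adjacent(a, b):
    """True if keys a and b are distinct and physically neighbouring on the keyboard."""
    pa, pb = KEY_POS.get(a.lower()), KEY_POS.get(b.lower())
    if pa is None or pb is None or a.lower() == b.lower():
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1.0

def longest_keyboard_walk(pw):
    """Length of the longest run of consecutive, keyboard-adjacent characters."""
    best = run = 1 if pw else 0
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best

def check_password(pw, min_length=15, max_walk=5):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in common-password denylist")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Character classes present: lowercase, uppercase, digit, symbol.
    classes = sum(any(test(c) for c in pw) for test in
                  (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    if classes < 3:
        problems.append("fewer than three character classes")
    walk = longest_keyboard_walk(pw)
    if walk > max_walk:
        problems.append(f"contains a {walk}-key keyboard walk")
    return problems

if __name__ == "__main__":
    # "xK9#qpL2vRt7mWz" is a constructed random-looking password for comparison.
    for candidate in ("admin", "3edxcft6yhnMki90", "xK9#qpL2vRt7mWz"):
        print(repr(candidate), check_password(candidate) or "OK")
```

The pathway example passes the length and character-class rules yet is reported as a single 16-key walk, which is exactly what makes it memorable.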
4) It’s up to all of us to be digitally safe
Businesses must educate employees and users about online safety and offer tools like 2FA. Yet it’s up to users to use these tools: even the very best security systems are useless if you don’t turn them on, or if you combine them with tools that are weak or easy to socially engineer. So set a secure password, enable 2FA and limit the amount of data you share and store online.
No matter the level of irony, this won’t be the last time this happens. Let’s all learn: businesses and users alike need to become more responsible online.