Security Market Segment LS
Friday, 13 May 2016 12:36

Tumblr hacked – email breached

By

Cyber criminals have obtained passwords to Tumblr user email accounts – don’t worry it only affects pre-Yahoo acquisition users.

Tumblr sent an email to its staff yesterday stating, ‘We recently learned that a third party had obtained access to a set of Tumblr user email addresses with salted and hashed passwords from early 2013, before the acquisition of Tumblr by Yahoo. As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts. As a precaution, however, we will be requiring affected Tumblr users to set a new password.’

So it’s a breach, probably based on legacy hardware and software. So as breaches go, given the then age and user numbers of the company, it is not too bad. WRONG!

Opinion

I don’t want to discourage start-ups, but the rush to market using cloud and low or no cost apps and tools to develop, is an accident looking to happen. By far the biggest security breaches come from using free or old development tools and poorly patched systems. Yahoo’s due diligence should have included a full audit of security measures and code resiliency. It is not as if they did not know of Tumblr’s past.

Before Yahoo’s acquisition Tumblr was regularly targeted – a big one in June 2011 coming from Tumblr user’s voracious appetite for porn resulted in email address logins and passwords being stolen via ‘click on this link for free adult material’. Then again at the end of 2012 over 6000 users caught worms from the site (or links to it). Then there was the biggie in 2013!

Solution

Nick FitzGerald, Senior Research Fellow at ESET has some words of advice. While many seem like motherhood statements, they are still ignored by too many.

  • Always use a strong password. By strong password, I mean very long, varied and complex with at least 14-16 characters. It is also best to include capitals, numbers, and symbols. Not all the systems will allow this but if possible, this is the best way to protect an account. Even better, if you can use such long passwords, use a phrase, such as a few lines from a poem or song you know well.
  • If you must use short passwords – less than 16 or so characters – avoid common words, simple keyboard patterns or personal information. Instead, use acronyms you will easily remember or spell words in a different way using phonetics and numbers. Of course, do not use the same password for all accounts.
  • Password managers are a handy way to have many different and optimally secure passwords without losing your mind. It is best to not write all of your passwords down without any security on your computer or phone. Also, as you are commonly required to change passwords regularly, password managers can eliminate most of that hassle, with some even enabling you to automatically change your passwords with each login.
  • To ensure maximum security for an account, it is strongly recommended to activate two-factor authentication. This increases security with an extra layer of protection that requires entering a unique code sent to another email address or mobile, or some other action involving a token carried by the account owner.

Tumblr has advice to and its eerily similar to Fitzgerald’s advice.

  • Choose a unique password for Tumblr. It’s a good practice to avoid repeating passwords for any of your accounts and to choose passwords that are a mix of letters, numbers, and symbols.
  • Make your password long - the longer, the better. We recommend passwords over 12 characters in length.
  • Always look for the reassuring lock emblem in your browser's address bar at login.
  • Never enter your Tumblr credentials on any site other than tumblr.com.
  • Never give an application access to your Tumblr account unless it is from a source you trust.
  • Never share your account credentials or mobile publishing email address with anyone.
  • Set up Two-Factor Authentication in your account settings, which makes it really difficult for impostors to access your Dashboard.
  • Make sure you have “Email me about account activity” turned on in your account settings.
  • If you use Tumblr on a public computer, always log out of your session by clicking on the Account menu at the top of the Dashboard and then clicking “Log Out” at the top of the menu.

WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.

REGISTER HERE!

LAYER 1 ENCRYPTION A KEY TO CYBER-SECURITY SOLUTION

Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.

DOWNLOAD!

Ray Shaw

joomla stats

Ray Shaw ray@im.com.au  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!

VENDOR NEWS & WEBINARS

REVIEWS

Recent Comments