
Thursday, June 7, 2012

(I) How you can mitigate the LinkedIn and e-not-so-Harmony breaches -LastPass

Be aware that hackers write scripts that take compromised credentials and attempt to log in to other websites with them; it is easy to do... Presidential candidate Mitt Romney had his email account hacked, and the hackers tried the same credentials on his Dropbox account and, lo and behold, they were the same... Two birds with one stone... Popped and pwned... And WHY password reuse is a bad, VERY bad idea! The same thing happened with the Gawker hack in late 2010.

Use the LastPass LinkedIn tool to see if your account is within the hacked credentials:

LastPass LinkedIn hacked account tool website

While checking my own LastPass vault for any exposure from the LinkedIn breach, I stumbled upon two bugs that I worked with LastPass to verify: one caused by Firefox version 13 (don't upgrade), the other in their Security Challenge. But I also found a way to use LastPass to check and remediate your credentials when a cloud provider is breached.

First off, I am assuming that, like most users, you indeed use the same 'name@email.com' username and 'password' for multiple websites. It goes without saying that you should never use the same password for multiple websites, especially since most usernames these days are your email address, but many people do, so we will roll with it for this example.

I was curious whether my own LastPass vault of 170+ logins had any username/password combos that matched my LinkedIn credentials, or whether any were in fact duplicates...

I recalled the LastPass Security Challenge, which I have blogged about before (found here):

LastPass Security Challenge website

And I recalled that it shows you sites that share a password, grouped by similar password, and it nicely shows the username for each site within a grouping.

So how do you use this to check and remediate?

First: Install and use LastPass, of course.
Second: Run the LastPass Security Challenge, either by selecting "LastPass icon - Tool - Security Check" or by using this URL:

Third: Once the Challenge completes, scroll down to the 'Sites with similar passwords' area. There will probably be several groups since you reuse passwords, and you will see all sites with the same password grouped together (the password is NOT visible unless you select 'Show').

Review the list(s) to see whether a username (your email) from a site that was compromised (LinkedIn, eHarmony, Zappos, Gawker, etc.) matches other sites where you are using the same password. If it does... Visit each site, change your password (use the LastPass unique password generator) and update your vault!

You can quickly go through all similar credentials and change them to something unique, so you don't have this issue the next time a service you use gets popped, and it will, bet on it!

* NOTE: LastPass ignores case and spaces in the Challenge's evaluation, so some passwords may be grouped as similar when they are actually quite different. They do this because some sites convert passwords to one case and strip spaces.
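To make the grouping and review steps above concrete, here is an added example (my own script, not LastPass's code) that applies the same "ignore case and spaces" comparison to a vault export and reports which sites share a username and a similar password with a breached site. The CSV columns and every row are constructed for the example; the breached-site list is the one named in this post.

```python
import csv
import io
from collections import defaultdict

# Constructed sample vault export (assumed CSV columns; every row is made up).
SAMPLE_VAULT_CSV = """url,username,password,name
https://www.linkedin.com/,me@example.com,Correct Horse,LinkedIn
https://www.dropbox.com/,me@example.com,correcthorse,Dropbox
https://www.zappos.com/login,me@example.com,CORRECT horse,Zappos
https://bank.example.com/,me@example.com,x9!Lq2#vP0,Bank
https://forum.example.org/,other@example.com,correcthorse,Forum
"""

# Breached services named in the post, as the hostnames used in the sample rows.
BREACHED_SITES = {"linkedin.com", "eharmony.com", "zappos.com", "gawker.com"}


def normalize(password):
    """Mirror the Security Challenge's comparison: ignore case and spaces."""
    return "".join(password.split()).lower()


def host_of(url):
    """Reduce a URL to its hostname, dropping scheme, path and a leading www."""
    host = url.split("//", 1)[-1].split("/", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def group_similar(vault_csv):
    """Group vault entries by normalized password, keeping only groups with
    more than one site: the 'Sites with similar passwords' list."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(vault_csv)):
        groups[normalize(row["password"])].append((host_of(row["url"]), row["username"]))
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}


def at_risk(vault_csv, breached=BREACHED_SITES):
    """For each breached site in the vault, list the other sites where the same
    username is paired with a similar password (the credential-stuffing case)."""
    findings = {}
    for sites in group_similar(vault_csv).values():
        for host, user in sites:
            if host in breached:
                findings[host] = sorted(h for h, u in sites if h != host and u == user)
    return findings


if __name__ == "__main__":
    for breached_site, exposed in at_risk(SAMPLE_VAULT_CSV).items():
        print(f"{breached_site}: change the password on {', '.join(exposed)}")
```

The bank entry never appears in the output because its password is unique, while the forum entry is left out because it uses a different username, which is exactly the distinction the review step asks you to make.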

Again, LastPass rocks! And it allows you to quickly remediate any username/password issues you might have after a breach of a cloud provider you use!

Want to know whether an email address you use has a known password exposed in one of the many breaches? Check it using the following website:

Pwned List website

Put in your email address(es) and see if it shows up. If it does, you have a LOT of passwords that need changing.

#InfoSec #LastPass