Entries in Passwords (9)


Evernote Resets All Passwords After Service is Hacked

(NEW YORK) -- The next time you log in to your Evernote account, don't be surprised when you are asked to reset your password. The web and app-based digital notebook service reset all user passwords after a "coordinated attempt to access secure areas of the Evernote Service."

While Evernote states on its blog that no user content was accessed -- that means no personal notes in people's Evernote notebooks -- it does believe the hackers were able to access usernames, email addresses associated with the accounts and encrypted passwords.

"While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure," Evernote wrote on its blog. "This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords."

All Evernote users will now be forced to change their passwords when they sign into their accounts via the web or mobile app.

The Evernote security breach comes after a long line of other Internet company breaches.

In early February, Twitter announced that approximately 250,000 Twitter accounts were compromised in a sophisticated attack.

Facebook and Apple were also targets of attackers, though both companies said that no user data was compromised.

Evernote has been the only hacked company to require a password reset for all of its users.

"We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience," the company said in a statement on its blog Sunday. In June 2012 the company had more than 34 million users.



Copyright 2013 ABC News Radio


Data Privacy Day: Cyber Security Experts Call for Better Online Protection

(NEW YORK) -- Coming up with and remembering yet another password can be quite a task.  But Monday is the day to do it.

Jan. 28 is Data Privacy Day.  It's an effort by cyber security experts to remind people about protecting their personal information online.

"What we want people to do is take all the good habits that they have offline, and transfer that to the online environment," says Scott Vernick of the Philadelphia law firm Fox Rothschild, which handles data security cases.

He suggests using multiple passwords as a key step in protecting yourself online.

"Making sure that you are, you know, not just using the same password for every device, or for every account you have online.  But, using different ones, even though that's obviously more cumbersome and more awkward in changing them frequently," Vernick says.

If you do become the victim of identity theft, Vernick says you should first work on protecting your credit.

"Immediately what I would do is...I would contact one of the credit reporting agencies and I would put...ask them to put a freeze on all your accounts," he says.

You should then call your credit card companies, followed by a call to the police, Vernick advises.

Copyright 2013 ABC News Radio


Skype Fixes Major Password Security Hole

(NEW YORK) -- It's not a good week for password security. Only a few days after Twitter reset a number of passwords because of a security breach, Skype also has had a password security problem.

Early Wednesday morning it was found that Skype's password reset tool had been compromised. The flaw was discovered by Russian hackers and first reported by the tech site Next Web: all that was needed to get into a Skype account was a Skype user name and the associated email address. The typical security roadblocks to getting into an account weren't in place; the tool didn't ask a user to confirm an email address with an email or answer a security question.

In response, Skype, which is now owned by Microsoft, first disabled the password reset feature Wednesday morning. But by 11 a.m. ET it had made updates to the tool. It now assures users that it is working properly. Skype claims only a small number of users were affected.

"This issue affected some users where multiple Skype accounts were registered to the same email address," Skype said in a statement on its website. "We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users, and we apologize for the inconvenience."

Something different happened with Twitter earlier in the week. After an unknown website or online service compromised some accounts, Twitter users received an email notification asking them to choose new passwords. Twitter admitted that it reset more passwords than it should have. "In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused," the company said.

Why is this happening? "The systems themselves can be compromised in a few ways. For instance, internally they might be missing patches that are allowing criminals to access servers," Robert Siciliano, an online security expert with McAfee, told ABC News. "You might have all the doors, but the locks are broken. With Skype and Twitter this week, they might have the systems in place, but they don't have the latest, greatest security to combat the certain attacks."

In this case, Siciliano couldn't offer any concrete user action, since this is really on the companies themselves. "It is beyond your control. If their systems are not set up properly, it really is buyer beware. Never assume these services, especially the free ones, have bullet-proof security systems."

Copyright 2012 ABC News Radio


Twitter Asks Users to #Reset Passwords

(NEW YORK) -- Attention Twitter users: If you’ve tried to access your Twitter account Thursday, many of you couldn't.  You’ll have to #reset your password, to use Twitter-speak.

The microblogging service may have had a record 20 million tweets about the election on Tuesday, but now many Twitter users have received an email notification asking them to choose new passwords after an unknown website or online service compromised some accounts. A few high-profile users, including TechCrunch, were affected.

Once users reset their Twitter passwords, naturally, they took to the Twitterverse to complain about having to do it.

“We’re committed to keeping Twitter a safe and open community. As part of that commitment, in instances when we believe an account may have been compromised, we reset the password and send an email letting the account owner know this has happened along with information about creating a new password. This is a routine part of our processes to protect our users,” Twitter said in a statement on its blog.

When asked if Twitter was hacked or if this was a possible security breach, Twitter spokeswoman Carolyn Penner said it was not.

Twitter, however, admitted that it reset more passwords than it should have. “In this case, we unintentionally reset passwords of a larger number of accounts, beyond those that we believed to have been compromised. We apologize for any inconvenience or confusion this may have caused,” the company said.

Twitter also encouraged users to read about how to protect their accounts and make their passwords secure. To reset a password, Twitter recommends that users type the reset link into their browser. Often, hackers can access your password by tracing the original link from the notification.

Many argue that Twitter, like Google, should implement stronger security, including two-factor authentication, which, if enabled, forces users to type in two passwords.  “We’ve certainly explored two-factor authentication among other security measures, and we continue to introduce features, such as https, to help users keep their accounts secure,” Twitter told TechCrunch.

Copyright 2012 ABC News Radio


That's Weak! The Top 25 Passwords People Use but Shouldn't

(NEW YORK) -- People never learn.  If they did, they wouldn’t use the same weak passwords over and over and over again.

That’s the finding of SplashData, which has just released its annual “25 Worst Passwords of the Year” list.  Compiled from files filled with millions of stolen passwords that hackers posted online, the usual suspects retained the top three spots on the list: “password,” “123456” and “12345678.”

Overall, there wasn’t much movement among the top 25, although several new weak passwords made their debuts, including “Jesus” and “ninja.”

Here are the top 25 from SplashData, a leading provider of productivity applications for smartphones:

1. password (unchanged)
2. 123456 (unchanged)
3. 12345678 (unchanged)
4. abc123 (up 1)
5. qwerty (down 1)
6. monkey (unchanged)
7. letmein (up 1)
8. dragon (up 2)
9. 111111 (up 3) (up 1)
11. iloveyou (up 2)
12. trustno1 (down 3)
13. 1234567 (down 6)
14. sunshine (up 1)
15. master (down 1)
16. 123123 (up 4)
17. welcome (new)
18. shadow (up 1)
19. ashley (down 3) (up 5)
21. Jesus (new)
22. michael (up 2) (new)
24. mustang (new)
25. password1 (new)

Copyright 2012 ABC News Radio


eHarmony Passwords Stolen by LinkedIn Hackers

(NEW YORK) -- The same hackers responsible for the theft of over 6.4 million LinkedIn passwords also acquired passwords from the popular dating site eHarmony.

“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected,” eHarmony’s Becky Teroka wrote on the company blog Wednesday evening.  

According to the Los Angeles Times, 1.5 million passwords were stolen.  That’s significantly fewer than the 6.4 million LinkedIn passwords, but still a considerable number of eHarmony’s 20 million users.

The Russian hacker responsible uploaded the encrypted passwords to a Russian-language website forum.  Many of them have been cracked, and while the usernames are not posted, security experts believe the hackers are in possession of that information as well.

Similar to LinkedIn, eHarmony has reset the passwords for those with compromised accounts.  If you’re such a user, you will be prompted to change your password next time you attempt to log in to the site.

Still, if you’re a LinkedIn or eHarmony user, you should change your password.  Additionally, if you have used that password on other sites or services, you should change that password on those sites as well.

Copyright 2012 ABC News Radio


LinkedIn Hacked: 6.4 Million Passwords Reportedly Stolen

UPDATE: LinkedIn said a number of its users' accounts were compromised in a security breach, posting on the site's blog Wednesday, "We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts."


(NEW YORK) -- The social networking website LinkedIn is investigating claims that more than 6 million passwords were stolen and uploaded to a Russian-language web forum Wednesday.

Reports of the hacking first appeared on Russian-language websites and were confirmed by security firms, who reported that a user in a Russian-language forum posted the passwords Wednesday.

A Twitter account run by LinkedIn announced Wednesday morning that the company "continues to investigate" but was still unable to confirm whether any security breach occurred.

Graham Cluley, a security expert working at the British firm Sophos, said in a blog post that although the passwords are not correlated to user names, "it is reasonable to assume that such information may be in the hands of the criminals." Cluley said that the security firm had confirmed that the file uploaded to the Russian forum did contain the LinkedIn passwords, despite the company's hesitation to confirm it.

Users who fear that their passwords may have been stolen can change their passwords on the website by clicking on their names in the upper right corner of the website's homepage, and then clicking on Settings and choosing the "Change" link next to password.

Cluley also recommended changing passwords at other sites where users may have used the same password.

Copyright 2012 ABC News Radio


SNOPA: Bill to Ban Employers and Schools from Asking for Passwords

(WASHINGTON) -- There may have been lots of backlash against SOPA (the Stop Online Piracy Act) a few months ago, but something tells us SNOPA, the Social Networking Online Protection Act, won’t provoke the same protest.

Introduced by Rep. Eliot Engel, D-N.Y., late last week, the legislation is meant to stop a trend that has gained steam in the last few months -- employers and schools asking for Facebook and social media passwords of applicants, employees, and students. Maryland passed a similar bill last month making the practice illegal; Engel is introducing national legislation.

“There have been a number of reports about employers requiring new applicants to give their username and password as part of the hiring process. The same has occurred at some schools and universities,” Engel said in a statement. “Passwords are the gateway to many avenues containing personal and sensitive content -- including email accounts, bank accounts and other information,” he added.

The national legislation would prohibit employers from asking for usernames or passwords to access online content. It would also apply to colleges and schools.

Bradley Shear, an attorney in Maryland who was also involved in Maryland’s recent legislation, helped Engel draft the bill.

“SNOPA would create national legislation to protect legal liability and provide a shield for employers and schools,” Shear told ABC News. “I believe it is a very well-thought-out and crafted solution. It helps protect all parties, not just one.”

Shear said SNOPA would also protect businesses from breaking other laws that could be a byproduct of checking one’s personal social media account.

Co-sponsored by Jan Schakowsky, D-Ill., the act has a long way to go, but with support of similar legislation at the state level, including by New York Senator Charles Schumer (D) and Connecticut Senator Richard Blumenthal (D), the light is certainly being shined on the social media privacy issue.

Copyright 2012 ABC News Radio


Maryland Bill Bans Employers from Asking for Facebook Passwords

(NEW YORK) -- If you’re worried about an employer or potential employer asking for your Facebook or Twitter password, you might just want to move to Maryland.  The state’s general assembly has become the first to pass a bill to keep social media passwords safe from employers.

Just a few weeks ago, national attention was put on the issue of job applicants and employees being asked for their Facebook passwords so that companies could ensure the individuals had appropriate social media identities.

In response, New York Sen. Charles Schumer and Connecticut Sen. Richard Blumenthal asked the U.S. Department of Justice to investigate if the practice violates federal laws.  But Maryland already had legislation in the works.  And on Tuesday it passed the House as Bill 433. 


“In a nutshell, it protects employees and employers.  It prohibits employees from having to provide access to their digital content or social media account information,” Bradley Shear, a Maryland social media lawyer who worked to get the bill passed, said.

The bill also protects employers. 

“It’s a pro-business bill; it provides employers with a shield against lawsuits,” Shear added.

Maryland State Sen. Ronald Young was instrumental in pushing the legislation.  Young couldn’t be reached for comment, but he told ABC News earlier this month that he felt that such social media password practices were an “infringement on constitutional rights.” 

Facebook’s privacy officer Erin Egan has called such password requests wrong.

Wrong and illegal is exactly what it will be in Maryland as soon as the bill is signed by Gov. Martin O’Malley.

And other states might not be far behind: Minnesota and Illinois have also drafted legislation based on Maryland’s bill, and Washington State, Massachusetts and New Jersey lawmakers have announced their intentions to introduce similar legislation.

Copyright 2012 ABC News Radio
