It’s been a while since we had a good ol’ high profile hack. The last major incident that really hit the headlines was probably Anonymous’ hit on a bunch of official North Korean websites, defacing images of its ‘dear leader’ Kim Jong Un and generally making the commies look stupid. But just when we were starting to get complacent – badaa! – along come five major hacks in the space of less than a week.
In the last five days dozens of sites, including Ubuntu’s community forum, Apple’s Developer site, Truecaller and the Nasdaq community forum have been breached, leaving millions of computer users at risk of becoming victims of data theft and/or spam.
The troubles began last Thursday, starting with Reuters reporting that the Nasdaq Community forum had been breached, with the emails, usernames and passwords of its users all stolen. The site was reportedly defaced, taken offline, and stayed that way for two days before Nasdaq’s web security guys were able to get everything shipshape.
Just hours after Nasdaq’s woes were first reported, Apple reported that its developer site had also been hit, just as it was preparing for a major software upgrade to its iOS and OS X operating systems. This was followed by a further attack the next day – this time, the collaborative phone directory website Truecaller was taken offline by the Syrian Electronic Army (SEA), which exposed millions of phone records in the process. But the Syrian government sympathizers weren’t done there: less than 24 hours later they followed up by hacking instant messaging platform Tango, exposing more than 15 terabytes of user data. In both cases, the SEA said that it’d hacked the sites via a known vulnerability in an older WordPress version.
However, the biggest ruckus thus far occurred on Saturday when a hacker or hackers successfully infiltrated the noisy Ubuntu community forum, defacing the site and stealing the user names and hashed passwords of all 1.82 million users and posting them online. In that case, Canonical (which leads Ubuntu’s development) was quick to announce the security breach, warning users to change their passwords as soon as possible.
Who’s Hacked Off?
It’s fairly unusual to see so many high profile hacks in one go, but it doesn’t appear to be a concerted effort by any one group in particular. The Syrian Electronic Army has been keeping up a sustained campaign for some time now, with most of its hacks thought to be in support of President Bashar Assad’s government, but it isn’t believed to be involved in the hacks on Apple or Ubuntu.
In Ubuntu’s case, a hacker going by the name of “@Spuntn1k_” defaced the site with an image and the following message:
“None of this “y3w g0t haxd by albani4 c3bir 4rmy” stuff. Straight up, you dun goofed. It’s as simple as that.”
As for Apple’s Developer site and the Nasdaq forums, it’s not known who was responsible for these breaches.
How To Stay Safe(ish)
If nothing else these attacks serve as a timely reminder to observe best practices to keep your online accounts as safe as possible. First and foremost, if you do any kind of banking/financial stuff online or keep sensitive data in your email, CHOOSE A DIFFICULT PASSWORD! This cannot be hammered home enough: an easy-to-remember password like “Mike1234” simply doesn’t cut it these days. To make it even harder to crack, use at least 15 characters (letters, digits and special characters) and make sure your password doesn’t spell out a word or series of words – something random is always better.
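As an added illustration (not code from the article or from any of the sites named in it), here is a small password policy check that encodes the three rules above: at least 15 characters, a mix of letters, digits and special characters, and nothing that spells out a word or series of words. It goes a little beyond the text by splitting the letter runs of a password into dictionary words, so that “Summer2013!Welcome” is caught even though it is long enough and mixes character classes. The word list is a constructed stand-in; a real deployment would load a large one.

```python
import re
import string

# Added example, not from the article. The word list is constructed for the demo;
# a production check would load a full dictionary and breach-list.
MIN_LENGTH = 15
COMMON_WORDS = {
    "mike", "password", "ubuntu", "apple", "summer", "welcome",
    "letmein", "dragon", "monkey", "admin", "qwerty",
}


def _segments_into_words(run: str, words: set, min_word_len: int) -> bool:
    """Dynamic programming: can the whole lowercase run be split into listed words?"""
    n = len(run)
    ok = [False] * (n + 1)
    ok[0] = True
    for i in range(1, n + 1):
        # try every split point j such that run[j:i] is a candidate word
        for j in range(0, i - min_word_len + 1):
            if ok[j] and run[j:i] in words:
                ok[i] = True
                break
    return ok[n]


def spells_words(password: str, words: set = COMMON_WORDS, min_word_len: int = 3) -> bool:
    """True if every alphabetic run in the password consists entirely of listed words."""
    runs = re.findall(r"[a-z]+", password.lower())
    if not runs:
        return False
    return all(_segments_into_words(run, words, min_word_len) for run in runs)


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if spells_words(password):
        problems.append("spells out dictionary word(s)")
    return problems


if __name__ == "__main__":
    for candidate in ("Mike1234", "Summer2013!Welcome", "x7#Qv2!pL9mR4sT"):
        print(candidate, "->", check_password(candidate) or "ok")
```

The point of the segmentation step is that concatenating two ordinary words with a digit and a punctuation mark between them satisfies the length and character-class rules yet is still just a handful of dictionary guesses away; a check that only counts character classes would pass it.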
Second tip, and this is a point that Canonical was quick to hammer home – avoid using the same password for multiple accounts (at least as far as your bank, email etc., is concerned), this way you’re less vulnerable in case one of your accounts is ever compromised.
If you need help managing your passwords, use password management software like LastPass.
Finally, be sure to back up your data, either to your local hard drive or else with a service like G cloud or iCloud.
A growing number of sites these days offer two-step verification to make your accounts even harder to crack. Two-step verification involves entering a one-time password whenever you want to make changes to your account or process a financial transaction – the code is sent by SMS to your phone and expires after five minutes, thus making your accounts impenetrable to all but the most sophisticated hackers. Services including Dropbox, Google, Facebook, Microsoft and Yahoo all offer two-step verification, as do most banks.
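To show what the server side of that one-time-code step looks like, here is an added example (not code from the article or from any of the services it names) modelling the properties the paragraph describes: a random code bound to one account, a five-minute expiry, and single use. The six-digit code length and the five-attempt lockout are assumptions, and the clock is injectable so that expiry can be exercised without waiting.

```python
import hmac
import secrets
import time

# Added example, not from the article. Models the SMS one-time-code step:
# random code, bound to one account, expires after five minutes, usable once.
CODE_TTL_SECONDS = 5 * 60   # the five-minute expiry the article mentions
CODE_DIGITS = 6             # assumption: six-digit codes, as most services send
MAX_ATTEMPTS = 5            # assumption: discard the code after repeated wrong guesses


class OneTimeCodeStore:
    """Issues and verifies single-use, short-lived codes keyed by account."""

    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry can be tested deterministically
        self._pending = {}    # account -> [code, issued_at, wrong_attempts]

    def issue(self, account: str) -> str:
        # secrets gives a cryptographically random code; random.randint is not suitable here
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [code, self._now(), 0]
        return code  # a real service hands this to the SMS gateway and never logs it

    def verify(self, account: str, submitted: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False      # nothing outstanding: never issued, already used, or discarded
        code, issued_at, _ = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]   # expired: discard so it cannot be retried later
            return False
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[account]   # single use: consume on success
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]   # too many guesses: force a fresh code
        return False


def demo() -> dict:
    """Walk through wrong guess, correct code, replay and expiry with a fake clock."""
    clock = [1_000_000.0]
    store = OneTimeCodeStore(now=lambda: clock[0])
    results = {}
    code = store.issue("alice")
    wrong = "000000" if code != "000000" else "111111"
    results["wrong_guess"] = store.verify("alice", wrong)   # False, code still pending
    results["correct"] = store.verify("alice", code)        # True, code consumed
    results["replay"] = store.verify("alice", code)         # False, already used
    code2 = store.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1                        # jump past the five-minute window
    results["expired"] = store.verify("alice", code2)       # False, discarded on expiry
    return results


if __name__ == "__main__":
    print(demo())
```

The two details that matter most for the defender are that a code is deleted on first successful use and on expiry, so an intercepted SMS is worthless after a few minutes, and that the comparison is constant-time, so an attacker cannot learn digits one at a time from response latency.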