Do not be fooled by tweeting about knowledge breaches
This year, NetGalley, the website that provides reviewers with enhanced e-copies of books, sent their season’s greetings in a different tone. In an email to its users before Christmas Eve, the company stated, “It is with great regret that we are pleased to announce that NetGalley was the victim of a data protection incident on Monday, December 21, 2020.”
According to the Company recommendation: “What at first seemed like a simple disfigurement of our homepage has led to unauthorized and illegal access to a backup file in the NetGalley database during further investigations.”
The database in question contained sensitive user information, including usernames and passwords, names, email addresses, postal addresses, birthdays, company names, and Kindle email addresses.
Unfortunately, many users took advantage of social media and discussed the incident without thinking about what they are making visible to everyone. And in their rush to be the first to tweet about the breach, many users made terrible mistakes that could further compromise their security.
The following is perhaps the worst way to tweet about the incident. The user admits to using their NetGalley password on several other accounts.
While this tweet might have been a joke, this next one certainly isn’t. The user posted a picture of the NetGalley advisory email that includes her full name (obscured in the picture). Since the name of the Twitter account is pseudonymous, the user only provided the full name of the person behind it.
There were other milder tweets in which users admitted that their NetGalley account was not in their real name. Less dangerous tweets came from users who admitted to having a NetGalley account and they had just learned of the hack and either changed their password or deleted their accounts.
At first glance, a lot of these tweets might look harmless because NetGalley doesn’t store very sensitive information like bank account and credit card details. But the NetGalley injury was bad at first.
When detecting a security breach, most companies explicitly state what measures they have taken to protect user data. For example, many organizations are quick to point out that passwords have been leaked encrypted or hashed, making it difficult (but not impossible) for attackers to access the accounts. There is no mention of encryption in either the original recommendation or the updated version posted on the NetGalley website on Sunday. This suggests that the hacked database has user passwords and other information stored in clear text.
[Read: Meet the 4 scale-ups using data to save the planet]
On December 23, when NetGalley sent the first advisory, the company invalidated all credentials and advised users that they would need to reset their passwords the next time they attempt to log in. By then, however, the damage had already been done. The hackers made the website unrecognizable on December 21st, as users pointed out on Twitter and confirmed the company in the advisory. And nothing can prove that they didn’t have access to the data much earlier.
Even if the company invalidated passwords before the attackers had a chance to use them, the data would still be valuable to them. As the first tweet I shared suggested, users often have Use your passwords for many accounts. After the NetGalley hack, the attackers have access to a new list of emails and passwords. They can use this information in credentials stuffing attacks that involve entering credentials from a data breach with other services and potentially gaining access to other, more confidential accounts. Cross-service account hijacking is something That happens often and can even involve high profile technical leaders.
The attacks can also combine the data from the NetGalley breach with the billions of user account records leaked from other data breaches to create more complete profiles of their targets.
So the NetGalley data breach alone doesn’t seem like a big deal. However, in the context of other security incidents and the increasing sophistication of cyberthreats, any piece of information that falls into the hands of malicious actors can become a major attack.
Some users dismissed the hack as harmless. One user said, “What’s worse? [sic] that can happen, will anyone write a review posing as me? “
The real answer is, “No, that worst What can happen is that a threat actor may take your data and any other public information they can collect about you and use them to attack you from another, more sensitive location. “
This doesn’t mean you shouldn’t tweet about data breaches. In fact, I found a lot of good information about the data breach on Twitter like this user who first raised concerns about the potentially unencrypted leaked data …
… and this other tweet that gave some decent tips.
It’s also okay to criticize the way the company handled the violation, although I’d advise against spreading conspiracy theories that would only add to the confusion.
However, in general, you need to be very careful when posting information about data breaches on social media. So before posting a security incident, stop and think twice. If what you want to share contains personal information about you or someone else, such as: B. Services you use, your devices, email address, location and IP address, resist the urge to post something funny to your followers. It is not worth.
The point is, the dark web is already filled with sensitive information about billions of users. Don’t make it worse by carelessly tweeting more information about yourself and others.
This article was originally published by Ben Dickson on TechTalks, a publication that examines technology trends, how they affect our lives and businesses, and what problems they solve. But we also discuss the evil side of technology, the darker effects of the new technology, and what to look out for. You can read the original article here.