Posted on: April 8, 2021
It is 9am on a Tuesday morning. You are getting ready to start your day after your favourite morning beverage, and think “do I know where my email address is?”
It could be many places – your work computer, your friend’s address book, even safely tucked away behind Multi-factor Authentication.
Or it could be in a more dangerous part of town – the dark web, being sold for who knows how many bitcoin.
According to the website HaveIBeenPwned, over 11,145,906,797 email addresses have been leaked in over 114,031 pastes online. These numbers come from a large selection of known data breaches. The most recent one to come to light is a Facebook breach from 2019 that exposed the email addresses, birthdays, phone numbers and other personal information of over 500 Million accounts.
“No Big Deal”, you think to yourself, “my Facebook account is protected with a password and multi-factor authentication. No one can get into my account”. Ah – that is the kicker. The bad actors do not want into your Facebook account. They want into your email account (where some multi-factor authentication services send their verification codes), they want into your bank account, they want your birth date and mother’s maiden name so they can impersonate you. And they are banking on the fact that you may have reused a password somewhere along the way.
Password reuse is common – there are just too many to remember. That Facebook account password could also be your GMAIL account password (not recommended), your child’s school email account password (not recommended) or your online banking password (definitely not recommended). It could also be someone else’s password: another person may have chosen the same string of letters and had it exposed, so it is already in the leaked password lists even if your own account details were never included in a breach.
Think it will not happen to you? Think again. In December 2020, just before the winter break, 17 unsuspecting TRU employees opened a malicious email message and clicked on a scam link. This link brought them to a website that asked for their username and password. Once the bad actors had this information, they used the compromised accounts to send even more spam email out to each user’s contact list, TRU’s global address book and a large address book they had already compiled. This blast resulted in TRU’s email servers being blacklisted; faculty could not reach their students, and over 60 hours of IT work was spent cleaning the servers.
What can you do to protect yourself?
- Check if your email addresses, phone numbers and passwords have been disclosed in a breach at https://haveibeenpwned.com/ and https://haveibeenpwned.com/Passwords
- Practice good password hygiene and do not reuse passwords across accounts. Use a password manager to help organize the numerous passwords and accounts you will have.
- Separate things – Keep work email accounts related to employer business, and personal related to personal. Set up and use a unique email account for those newsletters and ‘sign up to read’ articles online.
- Learn how to Spot a Phish and Don’t Click the Link.
- Use the DUO app (https://duo.com) to apply two-factor authentication prompts to applications like Facebook or Etsy. DUO Multi-factor Authentication is coming to TRU for all staff and faculty in 2021. Let firstname.lastname@example.org know if you would like to be an early adopter.
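The password check in the first tip never sends your password to HaveIBeenPwned. As an added illustration (not part of the original post or of HaveIBeenPwned’s own code), the script below shows how the Pwned Passwords range lookup works: only the first five hex characters of the password’s SHA-1 hash leave your machine, and the match is made locally. It uses only the Python standard library; the sample range response and its count are constructed, not live data.

```python
"""Added example: k-anonymity lookup against HIBP Pwned Passwords.

The client hashes the password with SHA-1, sends only the first five hex
characters of the digest, receives every known hash suffix sharing that
prefix, and compares the remaining 35 characters locally.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into a 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerates CRLF line endings and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Return how many times the password appears in the range data, 0 if absent."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a 5-char prefix (network required; only the prefix is sent)."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range response: two made-up suffixes plus the real suffix for
# "password", with a placeholder count (the live count is far larger).
_PW_SUFFIX = sha1_prefix_suffix("password")[1]
SAMPLE_RANGE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    f"{_PW_SUFFIX}:3730471\r\n"
)

if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase for one site only"):
        print(f"{pw!r} -> seen {breach_count(pw, SAMPLE_RANGE_BODY)} times (sample data)")
```

To run a real check, call `fetch_range(prefix)` with the prefix from `sha1_prefix_suffix` and pass the result to `breach_count`; a non-zero count means the password should be retired everywhere it is used.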
As of April 7, 2021.
As of April 7, 2021; individual copies of data collected from data breaches.
Read more about the breach at Business Insider: https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4