The New York Times reported this week that an organized Russian criminal group stole approximately 1.2 billion user name and password credentials associated with more than 500 million email addresses from hundreds of thousands of websites around the world.
The article notes that the hackers used a large botnet (a group of computers that a hacker has taken control of for his or her own use) to probe websites methodically for vulnerabilities that would give the hacker access to the websites' databases containing sensitive information such as email addresses, user IDs and passwords.
Although the victims have not been identified, there are certain steps you should consider taking, all in close consultation with your experienced IT staff.
- Force all users in your organization to change their network access password. Encourage them to create strong, new passwords that do not resemble their old passwords. In the event that login/password credentials for your entity were compromised, this will help minimize the harm these hackers could cause.
- Remind users not to allow their web browsers to store/save their passwords.
- Advise your employees/staff/volunteers to change their personal passwords for social media, email, and financial accounts, especially if they tend to use the same password to log into work and personal accounts. Remind them to use two-factor authentication where sites offer it (many banks, email providers and social networking sites offer this).
- Engage IT to review security access logs to determine whether there is any evidence that login/password credentials have been misused to gain access to your organization’s network.
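To make the log review in the last step concrete, here is an added example (not part of the original advisory) that scans authentication log lines for three patterns typical of leaked credentials being replayed: one source address cycling through many accounts, failures followed by a success for the same account, and one account used from several addresses within a short window. The log format, field names, sample entries and thresholds are all assumptions; adapt the regular expression and limits to your own access logs.

```python
# Added example (not from the original advisory): scan an authentication log for signs that
# leaked credentials are being replayed. Log format, fields and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
# Constructed sample: 203.0.113.7 cycles through accounts until one works, then
# alice's account is used from three different addresses within an hour.
SAMPLE_LOG = """\
2014-08-06T09:00:00 FAILURE user=alice ip=203.0.113.7
2014-08-06T09:00:05 FAILURE user=bob ip=203.0.113.7
2014-08-06T09:00:09 FAILURE user=carol ip=203.0.113.7
2014-08-06T09:00:14 FAILURE user=frank ip=203.0.113.7
2014-08-06T09:00:20 SUCCESS user=frank ip=203.0.113.7
2014-08-06T09:30:00 SUCCESS user=alice ip=198.51.100.12
2014-08-06T09:45:00 SUCCESS user=alice ip=198.51.100.99
2014-08-06T10:10:00 SUCCESS user=alice ip=192.0.2.33
"""

def find_suspicious(text, max_users_per_ip=3, max_ips_per_user=2, window=timedelta(hours=1)):
    """Three indicators worth a closer look after a credential leak:
    spraying_ips: one source IP trying more than max_users_per_ip distinct accounts;
    fail_then_success: failures from an IP followed by a success for the same account;
    multi_ip_users: an account logged in from more than max_ips_per_user IPs within window."""
    events = sorted(  # (timestamp, result, user, ip); unparseable lines are skipped
        (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])
        for m in map(LOG_RE.match, text.splitlines()) if m
    )
    users_by_ip, fails, successes = defaultdict(set), defaultdict(int), defaultdict(list)
    fail_then_success = set()
    for ts, result, user, ip in events:
        users_by_ip[ip].add(user)
        if result == "FAILURE":
            fails[(user, ip)] += 1
        else:
            if fails[(user, ip)]:
                fail_then_success.add((user, ip))
            successes[user].append((ts, ip))
    multi_ip_users = set()
    for user, hits in successes.items():
        for i, (start, _) in enumerate(hits):  # window anchored at each success
            if len({ip for ts, ip in hits[i:] if ts - start <= window}) > max_ips_per_user:
                multi_ip_users.add(user)
    return {
        "spraying_ips": {ip for ip, users in users_by_ip.items() if len(users) > max_users_per_ip},
        "fail_then_success": fail_then_success,
        "multi_ip_users": multi_ip_users,
    }
```

Each flagged account or address is a lead for IT to confirm with the user or block, not proof of compromise on its own.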
There are other steps you can take, and we encourage you to consult with your IT staff.