As news reports regularly indicate, cyber attacks on businesses worldwide are becoming increasingly frequent and severe. These incidents often result in data breaches, causing the exposure and/or theft of users’ personal information, such as passwords, credit card numbers and other sensitive information.
Although online service providers have an obligation to ensure that users’ transactions and data are secure, each of us is still responsible for protecting our login credentials and personal information to the best of our ability. Unfortunately, even following the rules perfectly may not prevent you from being breached.
By following cybersecurity best practices, you can minimize the likelihood of your account being individually breached. If this does occur, you can help minimize the damage by following several recommended steps.
Why is your information valuable?
Cyber attackers can inflict significant damage using minimal information. For example, many people use their email address as the password recovery mechanism for their other accounts. If your email account is hacked, a criminal can potentially reset the passwords of your other accounts and make purchases in your name. They may also be able to read your private communications on social media and target your friends and family for similar purposes.
Stolen credentials can potentially yield huge financial gains, so it’s not surprising that they mean big business: A recent story by Forbes.com reveals the growing market on the Dark Web for breached login data.
What is ‘Have I Been Pwned (HIBP)?’ and how is it useful?
As mentioned earlier, even if you are vigilant in protecting your account data, be aware that no form of protection is 100% guaranteed, and the websites you frequent may still fall victim to an attack.
In 2021, the average person can own between 30 and 100 different accounts, so it is possible that some of them will become compromised at some point through no fault of your own.
The website Have I Been Pwned? (or HIBP, with "Pwned" pronounced either "pawned" or "poned") allows Internet users to check whether their personal data has been compromised by data breaches.
The service collects and analyzes information about billions of leaked accounts and allows users to search for their own information by entering their username or email address. Users can also sign up to be notified if their email address appears in future discovered breaches.
HIBP is a valuable resource for Internet users wishing to safeguard their personal information and security.
I found my account on HIBP. Now what?
If your email address appears on HIBP:
Replace the password(s) of the account(s) specified.
Also reset the passwords of any other accounts that used the same password as the compromised one(s), and make sure each new password is unique.
Enable 2FA for any accounts that support this method of authentication.
Note: As stated on HIBP, if your email address was not found it does not necessarily mean that it has not been compromised in another breach: "Absence of evidence is not evidence of absence".
While the HIBP website is a valuable tool, it likely contains only a small percentage of all breaches that have ever happened. Furthermore, you may not be aware that a breach has taken place until well after it has occurred, since in some cases HIBP may not obtain this information until months later. In addition to checking HIBP regularly, it is strongly recommended that you remain mindful of the information stored and collected by your various accounts and protect these by following cybersecurity best practices:
Use your McGill password ONLY for your McGill account.
Create strong, unique passwords for all your accounts.
Enable two-factor authentication (2FA) on your McGill account.
Minimize the amount of information you store on e-commerce sites where you have an account; you never know how secure these sites truly are.
How does McGill’s Information Security team keep you safe?
In addition to promoting best cybersecurity practices, McGill’s Information Security (InfoSec) team in IT Services monitors and identifies imminent cyber threats to the University’s data and network, thus enabling the timely prevention of attacks. In fact, in 2020 a threat intelligence service was launched that McGill and other organizations now use to proactively safeguard against cyber threats. Learn more about McGill’s Threat Intelligence service.
Conclusion and recommendations
We recommend subscribing to HIBP’s notification service (see details below) and following best cybersecurity practices.
To use HIBP:
Go to https://haveibeenpwned.com/ and enter your email address to see if it has been in a previous breach.
To be notified of future breaches involving your email address, sign up to receive email notifications. If you use multiple email accounts, we recommend signing up for all of them.
If your McGill password has been compromised:
Follow the steps in the IT Knowledge Base article What to do if your password has been compromised.
Stay vigilant: Do not reuse your McGill password for any other account and follow strong password creation guidelines.
For more information about keeping your accounts secure, check out the following resources.