The Ashley Madison hack was a disaster. According to countless security specialists, media observers and public relations experts, that is the only way to describe July’s vast security breach of the Ashley Madison website. A hacker group calling itself the Impact Team penetrated the company’s servers, and then released over ten gigabytes of personal information, passwords and credit card details. The result? Public shame for the estimated 39 million users, and a PR catastrophe for Avid Life Media, Ashley Madison’s parent company.
But it’s also a rude awakening to all internet users – not just the adulterous ones. When a site founded on the notions of privacy and complete discretion can be breached so comprehensively, what does that mean for protecting our own sensitive online information? It seems there are some lessons we can all learn:
- Our intimate data is already everywhere…
Today it has become normal to share our shopping habits, biographical details, sexuality, religion, health history, political party – even which party we went to last night, and with whom – on the internet. As New York Magazine notes, “Suddenly it was cool to trust companies with the equivalent of your FBI file.” But security breaches at Apple, Target and many more have shown that even several layers of security and encryption are not always effective. So always assume that any information you store online might become public one day.
The lesson: Apply the “Jumbotron” test to your online data – if it was beamed onto a huge screen at a stadium, would you be mortified? Then take extra care.
- …and erasing that data is getting harder and harder
One PowerPoint presentation found on the Ashley Madison servers included a new “Product Innovation” allegedly in the company pipeline: a “Full Delete” service where users could “eliminate any trace of themselves from the site”… but only for a $19 fee. And even after users paid the fee, it seems that Ashley Madison kept their personally identifiable profile data anyway.
The lesson: If you want to use a website in secret, or if you are using a compromising website just to satisfy your curiosity, don’t use your real name or your real email address.
- Beware of websites with lax security
Because Ashley Madison didn’t send a verification email, some people (including some politicians) had an account created in their name by other people. This is not a good practice – be careful with websites that don’t verify your identity.
The lesson: Inputting sensitive data into a website? Then research how strong its security systems are first. And, if possible, use sites which offer 2-factor authentication – such as Gmail, Microsoft, Apple, Twitter, Facebook and Dropbox.
- Strong passwords are still essential
The Ashley Madison data dump revealed that all 39 million user passwords were stored in a hashed form with bcrypt, a cryptographic hashing algorithm so strong it would take a highly specialized computer cluster years to crack. Except that many users opted for passwords so simple that other analysts were able to use far simpler methods to crack them, and found that, despite the potentially embarrassing information contained in these Ashley Madison profiles, the most popular passwords were – yes – “password” and “123456”. If you use a strong password, you minimize your chances of seeing your password breached in such a case.
The lesson: Always be sure to make new passwords as random as possible – ideally via a suitable password generator.
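To make the point about slow hashing and weak passwords concrete, here is an added example (not from the original article or from Ashley Madison's code) of a defender's audit over constructed accounts: a salted, slow hash does not protect “password” or “123456”, while a generated password passes. It assumes PBKDF2 from the Python standard library as a stand-in for bcrypt, and the iteration count, blocklist and user names are made up for illustration.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

ITERATIONS = 20_000  # assumed work factor for the stand-in hash
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed short blocklist; the first two entries are the passwords named above.
COMMON_PASSWORDS = ["password", "123456", "12345678", "qwerty", "abc123"]


def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2 standing in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def generate_password(length: int = 20) -> str:
    """Random password drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def audit(records, blocklist=COMMON_PASSWORDS):
    """Return the users whose stored hash matches a blocklisted password."""
    weak = []
    for user, salt, digest in records:
        if any(hmac.compare_digest(slow_hash(p, salt), digest) for p in blocklist):
            weak.append(user)
    return weak


def make_record(user: str, password: str):
    """Store a password the way a site would: per-user salt plus slow hash."""
    salt = os.urandom(16)
    return (user, salt, slow_hash(password, salt))


def demo():
    # Constructed accounts: two with the passwords named above, one generated.
    records = [make_record("alice", "password"), make_record("bob", "123456"),
               make_record("carol", generate_password())]
    return audit(records)


if __name__ == "__main__":
    print("accounts failing the audit:", demo())
    print("entropy of a 20-character generated password (bits):", round(entropy_bits(20)))
```

The audit needs only a handful of hash computations per account to flag the weak passwords, whereas a 20-character generated password has far too many possibilities for any list to cover.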
- Ashley Madison won’t be the last
Hacking is a daily news story. As millions of users of Apple, eBay, Target, Vodafone and so on will testify – as well as the tens of millions of US government employees exposed in June’s data heist – there is not a single system on earth invulnerable to cyber attacks. Except now it’s not just your credit card details being hunted: a rise in politically inspired cyber crime has resulted in so-called “hacktivists” pursuing sensitive data for other ends. So everyone with data online should take heed: it’s not a question of “if” you’ll be hacked, it’s “when”.
The lesson: Minimise the effects of future breaches with password managers such as Dashlane. As well as up-to-the-minute alerts about breaches, the password changer helps you both generate completely random passwords for maximum protection and change all of your passwords with the click of a button.