I’ve been exchanging a number of emails recently with Troy Hunt.  Troy is a Microsoft Regional Director and MVP (no, he is not a Microsoft employee) who specializes in web security.  He also runs Have I Been Pwned?, a website that collects the databases of user accounts and passwords that have been exposed in data breaches and lets you check whether your account is among them.

He dropped me a line to tell me that my account had been exposed.

The email was simple.

Essentially he was telling me that my email address had appeared in a data breach and he was trying to confirm if it was real.  So, what do I do?  I did the usual steps, I sent him my password and had him check.  NOT.

I confirmed that the email came from TroyHunt.com.  It did.  I confirmed that he is indeed the “owner” of the site.  He is.  (He lives in Surfers Paradise in Australia.)  So, based on this information I said I would help him.  He sent me back the first three letters of the password that they said was on file.

And it wasn’t my password.

After sending Troy that note he responded saying that that is what other people have been telling him as well.  So, where does that leave us?

Well, the RootsWeb site has indeed been hacked and a list of accounts has been taken.  However, the site has apparently encrypted passwords so that they are not exposed in the event of a data breach.  It’s bad enough that they had their user database hacked, my data hacked, but if they had exposed passwords …
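As an added illustration (not part of the original post, and not RootsWeb’s code), here is what “passwords that are not exposed in a breach” looks like in practice: the user database stores only a random per-user salt and a slow PBKDF2 hash, so a leaked row lets the site verify a login but does not contain the password itself. The iteration count, salt length and field names are my own choices for the example.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example; the iteration count is the knob that
# slows down offline guessing against a leaked database and would be tuned
# higher in production.
ALGORITHM = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str) -> dict:
    """Return the record the user database should store instead of the password."""
    salt = os.urandom(SALT_BYTES)  # per-user random salt: identical passwords get different hashes
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return {
        "algorithm": ALGORITHM,
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        record["algorithm"],
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("stored row for alice:", alice)          # no password in here
    print("same hash for same password?", alice["hash"] == bob["hash"])  # False, thanks to the salt
    print("login works?", verify_password(alice, "correct horse battery staple"))  # True
    print("wrong password?", verify_password(alice, "Correct horse battery staple"))  # False
```

If only rows like these leak, an attacker still has to guess each password one slow hash at a time, which is the difference between “my email was in the breach” and “my password was in the breach.”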

All organizations need to take a look at what data they have and answer one simple question:

What will happen if this data is leaked?

One terrifying idea now circulating in a lot of companies is this: your data is going to be leaked, so what are you going to do to minimize the damage?  Don’t assume that you will be able to put up an impenetrable wall forever.  It won’t happen.  Expect to be breached, and ask what you are going to do to minimize the damage, not just to you, but to the people whose data you have sequestered away in a location you thought was secure.

This isn’t just a thought experiment, it’s real life.  People have lost their jobs over not thinking this through.  What data do you have that, if it’s exposed, is going to cost you a lot in terms of money or reputation?  Now that you know what you need to protect, how do you protect it?  RootsWeb did something about it and, while the hackers got my email address, they didn’t get my password.  But that’s all that RootsWeb really had on me.  What data are you storing for your clients?


