A while back I wrote an article for the Alpha blog about the need to properly secure your user account information, especially passwords and userids. To bring it home, I just got an email from a service that I am subscribed to, saying their system had been breached, and my userid and password were among those compromised. NOTE: They do not have an Alpha Five application.
If you read through their message below, it's instructive to have in mind what I was thinking as I read it.
- What password did I use with this service?
- For what long-forgotten service might I have used that userid and password combination? And which ones retained my cc or bank info?
- How many other services have had their security breached, and did not tell me?
- And, hey! I write these kinds of systems now - what have I done to ensure my clients' web applications are secure?
What's your answer to that last question?
If you are like me, you have hundreds of "accounts" where you have provided a user id (likely email) and a password. For some portion of those you have provided financial information; and some portion of those have retained that information, and only some portion of those have secured your information properly. My passwords are different on every site, but that's probably an anomaly.
By the way, this is prompting me to write a document (for my clients) detailing exactly how I have secured their web application - and I bet you in writing the document I will make changes to how I use security in Alpha Five.
So this may be you, writing to tell your clients that their userid and password have been stolen. That is, if you have any means in place to know that such a breach has taken place.
-------- Actual letter, but with names changed ---------
Dear ABC Email Newsletter Subscriber,
We regret to inform you that the company we contract with to deliver email newsletters, XYZ, has identified a breach of one of their internet security systems. The breach was limited in scope. There was no breach of personally-identifiable information or credit card data, but your email address and password for managing your email subscriptions at ABC may have been obtained by an unauthorized third party.
Usernames and passwords that you use on the ABC or ABC Stock Web sites for you or your organization were not compromised; only usernames and passwords used to manage email newsletter subscriptions were affected. Most ABC email newsletter accounts do not have passwords associated with them. However, XYZ's records indicate that your account did have a password.
There is potential for misuse of this information should you use the same email address and password on other personal accounts (for example, banking, PayPal, Amazon, web-based email sites, etc.). XYZ would like to advise you of important steps that you should take to prevent misuse of your personal information:
* If this email address and password are used together on any other accounts, it is recommended you change your password on those accounts immediately.
* Pay careful attention to emails you may receive requesting personal and financial information -- even if it appears to be from ABC -- and only provide it when you can confidently confirm that it has come from a trusted organization.
* Report any suspicious activity immediately to the account provider (bank, credit card, etc.) and to credit bureaus. We take your privacy seriously, and as a protective step have immediately deleted all passwords used to manage email subscriptions. This will not affect your subscriptions or site usage, and you will simply be prompted to create a new password when you go to manage your email subscriptions.
Our vendor XYZ has asked us to convey their deepest apology and assurance that security has been restored. If you have any questions, please visit XYZ's site, http://www.XYZ.com/onlinesecurity, or contact XYZ's Security Hotline at 1-800-555-1111.
Sincerely,
The ABC Team
--------------------------------------------------
If you would like to unsubscribe from ABC, you can respond to this email with "REMOVE" as the subject, or you can visit your subscription management page at:
******************************
This email is Powered by XYZ, Inc.
http://www.XYZ.com
******************************
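As an added example (not code from the original post, and not Alpha Five or XYZ code), here is one concrete answer to the question above of what has been done to secure a client's web application: never store a password in a form that can be read back. The letter says subscribers' passwords "may have been obtained", which is only possible if the vendor kept them in recoverable form. The Python below, written for this page, stores each password as a per-user salted PBKDF2 hash and verifies logins with a constant-time comparison, so a stolen table yields neither the passwords nor any hint of which users reused one across sites. The iteration count, record format, the `register`/`login` helpers and the sample e-mail addresses are all constructed assumptions, not anything from the post.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for this example: tune ITERATIONS to your hardware so
# that one verification costs a noticeable fraction of a second.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16

# Throwaway record used to keep login timing uniform when the userid is unknown.
_DUMMY_RECORD: Optional[str] = None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<algo>$<iterations>$<salt>$<hash>.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table reveals nothing about password reuse.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_" + ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the record's own parameters and compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algo = scheme[len("pbkdf2_"):]
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, int(iterations))
    except (ValueError, TypeError):
        # Malformed or unsupported record: fail closed instead of crashing.
        return False
    return hmac.compare_digest(candidate, expected)


def register(users: Dict[str, str], userid: str, password: str) -> None:
    """Store only the hash record; the plaintext password is never written anywhere."""
    users[userid] = hash_password(password)


def login(users: Dict[str, str], userid: str, password: str) -> bool:
    """Verify a login. Unknown userids still pay the full hashing cost so that
    response timing does not reveal which e-mail addresses are registered."""
    global _DUMMY_RECORD
    if _DUMMY_RECORD is None:
        _DUMMY_RECORD = hash_password(os.urandom(16).hex())
    record = users.get(userid)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same time, then reject
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample data: two subscribers who happen to share a password.
    table: Dict[str, str] = {}
    register(table, "alice@example.invalid", "correct horse battery staple")
    register(table, "bob@example.invalid", "correct horse battery staple")
    print("records differ despite same password:",
          table["alice@example.invalid"] != table["bob@example.invalid"])
    print("alice, right password:", login(table, "alice@example.invalid", "correct horse battery staple"))
    print("alice, wrong password:", login(table, "alice@example.invalid", "wrong"))
    print("unknown user:", login(table, "nobody@example.invalid", "correct horse battery staple"))
```

The record carries its own algorithm and iteration count, so the cost can be raised later and old records re-hashed at the user's next successful login without a migration. Detection of a breach, the other half of the question in the post, starts with a login audit trail; the scheme above at least ensures that what a breach exposes cannot be replayed against the user's other accounts.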