Last week, US-based cyber security firm Hold Security recovered 272.3 million stolen accounts from a fraudster.
Out of those, 88,000 accounts originated from Singapore, Hold Security’s founder and chief information security officer Alex Holden told The New Paper in an e-mail.
“There are over 88,000 records with the .sg domain name in the e-mail addresses,” he said.
Of those, 61,000 belonged to yahoo.com.sg, 8,000 were from singnet.com.sg and 3,600 were from .edu.sg – about 1,100 from ntu.edu.sg and 1,400 from nus.edu.sg
Mr Holden added that the credentials do not always belong to the e-mail providers.
“Many services require you to use your e-mail address as a user ID, hence a breach in such service may produce a record of e-mail/password similar to (your) e-mail credentials,” he said.
For example, online shopping websites usually get users to register using their e-mail account as their user ID.
Hold Security’s recovery stemmed from its researchers spotting a young Russian hacker bragging in an online forum about the millions of stolen accounts he had collected.
The hacker claimed he could give away a total of 1.17 billion stolen credentials, including duplicate accounts.
A majority of the stolen accounts appeared to be from Russia, but there were also sizeable numbers of German and Chinese accounts.
The stolen accounts included tens of millions of accounts from all three major e-mail providers: Gmail, Microsoft and Yahoo.
Reuters reported that this was one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major US banks and retailers two years ago.
To check if you have an account that was uncovered as part of any data breach, visit haveibeenpwned.com. The website also has a list of websites with databases that have been compromised.
HOW DOES THIS AFFECT ME?
According to Mr Holden, information that is obtained by a hacker may or may not be used for malicious activity, depending on what was breached.
He said: “Most accounts never get fully compromised. However, if you lose your bank details, the chances are rather high that this information would be abused.”
For example, online shopping websites usually contain a user’s financial information, among other sensitive details like address and birthdate.
The information could be abused if it falls into the wrong hands.
WHAT SHOULD I DO?
If you think that your e-mail account has been compromised, the first thing you should do is change the password to something difficult to guess, Mr Ryan Flores, senior manager of cyber security firm Trend Micro told TNP.
He added that if the password has been changed, use the “Forgot Password” option to set up a new one, since the account is always linked to another e-mail account or mobile number that allows for verification.
Once you regain access to your account, check to see if any information has been stolen. If necessary, report the loss of personal data to the Personal Data Protection Commission (PDPC) by calling 6377-3131 or e-mailing email@example.com
Singapore’s Cyber Security Agency (CSA) also encourages users to sign up at the CSA’s SingCERT webpage for alerts and advisories on the latest cyber security news in Singapore.
Users can also get cyber security tips from its Go Safe Online webpage or Facebook page.
According to SplashData’s annual Worst Passwords List, “123456” and “password” remained the two most common passwords last year.
Singapore’s Cyber Security Agency (CSA) advised: “Change passwords regularly and avoid using the same password for different services and applications. Where available, multi-factor authentication (for example two-factor authentication) should be enabled.”
A two-factor authentication process is when two components are used to log in.
UPDATES & SCANS
Read through every message box when downloading new software. An attacker could name a malware after the software you are downloading.
Schedule monthly scans with an antivirus software.
Update your operating system regularly as this may include essential security updates.
According to CSA, users should not click on links in suspicious e-mails.
PROTECT YOUR DATA
“Users should not sign up for a service if it requests for information that may seem irrelevant to the purchase or application of the service,” the CSA told The New Paper.
Do not publicise personal information on social media.
Make sure the website you are visiting is secure. A website that begins with “https” instead of “http” is secured using a Secure Sockets Layer certificate.
Turn on cookie notifications on your web browser to be notified when a cookie requests access, and accept only if you can trust the site.
Avoid suspicious posts, offers, messages and advertisements on social media.