Hackers from a left-wing group known as RedHack recently claimed to have got into three different email accounts belonging to Turkey’s Energy Minister, Berat Albayrak.
According to reports, that hack led to a huge data dump consisting of 17GB of email going all the way back to April 2000.
Apparently, the hack was greatly simplified by the fact that Albayrak used the same password for multiple accounts, making him a sitting duck for the keylogger that the attackers are said to have used.
A keylogger can, in theory, retrieve all of your passwords even if you carefully use a different one for each account.
But the job is much easier, and much more likely to succeed, if the attackers only need to compromise one account, which then turns into a sort of “skeleton key” for all the others.
What, no 2FA?
We’re assuming that as well as having just one password for everything important, Albayrak didn’t bother with two-factor authentication (2FA), also known as two-step verification, either.
Two-step verification is where you need to provide a one-time login code, usually sent via SMS or generated by a dedicated mobile app, as well as typing in your regular password.
Although 2FA doesn’t guarantee your online security, it does make password-stealing attacks much harder, and that’s why we regularly recommend turning the feature on whenever you can.
Ironically, Turkey seems to have responded by temporarily blocking access to various cloud-based storage services last weekend, including Dropbox, Microsoft OneDrive and Google Drive.
What to do?
This ongoing incident is a good reminder of how much is at stake when you’re careless about access control, especially when you keep large amounts of data online.
Our advice is:
- Consider using a password manager. That way you’ll get a fresh password for each account, and you won’t be tempted to make them the same (or even similar) for fear of forgetting them.
- Pick proper passwords. You’ll need a really good password for your password manager, even if you use it to store all your online passwords, so you still need to know how to choose wisely.
- Turn on 2FA wherever you can. It’s not a silver bullet, but it does make a cybercrook’s job harder, because he can’t just use a keylogger today to steal your account password and then keep logging in whenever he feels like it.
- Make regular backups and keep them off-line. This protects you against all sorts of unavailability problems, including ransomware, loss or theft of your laptop, and outages in your usual cloud services.
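To show why an app-generated one-time code blunts the keylogger attack described above, here is an added example (not code from the original article) of how such codes are produced and checked: the time-based one-time password scheme (TOTP, RFC 6238) used by most authenticator apps. The secret is a constructed demo value (the RFC’s published test key); a code captured at one moment is rejected once its 30-second window has passed.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 6238 test key, base32-encoded as an
# authenticator app would store it. A real secret comes from the enrolment QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp_code(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP value (RFC 6238 with HMAC-SHA1) for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step                      # which 30-second window we are in
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, submitted: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code only for the current step or an adjacent one (clock drift)."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


def replay_is_rejected(secret_b32: str, captured_at: int, reused_at: int) -> bool:
    """A code logged at captured_at is useless to whoever replays it at reused_at."""
    captured = totp_code(secret_b32, captured_at)
    return not verify_code(secret_b32, captured, reused_at)


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(DEMO_SECRET_B32, now)
    print("current code:", code, "accepted now:", verify_code(DEMO_SECRET_B32, code, now))
    print("same code an hour later rejected:", replay_is_rejected(DEMO_SECRET_B32, now, now + 3600))
```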