For example, in 2012, hackers stole hundreds of millions of logins from LinkedIn (many of which are still for sale today on the dark web). If I had used chris.keall@nzherald.co.nz and HireMe1984 as my LinkedIn login, then hackers could have tried their luck using that combo to access other sites.
The process is often automated for efficiency, with many stolen logins tried on a target website at once. And it was just such “stuffing” that Hell detected on July 22.
“The important message we want to get through to the public and our customers is that the Hell system and database remains secure,” Hell chief executive Ben Cummings told the Herald.
“The attack was not a result of a technical compromise or breach of Hell systems; the attacker used legitimate email addresses and passwords to access customer accounts. We hope that this example can help educate people on the importance of best-practice password security.”
Nevertheless, in a number of instances where people had used the same login for Hell as for other sites that had been breached, the attacker could access their user account.
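The automated pattern described above leaves a recognisable trace in a site's own login logs: one source trying many different accounts in quick succession, most of them failing, with the occasional success on an account whose password was reused elsewhere. The following is an added example, not Hell's or the Herald's code, that flags that pattern over constructed log lines; the log format, the thresholds and the IP addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (assumed format; not a real site's log).
# 203.0.113.5 cycles through many accounts (stuffing); 198.51.100.9 retries
# one account (an ordinary user, or a brute force); 192.0.2.77 is normal.
SAMPLE_LOG = """\
2023-07-22T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2023-07-22T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2023-07-22T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2023-07-22T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2023-07-22T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2023-07-22T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2023-07-22T10:00:10Z ip=198.51.100.9 user=alice@example.com result=FAIL
2023-07-22T10:00:11Z ip=198.51.100.9 user=alice@example.com result=FAIL
2023-07-22T10:00:12Z ip=198.51.100.9 user=alice@example.com result=OK
2023-07-22T10:30:00Z ip=192.0.2.77 user=grace@example.com result=OK
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse(log):
    """Turn log lines into (timestamp, ip, user, result) tuples; skip junk lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that hit many DISTINCT accounts in one window, mostly failing.
    A single account retried many times is not flagged: that is a different pattern."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i in range(len(evs)):
            start = evs[i][0]
            win = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                # Successful logins inside a stuffing run are the accounts to force-reset.
                alerts[ip] = {"distinct_users": len(users), "attempts": len(win),
                              "successes": sorted(u for _, u, r in win if r == "OK")}
                break
    return alerts
```

Thresholds like five distinct accounts in five minutes are deliberately low for the sample; a production rule would also rate-limit per source and per account rather than only alert.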
What was taken
Hell said in an email to affected customers:
“For a small minority of customers, the attacker was able to log in and access that customer’s information. Unfortunately, our analysis shows your account was likely accessed.
“Once the attacker had successfully logged in, they accessed information held on your customer profile. This may include:
“Your name, email address and phone number; any stored addresses used for deliveries; some details of any stored credit/debit cards, including the cardholder name, expiry and only parts of the card number; information about recent orders, including what was ordered and how much it cost.
“Please note that, in line with online payment standards, we do not store the full card number for credit/debit cards in our system. This means the full card number and the security code (CVV) were not able to be accessed.”
The Privacy Commissioner and other authorities were alerted. “We’ve been very open about what’s happened,” Cummings said.
Affected customers will be required to change their password next time they log on - and the strong recommendation is to also change passwords they use for other services.
Although its systems were not breached, Cummings says Hell will review them regardless, with a view to assessing if there are any steps it can take to protect customers who have been careless with password reuse.
Passwords: How the Hell do you wrangle them all?
You need not just a unique password for every site, but a long and strong password. That means at least 15 characters, with at least one number or special character.
The rub, of course, is that you need different long and strong passwords for every website.
One solution suggested by Netsafe and other experts is to use lyrics from a favourite song as a “pass phrase”, if a site allows long, multiword logons. You can use different lines from the same song for different sites, throwing in a few special characters or numbers to mix it up.
You could use a password manager like the highly-rated 1Password or BitWarden - so you only have to remember one login for a virtual vault that generates and stores unique passwords for every site you access.
Google (Chrome), Microsoft (Edge) and Apple (Safari) all have password management built into their web browsers. Just accept the suggested passwords, then rely on your browser auto-filling them most of the time - and, when it doesn’t, put up with it and select “reset password”.
And always take the option for two-factor authentication when it’s offered. That is, a confirmation message sent to your phone by text (or, in some cases, an app on your phone) whenever there’s a login attempt from a new device.
Chris Keall is an Auckland-based member of the Herald’s business team. He joined the Herald in 2018 and is the technology editor and a senior business writer.