I wrote this diary while waiting for my flight back to home. Last week, SANSFIRE was held in Washington where I met some ISC handlers. I did not pay too much attention to the security news but I faced an interesting story. Recently, a data leak affected LinkedIn and a friend of mine had a chance to have access to the data (o.a. decrypted passwords). He contacted my and suggested to change my password as soon as possible (as a proof, he sent my password). It was indeed a “valid” one but not my “current” one. More precisely, it was the very first password that I used when a created my LinkedIn account (a long time ago). Interesting… It means that the leaked is not recent.

 

Passwords are a sensitive topic:  don’t play with fire and follow this golden rule: Change them often and don’t re-use them. The “leak” which affected TeamViewer is a good example. I put leak between quotes because it appeared that some of their users were compromised due to password re-use as they stated. To track and analyze this, password managers and dormant accounts can be very useful to track data leaks.

 

Usually, when I receive an invitation to create an account on a website, I accept it and create a unique email account that will NEVER be used somewhere else. I'm using something like: "website-url (at) unused (dot) rootshell (dot) be" or “login_webshop.com". This helps me to track:

Another interesting feature of some password managers (well, the one I’m using includes it), they keep a history of the previous passwords and time stamps (when they have been changed):

Based on this information, I’m able to estimate when the data leak really occurred and if it is really coming from the supposed victim or from another source.  This is a new proof that password managers are mandatory for everybody: they protect you and they contain useful data to analyze security incidents. Stay safe!

 

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key