How this information gets released
The information can come from data breaches of businesses or organisations. Information leaked from breaches can be published online, and can contain information from one source, or from a range of sources.
When the details are published online, it’s not always immediately obvious where the information has come from. The companies involved may not be aware that the information is online.
Often it can be the result of a website or service suffering a security incident, and the information being stolen from their systems. This information might be sold, or publicly released online or to others. Large scale information leaks are often traded by cybercriminals, mixed in with information from other leaks, and sold again.
Types of information
The types of information varies in each release, depends on what service the information was obtained from. It can be personal information like your name and address, or even medical or financial information. It can also be your username and password, often including email addresses. This is often called a credential dump.
The impact of an information leak also varies depending on what information was leaked. A credential dump can let someone else access your online account, or other accounts that use the same username and password. With this information, someone might use your email account to send spam or phishing emails, or access other services like your online banking.
How to protect your private information
It’s important to protect privacy and have control over where your personal information goes and who has access to it. Taking a few simple steps can help you secure your information.
- Only share as much information online as you need to and make sure you have strong privacy settings on all online accounts.
- If you feel you’re being asked to provide a business or service with more private information than you feel is relevant, check what the information is being used for.
- Use strong, long and unique passwords on your accounts, that way if your password on one account is leaked you only need to update that one account and your other accounts are safe.
- Turn on two-factor authentication for all your online accounts to add an extra layer of security.
Find out if you’re affected
You may not know you’re affected until it’s too late. Many New Zealanders have received a scam email, in which the scammer claims to have accessed your computer, and they include a password to make you think that they are telling the truth. This scam has been around for quite some time, and we’ve previously issued an alert about it External Link . The passwords that the scammers use in these emails come from previous credential dumps.
If you’re concerned that some of your personal information has been released through a data breach:
- contact the relevant business or organisation to see if the breach affects any of your accounts
- change the passwords for any accounts you think may be at risk
- get a free credit check done. This will let you see if any accounts have been opened in your name. There are three main credit check companies in NZ, and you’ll have to contact all of them. You can ask to have your credit record corrected if there’s any suspicious activity on it.
Several large/public data breaches have been added to a website called Have I been Pwned? While CERT NZ doesn’t have an affiliation with this website, and hasn’t verified the data contained there, it is a central repository of data breached in a range of releases. Users can visit the site to see if their email address is included in the list of released details. You can also sign up to get notified if your email address turns up in a new dump that they track
If your information is released
If your email address has been part of a breach, change the password for that account immediately.
Some people make patterns of their passwords, to make them easier to remember. Unfortunately this also makes them easy to guess. If you have reused a password on other accounts, or have a password pattern, change the passwords for those other accounts too. If your password for Adobe is Adobe123 and that information was part of a credential dump, attackers will go and try Twitter123 and Facebook123 with your email address.
What to do if your identity is stolen
If you’ve been a victim of identity theft, the Department of Internal Affairs (DIA) has guidance and information on the steps you should take.
Ways to protect your information.
- Use different passwords or passphrases for each account. Use a password manager to help keep them safe.
- Enable two-factor authentication on your accounts
- Fake login pages can be very convincing. Enter the website address directly or use a bookmark in your browser, instead of following a link. This prevents fraudsters sending you to the wrong place.