The following editorial appeared in Friday’s Chicago Tribune:
As you’ve likely heard by now, in a small city in south central Russia, a gang of computer criminals has amassed a huge cache of stolen Internet credentials. They’ve swiped a mind-boggling 1.2 billion user name and password combinations, The New York Times reports. And more than 500 million email addresses.
As of late last week, the crooks hadn’t sold many records online, the paper reported. Instead, they’re collecting fees for using the stolen information to send spam on social networks like Twitter.
We imagine that many people around the world heard the news that their personal digital info had been hijacked by a Russian gang with … a weary shrug.
Sure, this latest Internet heist sounds globally ominous. And personally disturbing. Yes, tech experts were out in force, advising people to change their passwords again. But this massive breach of privacy comes:
• After many people already had changed them after last year’s massive credit card breach at Target stores.
• And after the major eBay hack that prompted the company to urge users to change passwords.
• And after the massive Heartbleed virus in April scared the bejesus out of millions of Americans because the virus attacked major bank and other Internet sites via servers — allowing thieves to mimic those sites or lift users’ personal information or do whatever nefarious things that computer hackers do with such access.
The blog post from the Tor Project, which develops software to deflect privacy incursions online, said Heartbleed was so potentially catastrophic that “If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle.”
Stay away from the Internet for a few days? That’s like advising most of us not to inhale for a few days. Not possible.
In the aftermath of Heartbleed, many people scrambled to change passwords and flooded customer service agents at banks and other large companies with questions that elicited vague assurances that their systems were not affected, but that you might just want to go ahead and change your password anyway, for peace of mind.
Those kinds of wan assurances give no one peace of mind.
Anyway, back to the Russians. As these heists get bigger and bigger — at least the ones we know about — and the thieves grow more and more brazen, we expect that a password change today won’t be the last one. Many people may play the odds — if the Russians have nearly everyone’s data, what’s the chance they’ll try to use mine?
We don’t know if that is a sound strategy or just our growing resistance to changing passwords with every cyber alarm. Password proliferation over the past decade means that many a person scribbles a long list of passwords lest he or she forget them … and then stores the list, hoping that it can’t be as easily stolen. And yes, confident entrepreneurs assure us, there are password protectors online. Uh-huh. What could possibly go wrong?
The day can’t come too soon that all of our Internet accounts are linked to fingerprints, voice, facial or retina scans — a DNA strand? — that cannot be easily hacked or stolen. But given the fact that we’re talking about systems engineered by fallible humans, we’re pretty sure that ingenious thieves will find a way to hack those, too.
Meanwhile, the disturbing but inescapable fact is: Everyone is at risk. But at least there’s some comfort in having all that company.