For Immediate Release - May 23, 2014

AG Coakley Reminds Consumers to Use Secure Password Practices on the Internet

eBay Notifies AG’s Office About Compromise of User Information; Requests Users Change Passwords

BOSTON – Following a notification from eBay that it experienced a cyberattack that compromised a database containing user information, including encrypted passwords, Attorney General Martha Coakley reminds consumers to use secure password practices when using the internet, and to be vigilant against phishing attempts.  The AG’s office is also working with other states to closely monitor the situation.

“The eBay compromise serves as a reminder that internet users should be vigilant to help safeguard their personal information,” AG Coakley said.  “Consumers can increase the security of their information online by adopting strong passwords, using different passwords across the various internet sites they visit, and being cautious in providing their confidential information to others.”

This week, eBay notified the AG’s Office that one of its user databases was compromised in a cyberattack.  According to eBay, the database contained eBay users’ full names, e-mail addresses, physical addresses, phone numbers, dates of birth, and encrypted user passwords.  eBay has informed the AG’s Office that no user financial data or confidential personal information was affected, and that it has found no evidence that its PayPal databases were involved.  Nonetheless, AG Coakley warns consumers that scammers may try to use consumers’ non-confidential information (such as a phone number or email address) to “phish” confidential and financial information from the consumer by posing as a representative from a legitimate website, business, bank, or retailer, or as an IT administrator.

AG Coakley provides the following tips on how consumers can help increase the security of their passwords online and avoid becoming a victim of a phishing attempt:

  • Do not use obvious passwords.  When selecting a password, avoid the obvious, such as personal information (e.g. names, birthdates, addresses), the name of the website or service you access through the password (e.g. “ebay”), or other commonly used passwords that are easy for others to guess. 
  • Complex is better. The more characters in a password, the harder it is to crack.  Many internet sites require that your password be a certain length, but when you have a choice, adopt a password that is at a minimum 8 characters long, and use numbers and symbols in addition to letters.
  • Use a secret code.  One way to create a password that is both strong and easy to remember is to build one using a letter from each word of a favorite phrase (e.g. “Old Macdonald Had a Farm E-I-E-I-O” would become “omhafeieio”).  Other strategies include using symbols or numbers in place of some letters.
  • Do not share passwords.  Keep your password to yourself; sharing passwords increases the risk of your account being accessed by others.
  • Use different passwords for different online services.  Do not use the same password for multiple internet sites, especially banking websites, as it increases your exposure to identity theft or fraud.
  • Change passwords frequently.  It is a good idea to change your passwords frequently to decrease the amount of time someone can use your password successfully.  Changing passwords every 30-90 days is good practice. 
  • Avoid Getting “Phished.”  Be suspicious of any request (usually by phone, mail, or e-mail) for your personal information that you did not initiate or are not expecting.  If someone requests your personal information (e.g. a call from your “bank” to “verify” your account), always verify their identity before providing it to them - ask for their name, organization, phone number, and address.  Confirm this information through an outside source, such as the company's website, customer service representative, or a telephone directory.  Additionally, be careful when asked to open attachments or click on hyperlinks within an e-mail from an address you do not recognize or are not expecting. 

More information on how consumers can safeguard their personal information and computers may be found on the AG’s website.

#############
