Late last night we were alerted of a security breach that allowed a malicious user to access our database, which included user e-mail addresses and other basic profile information. No financial information has been accessed by any unauthorized parties….
I’m not picking on DivShare. Indeed, they did all the right things: notified users, took the site down while they fixed things, apologized, and tightened their security. But this does raise the question of how well we’re all protecting our own identity information in this world of shifting Web 2.0 services.
If you’re a web worker who regularly tries new things, then you probably have personally identifiable information scattered around dozens of web sites: usernames, email addresses, snail mail addresses, phone numbers, passwords, and more – not to mention whatever billing information you have provided to sites you decided were worth paying for. But what do you know about the security of this information? The answer is likely, “not much.” The Web 2.0 equation includes a large amount of trust that service providers will do the right thing.
Unfortunately, as the DivShare example demonstrates, it’s not that simple. If you have put information out there in fifty places, there are fifty different places where it could be hacked, stolen, or misused. Though there is plenty of information out there for developers who need to implement secure web sites, there’s no guarantee that the developers of any particular site have read it – or made use of it.
Faced with this situation, the sensible thing to do is to protect your own information as well as you can. The first and most important step is to use some sort of password manager so that you are not sharing passwords between sites. While that won’t protect you from any given site being hacked, it does mean that information harvested from one place won’t let Bad People log on as you in another place. For maximum security, use different user names wherever you can.
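The point of the password-manager advice is that a credential harvested from one breached site should unlock nothing else. The following Python script, an added example and not part of the original post, shows the two checks a practitioner would run against an exported credential list: which passwords (and which usernames) are shared across sites, and how to replace the shared passwords with fresh ones drawn from a cryptographically secure random source. The vault entries below are constructed sample data with invented .test hostnames; the function names are the example's own.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample of a credential export: one entry per site.
# These are invented accounts on reserved .test hostnames, not real data.
SAMPLE_VAULT = [
    {"site": "example-filehost.test", "username": "alice",   "password": "summer2007"},
    {"site": "example-forum.test",    "username": "alice",   "password": "summer2007"},
    {"site": "example-shop.test",     "username": "alice_s", "password": "Tr0ub4dor&3"},
    {"site": "example-mail.test",     "username": "alice",   "password": "summer2007"},
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def find_reused_passwords(vault):
    """Group entries by password. Any password used at more than one site
    is a single point of failure: a leak at one of those sites exposes all
    of them. Returns {password: [site, ...]} for the reused ones only."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_shared_usernames(vault):
    """Same grouping for usernames. A username reused everywhere lets an
    attacker who has one leaked pair know exactly which login to try
    elsewhere; the post recommends varying usernames where possible."""
    by_user = defaultdict(list)
    for entry in vault:
        by_user[entry["username"]].append(entry["site"])
    return {user: sites for user, sites in by_user.items() if len(sites) > 1}


def generate_password(length=20):
    """Build a password from the secrets module (a CSPRNG, unlike random),
    and require at least one lowercase, uppercase, digit and punctuation
    character so it clears typical site complexity rules."""
    if length < 4:
        raise ValueError("length must be at least 4 to satisfy all classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def rotate_reused(vault):
    """Return a copy of the vault in which every entry that shared its
    password with another site receives its own freshly generated one.
    Entries whose password was already unique are left untouched."""
    reused = find_reused_passwords(vault)
    rotated = []
    for entry in vault:
        new_entry = dict(entry)
        if entry["password"] in reused:
            new_entry["password"] = generate_password()
        rotated.append(new_entry)
    return rotated


if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password shared by {len(sites)} sites: {', '.join(sites)}")
    for user, sites in find_shared_usernames(SAMPLE_VAULT).items():
        print(f"username {user!r} shared by {len(sites)} sites")
    fixed = rotate_reused(SAMPLE_VAULT)
    print("reuse after rotation:", find_reused_passwords(fixed))
```

Running the script reports that one password covers three of the four sample sites and that the username alice is shared by the same three; after rotation each site holds a distinct 20-character password and the reuse check comes back empty. In practice the rotation step is the part a password manager automates for you; the audit step is worth running on any export you already have.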
The more you spread your identity around, the more you ought to keep an eye on it. At the very least, you ought to check your credit report annually; if your credit card info is in many places, you might want to consider one of the paid services that will monitor your credit report on an ongoing basis.
Ultimately, I’d like to see some standards emerge among Web 2.0 services in this area. One huge help would be automatic account sunsetting – if I haven’t logged on to your service in six months or a year, delete my information (obviously, there would need to be a way for users who don’t want this service to opt out). Failing that, you can try to keep track of your own registrations and delete the ones you aren’t using – though many sites make it tough to even do this.
What have you done to protect your own registration info online? Any tips for other readers?