It was a bad week for nearly a million people who use the Internet.
Yesterday (July 12), we told you about the Yahoo! Voices data breach, which exposed the email addresses and passwords of 450,000 people.
But that wasn't the only big data breach this week.
On Tuesday (July 10), the question-and-answer Website Formspring revealed that 420,000 encrypted passwords had been posted online, suspended passwords for its 28 million registered users and asked that they all change their passwords.
The same day, the AndroidForums.com discussion site revealed that an unknown number of IDs, usernames, email addresses and encrypted passwords had been compromised.
On Wednesday (July 11), hackers calling themselves WikiBoat posted about 21,000 email addresses and unencrypted passwords stolen from Billabong.com, the website of the Australian surfing-wear maker.
Also on Wednesday, a rival hacker group calling itself Nullcrew posted usernames, possible email addresses and encrypted passwords of 568 registered users of the World Health Organization website.
Yesterday, the graphics-card maker Nvidia announced that it had suspended its forums "in response to attacks on the site by unauthorized third parties who may have gained access to hashed passwords."
Nvidia did not disclose how many users might have been affected, but noted that usernames, email addresses, names and birth dates may have been compromised.
In a separate incident yesterday, Nullcrew returned and posted email addresses and usernames for about 1,000 registered users of the PBS website, along with encrypted passwords for about 75 users.
(Anyone worried whether their password has been compromised should check the website https://shouldichangemypassword.com/; it has a searchable list of all email addresses recently exposed.)
Dumb and dumber
No website should allow its user database to be breached, but the really egregious offenders here are Yahoo! and Billabong. Formspring, Android Forums, Nvidia and even the nonprofit PBS and World Health Organization encrypted (and, at least in the case of the first two, salted) their passwords.
Yahoo! and Billabong didn't even take that elementary step. Anyone looking at either list — they're not hard to find online — can see what the user passwords are, and many of those passwords can be used to unlock accounts on other websites.
Nearly half a million people are at risk of account hijacking and identity theft, partly thanks to those two companies' sloppy security practices.
In fact, the Yahoo! and Billabong breaches are even worse than the LinkedIn and eHarmony breaches last month — the latter two companies had at least weakly encrypted their users' passwords.
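The "elementary step" the article says Yahoo! and Billabong skipped, salted password hashing, shown as an added Python example (not code from any of the sites named here); the iteration count, salt length and record format are assumptions chosen for illustration. It also shows why salting matters: two users with the same password get different stored records, so a leaked table reveals neither the passwords nor which users share one.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 parameters; both values are assumptions for this example.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt is drawn per user, so identical passwords do not
    produce identical records and precomputed tables do not apply.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """Store only salted hashes; the plaintext never enters the table."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample accounts: two users who happened to pick the same password.
    table = build_user_table({"alice": "hunter2", "bob": "hunter2"})
    for user, record in table.items():
        print(user, record)
    # Same password, different records: a leaked table does not expose the shared password.
    assert table["alice"] != table["bob"]
    assert verify_password("hunter2", table["alice"])
    assert not verify_password("hunter3", table["alice"])
```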
Queries seeking comment from Billabong were not immediately returned.
Don't be a victim
You can't control the security policies of the companies you register with, but you can minimize your chances of identity theft and account takeover with a few simple steps.
First, make your passwords long and complicated. Use at least eight characters and toss in numbers, upper-case letters and punctuation marks. If you can remember total gibberish, use that; otherwise, base your password on something that's not normally found in a dictionary or a book of quotations.
Second, don't re-use passwords, at least not for Web-based email or for any site that involves financial transactions of any kind, including banks, brokerages and any online retailer that offers to remember your credit-card number for you.
Third, and perhaps most difficult, change your important passwords every few months. It's fine to subtly change existing passwords by transposing characters or substituting numbers for letters — just do it regularly.