Users need to be mindful of the ways in which hackers can take over their accounts, according to Brian Krebs. Krebs says his experience as the owner of an “OG” Gmail address showed him how many people don’t realize that backup email addresses can be used to gain access to their primary email accounts.
Short usernames on popular platforms are known as OG (original gangster) accounts, and they’re usually scooped up by the platform’s early adopters. These accounts are coveted by certain online communities, and they’re often targeted by hackers and traded on underground forums.
Krebs says he registered for a Gmail account sixteen years ago and was able to get a short, simple email address that hadn’t yet been used. (He wisely doesn’t reveal what the email address is.) The account receives a lot of spam and account takeover requests, but Krebs says he isn’t surprised by this.
What he didn’t expect, however, was how many people would use his email address as their backup email when they created online accounts, apparently failing to understand that someone actually owned that email and could now reset their password.
“This particular email address has accounts that I never asked for at H&R Block, Turbotax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few,” Krebs writes. “I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into. I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.”
Krebs concludes that keeping security in mind when you set up an account is worth the extra effort.
“Losing access to your inbox can open you up to a cascading nightmare of other problems,” Krebs says. “Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address. More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider.”
New-school security awareness training can teach your employees how to keep their online accounts secure.
KrebsOnSecurity has the story.