There is an obvious question here, right?
Why do you still have this database sitting around?
Seriously, why? Either you’re telling the truth and you have a vulnerable system sitting out there that you’ve never even used, or you have been using it and you’re lying to save face now that data has been breached. Neither one makes you look particularly good, does it?
I mean, you really should use one for the obvious reason listed here, it lets you create a ton of different passwords, and make them complicated enough that they are hard to crack, since you no longer have to remember them, but they also make it easy for you to help someone gain access to important information and accounts when you are unable to. Because believe me, it happens.
The breach of the WordPress credentials is bad, as is the sFTP credentials. Sure, if you are still using the same WordPress password that GoDaddy assigned to you when you started the account, you really need to step up your game.
WordPress is an inviting target, because getting admin access to a WordPress install, or really any other content management system, makes it super easy to lock out the original owner and inject anything you want into the site. Want a place to spread malware in drive-by injections? Nothing like an already existing, and maybe even trusted, WordPress site, eh?
And so, I wonder if those yearly, semi-annual, quarterly, video training would be a lot more effective if we also shared specific examples of people who got phished, and how they fell for it?
Like most things in life, it’s one thing to hypothetically know that something could happen, but it’s quite another to know that it did happen to someone we know. Someone just like us. That makes it so much more real in our minds, and it appears to make a huge difference in how users might approach phishing attempts.
Most people do the right thing with passwords for financial accounts, but all the websites that make them create an account just to read an article? Who really cares if that account gets hacked? Why not just use the same password for all of them? What’s the hacker going to do, read USA Today as them? Who cares?
That is all just normal, human, behavior. The thing that should scare the hell out of security professionals is how many people view their work access the same way. They don’t care. It’s not their data, it’s just the place where they happen to work, for now. This shows in the low number of people creating a strong password for their work accounts. (It also shows how making them change it every few months really just backfires.)
And so, I repeat. Do not give out any information to someone who calls you. Hang up, and call your bank directly.
Go read the whole thing for more of the details on these services, and how they work. It’s interesting. But if you remember nothing else, remember that when anyone calls and says they are calling about your account, a legal issue, etc. Hang up, and call the place they say they are calling from directly. That’s not how any legitimate business works anymore, so the second someone calls you and starts asking you to verify who you are, be suspicious and hang up.