In light of the various hacking incidents and alleged incidents that came to light in the four days starting on Christmas Eve/the final night of Hanukkah, you need to change your passwords and keep an extra-sharp eye on your payment-card accounts.
Of course, such an announcement inspires you to ask: “Which of my passwords and cards are we talking about, here? Which specific ones must I worry about?”
The play-it-safe answer seems to be “All of them” – at least according to the scariest reports to come out of the four-day holiday weekend.
First off, video-game players had a lousy Christmas after hackers shut down the Sony PlayStation and Microsoft Xbox live-gaming networks with apparent dedicated denial-of-service (or DDoS) attacks: flooding the Xbox or PlayStation servers with so many false login requests that no genuine players could get in. (In telephone terms, imagine thousands of phones programmed to repeatedly call a single number, for the sole purpose of tying up that line and preventing any legitimate calls from getting through. A DDoS attack does the same thing over the Internet.)
For the millions of people who received new PlayStations or XBoxes for Christmas, the DDoS attack meant they couldn't set up their new consoles, and nobody could connect for multi-player games.
A group of hackers calling themselves “the Lizard Squad” claimed credit for the attacks, and apparently even managed to make a $300,000 profit from their activities: on Dec. 26, MegaUpload founder Kim Dotcom reportedly offered the Lizard Squad hackers 3,000 vouchers worth $99 apiece for his content-hosting service, if Lizard Squad would stop the DDoS attacks.
Today, security expert Brian Krebs unveiled the identities of the people he believes are behind the “Lizard Squad” – or at least the identities of the people who've been giving media interviews while claiming to belong to the Lizard Squad.
The next day, Dec. 27, came news that a possibly different bunch of hackers claiming to be associated with hacking super-group Anonymous had supposedly stolen and then leaked 13,000 account numbers, passwords, and/or customer credit-card information from a wide variety of websites, companies and corporations including Amazon, Walmart, PlayStation Network, Xbox Live, Hulu Plus, Dell and many more (including several pornographic sites).
That long, long list of affected websites and companies made it sound like a massive, major hacking indeed — until you realize that 13,000 stolen accounts would be a relatively small number for even one of those mega-companies, let alone that entire list.
Apparently, the hackers didn't actually manage to “hack” into the databases of the companies on the list; more likely, they planted malware on individual users' computers or other devices, and stole passwords and other account information from that end.
That's how Russian hackers managed to steal and post 5 million Gmail passwords last September – or so it seemed. When news first broke of “5 million Gmail passwords” leaked in a secret hackers' forum, observers initially worried that Google's actual Gmail databases had been compromised, but that wasn't what happened. Instead, hackers stole passwords and other account information from other, less-protected sites, such as registration-required discussion forums or article comments, then tried those passwords with the victims' other accounts and discovered that they worked.
That might be how hackers got those 13,000 leaked passwords over the holiday weekend, too. But the key word there is “might” – if you have accounts with any of the companies Anonymous listed this weekend, even if all of your passwords are unique and never shared across accounts, you might want to change your password and should definitely keep an extra-sharp eye on any credit or payment cards attached to those accounts, just in case.
The Internet itself
Of course, these weren't the only hacking stories to mar the peace of the holiday weekend. The day after Christmas came news that the Internet itself had been hacked – or at least the website of the Internet Systems Consortium, ISC.org, which went down “for maintenance” that day (and remains down as of press time) because it had been infected with malware – though the ISC says “We have not had any reports of any client machines that have been infected from our website.”
What is the Internet Systems Consortium, and why should you care about it? The short and simple answer is: because the entire planetary “Internet” as we know it essentially resides among 13 different global authoritative DNS (domain name servers) – no DNS means no Internet – and the Internet Systems Consortium operates one of those 13 servers.
So that's the list of holiday hacking victims: the two major gaming networks, various customers of almost every major online retailer or entertainment service provider, plus roughly one-thirteenth of the foundations of the Internet itself. You might enjoy taking time off during the holidays, but criminals never do.