Tag Archives: security

E3 Expo Leaks The Personal Information Of Over 2,000 Journalists

A spreadsheet containing the contact information and personal addresses of over 2,000 games journalists, editors, and other content creators was recently found to have been published and publicly accessible on the website of the E3 Expo.

The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well as the file itself, but the information has continued to be disseminated online in various gaming forums. While many of the individuals listed in the documents provided their work addresses and phone numbers when they registered for E3, many others, especially freelance content creators, seem to have used their home addresses and personal cell phones, which have now been publicized. This leak makes it possible for bad actors to misuse this information to harass journalists. Two people who say their private information appeared in the leak have informed Kotaku that they have already received crank phone calls since the list was publicized.

The existence of this document was first publicized in a YouTube video that journalist Sophia Narwitz posted to her personal channel on Friday night. (Narwitz has not yet responded to Kotaku’s request for more details about the discovery of this document.) In her video, Narwitz described how the file could be accessed: “On the public E3 website was a web page that carried a link simply titled ‘Registered Media List.’ Upon clicking the link, a spreadsheet was downloaded that included the names, addresses, phone numbers, and publications of over 2,000 members of the press who attended E3 this past year.”

Again, the E3 website has since been updated to remove this link, but cached versions of the site do indeed show that a link titled “Registered Media List” used to appear on a “Helpful Links” page. For some time yesterday, even after this page was removed, clicking on the link in the easily-accessible Google cached version of the page would download the spreadsheet from the E3 website’s servers.

“Before even considering making this story public, I contacted the ESA via phone within 30 minutes of having this information,” Narwitz continued in her video. “Worried that might not be enough, I also shot off an email not too long after. On top of that, I reached out to a number of journalists to make them aware of this.”

One reporter who asked to remain anonymous told Kotaku that he had been one of the people Narwitz contacted before publishing her YouTube video. That reporter says that Narwitz told him she had first learned of the document’s existence because someone had emailed her anonymously to say that they had discovered it and downloaded the information. After receiving this email, Narwitz purportedly then confirmed the file’s existence herself. The reporter who says Narwitz contacted him told Kotaku that he had cautioned Narwitz against publicizing any information about this spreadsheet until after it had been removed by the ESA. That reporter then contacted an ESA representative himself. After that, the direct link to the file was removed from the website. Unfortunately, the file itself was still accessible to anyone who knew the link or could find the Google cached version of the page.

After the page containing the link to the file was removed, Narwitz published her YouTube video about the leaks, seemingly believing that the file was no longer accessible. Soon after that, users noted on social media that although the link to the file had been removed, the spreadsheet file itself was still accessible. The anonymous reporter told Kotaku that he then contacted the ESA a second time and, at that point, the ESA deleted the file from its website. However, Narwitz’s video had already unwittingly publicized the existence and continued availability of the file, the contents of which continue to be shared online.

The ESA provided Kotaku with a statement about the leak. “ESA was made aware of a website vulnerability that led to the contact list of registered journalists attending E3 being made public,” it wrote. “Once notified, we immediately took steps to protect that data and shut down the site, which is no longer available. We regret this occurrence and have put measures in place to ensure it will not occur again.”

The ESA representative declined to respond to Kotaku’s other questions about why the file was not properly password-protected, how long the file had been available to the public, and whether this was the way that journalists’ personal data had been treated by the organization in past years.
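The failure described in this story, where the link was taken down but the file behind it kept being served, can be checked for from the site owner's side. The sketch below is an added example, not part of the original article or any ESA code; the host `expo.example`, the file paths, and the status table standing in for the web server are all constructed.

```python
"""Flag files that are no longer linked from a page but are still served."""
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Statuses that mean "not publicly retrievable": auth required, denied, gone.
NOT_PUBLIC = {401, 403, 404, 410}


class LinkCollector(HTMLParser):
    """Collect absolute link targets and their visible text from a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = {}      # absolute URL -> link text
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self._href = urljoin(self.base_url, href)
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links[self._href] = "".join(self._text).strip()
            self._href = None


def collect_links(html, base_url):
    parser = LinkCollector(base_url)
    parser.feed(html)
    parser.close()
    return parser.links


def http_status(url, timeout=10):
    """Real fetcher for use against your own site (not called by the sample)."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def orphaned_files(old_html, new_html, base_url, fetch_status):
    """Return (url, link text, status) for same-site targets whose link was
    removed from the page while the target itself is still retrievable."""
    old_links = collect_links(old_html, base_url)
    new_links = collect_links(new_html, base_url)
    own_host = urlparse(base_url).netloc
    findings = []
    for url, text in sorted(old_links.items()):
        if url in new_links or urlparse(url).netloc != own_host:
            continue  # still linked on purpose, or not our server
        status = fetch_status(url)
        if status not in NOT_PUBLIC:
            findings.append((url, text, status))
    return findings


# --- Constructed sample data (hypothetical host and paths) ---
BASE_URL = "https://expo.example/helpful-links"
PREVIOUS_PAGE = """
<ul>
  <li><a href="/hotels">Hotel Information</a></li>
  <li><a href="/files/registered-media-list.xlsx">Registered Media List</a></li>
  <li><a href="/files/floor-map-2018.pdf">Floor Map</a></li>
  <li><a href="https://maps.example/venue">Directions</a></li>
</ul>
"""
CURRENT_PAGE = """
<ul>
  <li><a href="/hotels">Hotel Information</a></li>
  <li><a href="https://maps.example/venue">Directions</a></li>
</ul>
"""
CONSTRUCTED_SERVER = {
    "https://expo.example/hotels": 200,
    # Link removed from the page, file left on the server:
    "https://expo.example/files/registered-media-list.xlsx": 200,
    # Link and file both removed:
    "https://expo.example/files/floor-map-2018.pdf": 404,
}


def constructed_fetch(url):
    """Stand-in for http_status() so the sample runs offline."""
    return CONSTRUCTED_SERVER.get(url, 404)


if __name__ == "__main__":
    for url, text, status in orphaned_files(
        PREVIOUS_PAGE, CURRENT_PAGE, BASE_URL, constructed_fetch
    ):
        print(f"still served ({status}): {url}  [was linked as {text!r}]")
```

Against a real site, pass `http_status` in place of `constructed_fetch` and use the last deployed copy of the page as the previous version; search-engine caches keep pointing at the old targets after the link is gone.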

Source: Kotaku.com

How the Facebook-FTC Agreement Will Affect You and Your Data

The Federal Trade Commission (FTC) and U.S. Justice Department (DOJ) have been taking Facebook to task regarding its recent privacy blunders, including the company’s failure to comply with a 2012 FTC ruling over how Facebook handles its users’ data.

While the DOJ lawsuit is still being litigated, Facebook recently agreed to an FTC order that requires the company to pay $5 billion in fines and submit to a 20-year oversight program—including annual reviews of its privacy and data collection practices.

The finer points of the FTC’s ruling mostly affect Facebook’s business structure and won’t have an immediate impact on the user experience (if any at all). However, there are several changes to how Facebook collects and disseminates data that will affect users—some of which build upon existing changes Facebook recently made, likely in anticipation of what was coming down the pike.

Here’s a quick rundown of the privacy changes that you should know about, and how they affect you and your Facebook data.

New rules for sharing data with third-party apps and advertisers

The FTC ruling sets stricter standards for how Facebook deals with third-party apps and advertisers. Facebook is now required to remove third-party entities that don’t comply with Facebook’s policies or cannot reasonably justify their requests for specific data from Facebook’s users.

This means that these apps and advertisers no longer have carte-blanche access to user data and must explain exactly how and why that data will be used, but the exact standards for “justifying” requests are not defined. That lack of definition could lead to a lot of grey areas regarding these rules, but Facebook users have several tools for seeing how their data is brokered, and controlling access to it. Most importantly, this ruling doesn’t place limits on how Facebook can learn more about you; rather, it’s attempting to curb what Facebook sells to advertisers.

Better transparency for facial-recognition technology

Facebook now has to clearly alert users that it uses facial-recognition technology, be more forthcoming about how and why it’s used, and alert users if it updates its technology or functionality beyond what users were originally asked to agree to. The company also has to get express consent from users in order to opt them into facial recognition features in the first place—something it notoriously overlooked in the past.

We’ll likely see a better explanation of the technology and further refined opt-in/out user settings as a result of this ruling, but it’s important to point out that it doesn’t change current user settings—though we have a guide for reviewing and changing Facebook facial recognition settings.

New password storage requirements

Paradoxically, it was both shocking and unsurprising when reports exposed Facebook’s poor password data protection. Thankfully, as per the FTC ruling, all password data must now be fully encrypted and the company is now required to regularly scan for plain text storage on its servers. Similarly, Facebook won’t be able to ask new users for their email passwords to other services, either.

Restricted collection of phone numbers

In the past, Facebook had ways of finding (and then distributing) your phone number, even if you didn’t supply such data in your profile. With this new FTC ruling, Facebook is now barred from “using” phone numbers it obtained through security features, such as two-step verification.

What’s unclear, however, is what exactly “using” means. Collecting them? Selling them? It’s hard to say, and that’s frustrating since Facebook has a habit of “accidentally” collecting phone numbers. Thankfully, there are ways to delete such information from your profile and keep Facebook from snooping around your device’s contact information.

Illustration of Facebook’s new privacy structure
Image: FTC

We won’t know the full effect users will see from these changes until they’re implemented and acted upon, but it’s hard to put much faith in these changes as long as the platform subsists on collecting and selling your data. We’ll have to wait and see how it all shakes out (including the still-in-progress DOJ lawsuit), but in the meantime, it may be wise to consider whether Facebook is worth keeping—or if you should delete it for good.

Source: Kotaku.com

Here’s Every New Privacy Feature Apple Announced Today

Apple CEO Tim Cook speaks at the Apple Worldwide Developers Conference in San Jose, Calif., Monday, June 3, 2019.
Photo: Jeff Chiu / AP

Apple has been facing increased criticism of its privacy practices lately and rightfully so. During CES 2019 last year, the company tried trolling visitors of the annual conference—which it famously does not attend—with a brazenly false piece of advertising: a massive outdoor ad declaring “What happens on your iPhone stays on your iPhone.” Nothing could be further from the truth.

Last week, the Washington Post published the results of one experiment that showed thousands of trackers siphoning data off the iPhone of technology columnist Geoffrey Fowler. “In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic,” he wrote. (Yelp alone was reaching out to grab Fowler’s IP address every five minutes.)

Apple’s big privacy claim was a lie, there’s no other way to put it—even if it did look catchy on the side of a Las Vegas hotel.

This year’s Worldwide Developers Conference (WWDC) saw a few privacy-focused announcements and none that would address all of the tracking issues discovered through Fowler’s experiment. But some options, such as new location sharing features for iOS 13, are a good place for the 43-year-old company to start. Others, such as Apple’s new login system, are exciting and will undoubtedly help consumers shield themselves from data vampires like Facebook.

Here’s every privacy and/or security-related feature, big and small, announced by Apple today:

Noise app

The first time we heard the word “privacy” on stage Monday it was a reference to the Noise app debuted for Apple Watch. The purpose of the app is to warn users when they’re in environments where sound levels are high enough to negatively impact hearing. “The watch can send a notification if the decibel level reaches 90 decibels, which can begin to impact hearing after four hours per week of exposure at this level, according to the World Health Organization,” Apple says.

Of course, in order for Noise to accomplish this, it needs to have its ears on. This type of always-listening technology scares a lot of people. Alexa users, for instance, freaked out when it was disclosed that actual human employees were listening to recordings taken from Echo devices.

Apple’s VP of health, Dr. Sumbul Desai, issued this promise: “It only periodically samples and does not record or save any audio.” According to Apple, none of the audio or sounds in the environment are saved by the app or sent to Apple; only decibel levels are sampled. That’s good news for users who work in loud environments and want to know if they’re potentially suffering long-term damage, but at the same time value their privacy.

Health data

Apple’s policies toward health data didn’t change on Monday, but the company announced a slew of new tracking features for the Health app, including the Noise app and the ability for women to log important information related to their menstrual cycles, called Cycle Tracking. These new features offered the company a good opportunity to emphasize its policies designed to protect what Apple’s senior vice president of software engineering, Craig Federighi, referred to as the most private of all types of personal information.

“Health is using machine learning on your iPhone to determine which highlights might be most interesting to you,” he said. “All of this health data is securely stored in your iPhone or encrypted in iCloud, and since there’s nothing more private than your health information, you control your data. You can decide if you want to share particular health data with select apps, if you’d like to share anything at all.”

Apple Login

Apple’s new login service is easily the biggest security and privacy announcement today. Social login options such as “Login with Facebook” are very popular because they bypass the need for users to create new identities on every single website they visit. In most cases, it’s a one-click profile creation system. But these are also very popular with companies like Facebook because they use this feature to track you and sell your information to marketers.

Apple’s promise is to not track users on “Sign in with Apple” and it will even create a buffer between consumers and the services they use. For instance, Apple will let you share your email account with a service if you want, but it can also generate a unique email address for you, which then forwards pertinent messages to your inbox.

As Gizmodo’s Patrick Howell O’Neill writes: “It’s a smart jab against spam: Not only will you be able to turn off spammy email more easily, but you’ll also be able to see who exactly is sharing and selling your email widely when that random address starts to get spam from companies buying up data.”

Find My

As someone who’s had to track down a stolen iPhone before, I’m a big proponent of Find My Phone. Apple announced an upgrade to this system that, at first blush, sounds a little nuts: the ability to locate an iPhone or MacBook, even when they aren’t receiving a signal, using other people’s devices.

According to Apple, this feature will work by forcing the device to occasionally transmit a “secure” Bluetooth signal. Other Apple products will sense the device and transmit its location.

“Let’s say you misplaced your MacBook. Even when it’s offline and sleeping it sends out a secure Bluetooth beacon that can be detected by other people’s Apple devices nearby. They can relay your MacBook’s location to the network and ultimately back to you so you can find it,” Federighi said.

“It uses just tiny bits of data that piggyback on existing network traffic so there’s no need to worry about your battery life, data usage, or your privacy,” he added, emphasizing the entire protocol is end-to-end encrypted and anonymous.

We’ve never seen a feature like this anywhere before, so it’ll be interesting to see how it works in the wild and whether it withstands attempts by independent researchers to exploit it.

Location Data

Apple is rolling out a simple, no-brainer update to the controls that users have over location data sharing. Finally, there’s a one-time location option.

“For the first time, you can share your location to an app just once and then require it to ask you again next time it wants it. If you do choose to grant an app the ability to continually monitor your location in the background, we’ll give you reports so you’ll know what they’re up to,” said Federighi.

He also noted that many apps try to bypass location-sharing restrictions by scanning for Bluetooth and WiFi signals in the area, which may reveal a user’s location. “We’re shutting the door on that abuse as well,” he said.

Kids’ apps

Lastly, Apple updated its policies on Monday, officially banning the use of embedded trackers in Kids Category apps. We knew this was coming last week, but now it’s official, and here’s the language: “Apps in the Kids Category may not include third-party advertising or analytics.”

Apple also advises developers to “pay particular attention to privacy laws around the world relating to the collection of data from children online.”

Parents should keep in mind that this policy does not apply to apps on kids’ phones that aren’t downloaded from the Kids Category. If you don’t want your kids to be tracked, you’ll have to remain vigilant in monitoring which apps they download.

Source: Kotaku.com

Update PCs Running Older Version of Windows Immediately

Those of you who are still running Windows 7 or earlier need to install critical patches that fix a recently-discovered security bug on older versions of Windows.

Earlier in May, Microsoft disclosed to its users that a serious security vulnerability—dubbed “BlueKeep”—was found on Windows 7 and other previous versions. BlueKeep could potentially grant hackers full remote access to someone’s PC through Windows’ Remote Desktop Protocol (RDP) by using code that exploits the vulnerability and spreads itself from one machine to the next (also known as a “worm”). Such worms have recently begun to appear online.

After the BlueKeep bug was discovered, Microsoft released patches for all affected versions of Windows on May 14. The problem is that only a small fraction of vulnerable users have installed these updates. According to Wired, a recent scan of Windows machines shows that at least 922,225 vulnerable PCs remain unpatched, though the actual number could be much higher. If you’re among the hundreds of thousands of users who have not updated your machine, do so now. The risk of keeping your PC unpatched is too great to ignore, even if you’re running a business and upgrading your stable of work computers is a lengthy chore.

For those who aren’t sure if you’re at risk, the computer security company McAfee released a tool that will check if Windows RDP is on your system. If it is, and/or you’re running Windows 7 or older, you need to download and install Microsoft’s patches right away to fix the bug.

Source: Kotaku.com

Prevent Amazon From Eavesdropping On Your Alexa Conversations

Fun fact: Snippets of your Alexa conversations may be heard and read by thousands of Amazon employees. According to recent reports, Amazon has an international team of employees who work to help Alexa better understand your many commands and develop new ways for the AI to interact with users. This requires them to listen to snippets of what your Echo speakers and other Alexa devices are recording. Sounds eerily familiar to us.

Not only are real people listening to you talk to (and around) Alexa, but the conversations they listen in on are being transcribed and annotated by Amazon’s employees. These transcriptions are then used to “teach” the Alexa AI to recognize more commands.

If you’re sketched out by this, we understand. Especially since what you say is only kind-of, sort-of associated with your account, as Bloomberg describes:

“A screenshot reviewed by Bloomberg shows that the recordings sent to the Alexa reviewers don’t provide a user’s full name and address but are associated with an account number, as well as the user’s first name and the device’s serial number.”

While you’ll never be able to stop Amazon employees from listening in on whatever you say to your Alexa, you can at least turn off any features that make this easier. For example:

  1. Open the Alexa mobile app
  2. Tap the Menu button in the upper-left of the screen
  3. Go to Alexa Account > Alexa Privacy > Manage how your data improves Alexa
  4. Turn off “Help develop new features” and “Use messages to improve transcriptions” for all profiles on your account

Bloomberg notes that Amazon’s team might still analyze your Alexa recordings “by hand,” but this at least opts you out of some facet of Amazon’s voice study. The only real solution at this point is to ditch your Amazon devices altogether, but adjusting these privacy settings should hopefully help keep unnecessary third parties out of your business a little bit.

Source: Kotaku.com

Man Pleads Guilty To Hacking Both Microsoft And Nintendo

A 24-year-old man from England has pleaded guilty to charges of hacking into both Microsoft and Nintendo’s servers, causing an estimated $3-4 million in damages.

As The Verge reports, Zammis Clark—a former security researcher at Malwarebytes—went before a court in London this week accused of accessing servers at both companies, stealing user information, accessing files related to unreleased products and illegally sharing login details.

He was arrested in June 2017 for his actions against Microsoft, which included hacking into servers that contained “confidential copies of pre-release versions of Windows”.

Yet after this arrest his online access went unrestricted, and in early 2018 Clark used a VPN to get access to Nintendo’s servers, including those used for “highly confidential game development”, and which held “development code for unreleased games”.

Despite his repeat offences, and the severity of them, Clark won’t be facing prison, at least in the near term. Because he is both autistic and has “face blindness”, the judge deemed that prison would pose a risk to Clark’s safety, and taken in light of his parent’s work in attempting to care for and rehabilitate him, decided to issue a suspended 15-month sentence.

You can read the full story at The Verge.

Source: Kotaku.com

How to Submit a Bug Report to Apple, Google, Facebook, Twitter, Microsoft, and More

Leaky security, hardware exploits, crashes, broken features—every piece of hardware or software is prone to bugs and vulnerabilities, and it’s likely you’ve had the misfortune of dealing with them at some point in your tech life. While most people grin, bear it, and wait for the problem to fix itself, you can also take a more active approach to bugs and other security disasters by reporting your findings.

The problem? You might not know how or where to submit a bug report when you encounter an issue. To make this process easier, we’ve taken a look at the most commonly used apps, services, and hardware manufacturers, and consolidated their bug reporting tools into one big list.

Some tips on bug reporting

Though our list explains how to submit bug reports for frequently used apps and services, it’s not exhaustive. If you don’t find what you’re looking for, here are some quick bug reporting tips and best practices:

  • Some apps and programs will allow you to send a crash/bug report directly. If you’re experiencing frequent crashes, and this option is available, take advantage of it. Oftentimes these auto-reports will include information you’d otherwise have to manually include, making the process much easier.
  • Write down (or take screenshots of) any pop-up boxes or error codes, if possible. Be detailed about what happened and how the bug, error, or crash occurred, and make sure to include your hardware/software specifications where applicable. These details will be helpful to include in your bug report (and might be required in some cases).
  • If you’re submitting a bug on a forum or message board, make sure to read any posting guidelines, which usually require you to run a preliminary search to see if your specific bug has already been reported. While repeat reports help a bug get fixed faster, some bug report forums have strict requirements for how to submit reports for the same bug or error.
  • If you’re looking for a company’s bug bounty program or how to submit a security-related vulnerability, these links can usually be found on Bugcrowd or HackerOne. Remember, these programs are geared more toward high-level issues and major bugs, not your average performance hiccups, and therefore have strict guidelines for submission.

How (and where) to submit bug reports

Adobe (Creative Cloud, Photoshop, Illustrator, Premiere Pro, Acrobat Reader, etc.)

  1. Visit Adobe’s bug submission and feature request form.
  2. Select the product from the drop-down menu and agree to Adobe’s terms and conditions.
  3. You’ll then be taken to the bug/feature request page for that specific product. Complete the form and submit.

Security vulnerabilities can be reported directly to PSIRT@adobe.com

AMD

  1. If you’re experiencing hardware issues or graphics-card related crashes, use AMD’s dedicated bug report survey page.
  2. Select your product.
  3. Follow the instructions to submit a bug or error report. Be sure to include any crash or error text.

AMD maintains the company won’t reply directly to bug reports, but more frequently reported issues have a higher chance of getting fixed in future updates.

Apple 

Asana

Dropbox

  1. Visit this page and create a new account for Dropbox’s support system.
  2. Fill out the form to submit a help ticket.

You can also contact Dropbox’s customer service, or search the Dropbox help desk for account- and feature-related questions or concerns.

DuckDuckGo

  1. Go to DuckDuckGo’s bug and security report submission form.
  2. Select either desktop- or mobile app-related bugs, or security vulnerabilities.
  3. Follow the instructions and fill out the required forms to submit your report.

Evernote

  1. Visit Evernote’s support page and log in with your Evernote account credentials.
  2. Submit your support ticket.

You can also send security vulnerabilities directly to security@evernote.com.

Facebook 

  1. Visit Facebook’s Help Center.
  2. Click “Reporting a Problem with Facebook” under the “Policies and Reporting” drop-down menu.
  3. Follow the instructions, fill out all required information, and submit your issue.

You can also send security vulnerabilities to Facebook’s Bug Bounty program, if you’d like a little return for your (qualified) efforts.

Google, Android, Chrome, and other Google Services

Google has lots of products, and some of them have dedicated bug submission pages, while the rest use a generalized submission form.

Chrome:

  1. Open Chrome on a desktop or laptop PC.
  2. Click the three stacked dots icon in the upper-right corner of the browser.
  3. Go to Help > Report an issue.
  4. Write your bug report, making sure to include as much information as possible.
  5. Click “Send.”

Android OS bugs and other Google apps/services:

  1. Visit Google’s page for reporting security vulnerabilities.
  2. Select the option that best fits your issue, and follow the instructions to submit your report.

Google also has a bug bounty program, which you can learn more about here. (You can also use the “Reporting Security Vulnerabilities” tool to send those in.)

Instagram

You can report your Instagram issues by doing the following:

  1. In the Instagram app, go to your profile.
  2. Tap the three stacked lines icon in the upper-right corner.
  3. Tap the gear-shaped Settings icon.
  4. Scroll down and tap “Report a Problem” in the “Support” section of your Options screen.
  5. Follow the instructions and fill out all required information.

If you’re looking to report a security-related concern, you can submit these to Facebook’s bounty program.

Lyft

Use this page to submit issues and bugs for the Lyft app and website. Lyft also has a bug bounty program, but it’s invite-only.

Microsoft

Windows 10

  1. Open the Windows 10 Feedback Hub from the Start menu or by typing “Feedback Hub” into the search field on your desktop’s taskbar.
  2. Click “Report a Bug” and follow the instructions to send in your issue.

Xbox

If you’re an Xbox Insider, you can report bugs by holding down the Xbox button on your controller and using the “Report a problem” option.

Security vulnerabilities

Mozilla

Netflix

Netflix lets users report playback bugs or performance issues through a simple online submission form, while its bug bounty program handles security vulnerabilities.

Nintendo

  • Submit software bugs, errors, hardware issues, and other concerns through the official Nintendo Support contact page.
  • On the other hand, bugs or concerns relating to the Nintendo website should be submitted through this web form.

Nvidia

PayPal and Venmo

Submit all bug and vulnerability reports to PayPal’s bug bounty program.

Reddit

Slack

Snapchat

Reporting a bug via the Snapchat app is actually kind of novel:

  1. Shake your device to pull up the “Bug and Suggestions” submission menu.
  2. Select the relevant option and make your report.

You can also send bug or vulnerability reports from your web browser with this web form, or via Snapchat’s bug bounty program on HackerOne.

Sony

General Sony products:

PlayStation:

  • Technical bugs related to PlayStation services and hardware can be submitted to PlayStation’s support team in several ways, including online, on Twitter, through email, chat, over the phone, and more. Check this page to find the method most relevant to you.

Spotify

Trello 

Learn about what makes for a great Trello bug report here, and then submit your issues via Trello’s support page.

Tumblr

Twitch

  • Send technical bugs and performance issues to Twitch support. 
  • Submit security vulnerabilities and bounties to Twitch via this form.

Twitter

  • Twitter’s help page has a dedicated bug report submission form for bugs related to both the web version and apps. You can also Tweet problems you’re having to @TwitterSupport.
  • Twitter has a HackerOne bounty program for finding, reporting, and fixing security vulnerabilities.

Uber

All security vulnerabilities can be submitted to Uber’s HackerOne bounty program.

Valve (Steam marketplace)

WordPress

Source: Kotaku.com

A Gamer’s Guide To Not Getting Hacked

If you play video games, you are an ideal target to get wrecked by hackers.

Sure, you’re tech savvy—you know what a hard drive is and have seen an HDMI cable or two in your day. Still, there are some unassailable, totally exploitable truths about gamers: They are very online. They log in to a lot of stuff. They have some money. They want to be better than other gamers. And they like to use the password “Dragon.”

This post originally appeared 5/1/18.

In 2018, hackers broke into thousands of Fortnite players’ accounts and siphoned hundreds of dollars at a time. How? Those players had used their username and password combinations somewhere else on the world wide web. And somehow, they got leaked. Now, they’re begging for big refunds and scurrying to protect themselves from further financial harm. It was a preventable disaster. And we’re here to teach you how to prevent it.

Here are some tips on how to stay safe while gaming.

What matters when it comes to security?

Everything matters. That sucks to hear, I know. Security is like a balloon. If there’s even one hole, it’s not a balloon anymore. When it comes to your gaming apps, if you have unique passwords on your Blizzard and Epic Games accounts, but not on your five favorite gaming forums’ accounts—and if you use those same passwords on PayPal, e-mail or Facebook—then you’re vulnerable to hacking.

Password leaks happen all the time on all sorts of sites. Hackers can input your niche Everquest forum password into, say, your banking site if you use the same password for both. And then you get screwed. It’s that simple.

Think about everything you have an account for. Your PlayStation Network account, your Microsoft account, your Battle.Net account, your Steam account, your Reddit account… when you add it up, that’s a lot of stuff! And each of these accounts contains at least a little personal information, whether it’s your first and last name or your credit card number.

It can seem really intimidating to stay vigilant about so many accounts, but with good habits in place, keeping everything in check can become second nature.

Where do I start?

Start with your passwords. We all know “Password123” is easy to guess. But so is “Dragon.” “StarWars,” “monkey” and “football” are extremely common for the same reason—turns out a lot of people like popular stuff. It’s also likely that your unique, fun password you’ve kept since the fourth grade—“Pikachu,” maybe—is just as easy to figure out.

You need to have crazy passwords for everything. According to our sister site Lifehacker, passwords that are long and include numbers, capital letters and symbols are great. Don’t use common phrases or words. BiRdSaNdBeEs_123 isn’t as great a password as bVWx633HVN7Z.a!=.

Changing your passwords is totally tedious, but on the back end of a security breach, extremely worth it. Spend a few days recording which websites and apps you use regularly. Likely, it includes some combination of Facebook, Gmail, Twitter, Reddit, YouTube, Discord and Amazon. For gamers, that list might include Battle.net, Steam or Xbox Live. Write all of it down. Then…

Download a password manager

You simply cannot remember 20 very strong passwords. If you can, your passwords probably aren’t strong. You need a password manager. And a lot of password managers can even help you come up with secure passwords.

Since browser-based password managers like the one in Opera have been hacked before, I recommend downloading a password manager onto your phone. I use LastPass. Other people like 1Password. That way, you’ll only have to remember the password to your password manager (or you can just use your fingerprint).

Enable two-factor authentication

Two-factor authentication is a fancy way of saying, “the app asks you to verify yourself.” All it means is that, when you log in to something, you’ll receive a text message or an e-mail with an additional code. You can also get a special app that generates this code on your phone. No one will be able to log into your account unless they enter that code into the client.

Opting in to two-factor authentication can mean the difference between someone else logging into your MMORPG account and stealing all your hard-earned gold and, well, that not happening. Getting a two-factor authentication code when you’re not trying to log into something is also a great way to know someone’s trying to hack you!

Lots of gaming apps let you enable two-factor authentication. Here’s a list from TwoFactorAuth.org plus links to instructions on how to enable it:

If you just scrolled through this and wondered, “Where’s League of Legends?” or some other service not listed, then I have some advice for you: E-mail them! Make sure they know you want this security feature. Basic two-factor is something worth demanding.

Opt out

Here’s a fun fact: Random Call of Duty players you add as friends on your PlayStation might be able to see your first and last name! Maybe that’s cool with you. Maybe it’s not. Either way, you should know whether you’re leaking personal information you don’t want leaked.

Your PlayStation, Xbox, Steam account, etc. all have privacy settings. The Switch has very limited customization options here, but that’s because Nintendo’s online service doesn’t show friends your real name, anyway. You should familiarize yourself with the privacy and security settings for all your gaming accounts and modulate them to your liking. The PlayStation Network’s settings, for example, ask whether you’d like people on your friends list to see your real name. Microsoft blocks Xbox users’ real names by default, although there was once a bug that temporarily revealed people’s names. Now on Steam, you can even hide how few hours you’ve actually played of PlayerUnknown’s Battlegrounds.

Recognize Phishing

Wow, free Fortnite V-Bucks! Booyah! All I need to do is enter my social security number into the website f0rtn1te.net!

Nothing cool is free in online gaming. Even if all your passwords are perfect and you have two-factor enabled on everything, that won’t stop you from falling for hackers’ tricks.

Any sites or people offering free video game skins, currency, etc. are shady, especially if a stranger messages links to you through an online game. If you receive an e-mail from a strange address telling you that your Elder Scrolls Online account has been compromised, and that you need to give them your username and password, type that address into Google to make sure it’s legit.

Sometimes, hackers will copy the look and feel of sites you frequent to make their scam seem legitimate. If a website starts with http:// and not https://, that can be a red flag. If the website is http://www.ep1cgames.com, and not https://www.epicgames.com, that’s a big red flag. If the website is asking you to download something before proceeding, and that something is not Adobe Flash Player, Google what it is before just automatically downloading it. Most computers these days come with decent antivirus software that will let you know whether you’re downloading insidious malware, but it doesn’t hurt to double up. Here are some good options.
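The two red flags above (plain http:// and a name like ep1cgames.com standing in for epicgames.com) can be checked mechanically. This is an added example, not part of the original article: the allow-list, the digit-to-letter table and the function names are assumptions made for illustration, and the domain extraction is deliberately simplified.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: the sites you actually log in to.
KNOWN_SITES = ("epicgames.com", "fortnite.com")

# Digit-for-letter swaps often used in lookalike names (assumed, not exhaustive).
SWAPS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def registered_domain(host):
    """Last two labels of the host. Simplification: real code should consult
    the Public Suffix List so that names like example.co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def red_flags(url):
    """Return the red flags found in url; an empty list means none fired."""
    if "://" not in url:
        url = "//" + url  # bare host such as "f0rtn1te.net"
    parts = urlsplit(url)
    flags = []
    if parts.scheme == "http":
        flags.append("plain-http")
    domain = registered_domain(parts.hostname or "")
    if domain in KNOWN_SITES:
        return flags
    # Undo the digit swaps and compare the name against each known site.
    skeleton = domain.rpartition(".")[0].translate(SWAPS)
    matches = [k for k in KNOWN_SITES if k.rpartition(".")[0] == skeleton]
    if matches:
        flags.append("lookalike-of:" + matches[0])
    else:
        flags.append("unknown-domain")
    return flags


if __name__ == "__main__":
    for sample in ("https://www.epicgames.com", "http://www.ep1cgames.com",
                   "f0rtn1te.net", "https://epicgames.com.login.example.net/"):
        print(sample, red_flags(sample))
```

The last sample shows why the check looks at the end of the hostname: a familiar name placed at the front of a longer host still belongs to whoever owns the final domain.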

Don’t put your personal information out there

A decade ago, your parents probably warned you about the “strangers” and “dangerous people” haunting AOL chatrooms. Maybe they said that telling MMO buddies your first name could mean inviting some 50-year-old mouthbreather to stand outside your window all night. We’ve been on the internet long enough to know that, for the most part, people who play games online are not going to stalk you because you told them what city you live in. That said, it’s hard to vet how safe online friends are. And it’s easy to leverage even the tiniest bits of personal information against someone.

Sometimes, even just knowing your mom’s maiden name can be the key to your goods. Other times, someone can impersonate you to your cell phone provider’s customer service rep using your birthday and the last four digits of your social security number. It might not even take that much. People voluntarily overshare on Twitter and Facebook all the time.

If you are playing video games online—or streaming yourself playing video games—here’s a handy list of topics to avoid to protect yourself from potential harm:

  • Your full name
  • The full names of the people closest to you
  • Your exact birthday
  • Your address or a picture of your home
  • Your phone number
  • Your social security number
  • Any banking information
  • Where embarrassing photos of you live
  • Physical places you frequent (i.e. schools, restaurants, stores)

Any combination of this information can spell out exactly who you are, where you live and how to find you. You will need to rely on your own judgment when it comes to trusting strangers. Suffice to say, there isn’t any reason to give out any of the above information to anyone you’re gaming with. (Bonus: You can get a gaming-specific VPN—or, a private network that masks where you are—to really protect yourself from getting tracked.)

Don’t do anything stupid, stupid

One time in 2008, I tried to pirate a copy of Spore and got a virus that bricked my computer instead. Did I deserve to have my $600 laptop destroyed? Probably not. But did I have it coming? Definitely.

Listen, if you’re trolling darkweb marketplaces for high-ranked League of Legends accounts, you’re inherently putting your security at risk. Games’ Terms of Service exist to protect developers, yes, but also, to protect gamers. If you’re doing something that flagrantly breaks a game’s Terms of Service, like purchasing in-game currency or installing cheat software, you could be giving an opening to hackers.


The sad, solemn truth is that it is impossible to account for everything. It really is. Good hacks happen to good, vigilant people. However, with these tips, you can exercise a little more control over the chaos that is the internet.

Source: Kotaku.com