JerseyMail Account Recovery after the Heartbleed Bug

Hundreds of JerseyMail users had their account credentials compromised and need to take additional steps to secure connected accounts.

Posted 16 April 2014

JerseyMail users got some bad news recently. The local email service provided by Jersey Post was affected by the Heartbleed bug. Users have now received basic advice for resetting email passwords but need to take additional steps quickly.

Basically, many computer servers failed to correctly limit the length of certain types of responses and returned far too much information in reply to specially crafted requests. What information? Anything that happened to be stored in the server’s temporary memory, including user account credentials. As a result, more than 400 local accounts were compromised and usernames and passwords leaked. JerseyMail did nothing wrong here; computer bugs happen and this was a particularly bad one. Whoever carried out this attack on the JerseyMail server(s) is also reported to have deleted customer emails. JerseyMail clearly follows best practices for this kind of thing and has restored deleted emails, presumably from backups.
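The missing length limit described above, shown as an added example that is not code from JerseyMail or from any affected server software. The two-byte length prefix, the 64-byte "arena" standing in for server memory and the fake credential are all assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: the request is stored at the
   start and unrelated data (a fake credential) sits directly after it. */
#define ARENA_SIZE 64
#define MAX_REQ    32
static uint8_t arena[ARENA_SIZE];
static const char SECRET[] = "pw=Constructed-Secret";

static int load_request(const uint8_t *req, size_t req_len) {
    if (req_len < 2 || req_len > MAX_REQ) return -1;
    memset(arena, 0, sizeof arena);
    memcpy(arena, req, req_len);
    memcpy(arena + req_len, SECRET, sizeof SECRET - 1);
    return 0;
}

/* Toy layout (assumption): bytes 0-1 = claimed payload length, big endian,
   followed by the payload the server is asked to echo back. */
static size_t claimed_len(void) { return ((size_t)arena[0] << 8) | arena[1]; }

/* Flawed: echoes as many bytes as the request claims to contain. */
size_t echo_unchecked(const uint8_t *req, size_t req_len, uint8_t *out, size_t cap) {
    if (load_request(req, req_len) != 0) return 0;
    size_t n = claimed_len();
    if (n > cap || n > ARENA_SIZE - 2) return 0;   /* keeps this demo inside arena */
    memcpy(out, arena + 2, n);                     /* may run past the real payload */
    return n;
}

/* Corrected: a claim larger than what actually arrived is discarded. */
size_t echo_checked(const uint8_t *req, size_t req_len, uint8_t *out, size_t cap) {
    if (load_request(req, req_len) != 0) return 0;
    size_t n = claimed_len();
    if (n > req_len - 2 || n > cap) return 0;
    memcpy(out, arena + 2, n);
    return n;
}

int main(void) {
    const uint8_t req[] = { 0x00, 0x14, 'h', 'i' };  /* claims 20 bytes, sends 2 */
    uint8_t out[ARENA_SIZE];
    printf("unchecked: %zu bytes, checked: %zu bytes\n",
           echo_unchecked(req, sizeof req, out, sizeof out),
           echo_checked(req, sizeof req, out, sizeof out));
    return 0;
}
```

The unchecked handler returns the two real payload bytes followed by eighteen bytes of whatever was stored next to them, which is why everything held in server memory at the time has to be treated as exposed.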

Resetting email passwords isn’t good enough

If you were affected, you should have received an email from JerseyMail by now telling you to “Change your password ASAP”, with the recommendation that it “…needs to be 8 characters long, different to any previous passwords used, mix of alpha, numeric and punctuation characters”. This isn’t quite good enough and you should be taking several additional steps not yet mentioned.

Users with compromised accounts must assume that the attacker was also able to access any third-party accounts connected to the JerseyMail accounts. For example, you probably use your email address to log in to a banking website, or Apple’s iTunes store, or Amazon, or other services like that. Now if an attacker has stolen your credentials and logged in as you, she can click the “forgot password” link for those services and have a password reset email sent. Since the attacker already has your email account under her control, she can quickly leverage this to take over more of your accounts.

Check Account Recovery settings, too

Setting aside the obvious need to change passwords for a moment, let’s look at another big problem. Accounts usually have a recovery option. It may be a secondary email address, a set of security questions, or something else. This will vary by service but you must also check that these are correct. If you reset your password and the attacker has changed your security questions or secondary email, you will quickly lose control of your account again.

Check account recovery settings first and make sure that they are correct. Forget about answering security questions truthfully, too. Pick something like “Favourite colour = SaintOuensBay” and not “Favourite colour = blue”. Use obfuscation as an additional layer of security. And never re-use passwords between services. Attackers always test for this first thing and you are making it too easy for them to succeed.

Final steps

Once you have logged in to your JerseyMail account and reset your password and verified account recovery settings are correct, you must also do the same for your connected accounts. Sure, it is tedious but realistically this should only take 30 minutes or less. And if you don’t bother, you will be spending a lot longer than 30 minutes dealing with a compromised bank account or a bunch of unauthorised charges on connected accounts.

This is also a great time to start using a password manager, or at least let your browser store passwords so you can have a strong, unique password for each site without having to memorise them all. This isn’t perfect but it probably beats your current methods.