One of the little known ways hackers can penetrate websites and spread Malware is through compromised FTP accounts.
FTP stands for File Transfer Protocol. FTP is used to upload and download files to and from a web server.
If you are using a shared hosting account, FTP is enabled by default and be a major risk to your website security.
Often these accounts credentials are shared on underground internet forums and the Dark Web.
The problem begins with weak passwords on FTP accounts and the ability of hackers to brute force or simply download FTP credentials online.
MILLIONS OF FTP ACCOUNTS EXPOSED
Recently we found a file with over ONE MILLION FTP account credentials in a free online forum. This means anyone with the list can log into the web servers, upload, delete or download anything they want.
They have complete control over the file system and is a little known way hackers use to steal credit cards.
Recently a client who was exposed to an FTP hack allowed them to steal credit card details very secretly from every order placed on their website.
Credit card information was sent to a backend server where the data was stored, sold and shared online.
The first step is, if you don’t use FTP is to simply change your FTP passwords to something strong, if possible remove any unused FTP accounts.
If you are unsure how to do this, reach out to your hosting provider and they will be able to do this for you.
If you want to use FTP, make sure you use STRONG passwords.
You can create strong passwords @ Strong Password Generator
Strong passwords means using a combination of numbers, letters (lower and upper) and special characters such as @, !, %, ^,& etc.
This makes brute force (many attempts to guess your password) much more difficult.
Passwords at least 32 characters are recommended. Even better use Password phrases (passphrase), these are much harder to be brute forced.
What is a PassPhrase?
A Password phrase is simply a phrase, which are generally much longer than typical passwords and are very difficult to brute force or guess.
Don’t use a common phrase like song lyrics or something easily guessed.
Bad Passphrase Example: Mary had a little lamb
Good Passphrase Example: Cap Bolt Don Single Time
Now, using a unique Password or Passphrase on each site you use is even more important.
Most data breaches where usersnames and passwords are stolen either go unreported or the reporting is delayed.
Yahoo suffered a data breach in 2013, it wasn’t disclosed for 3 years:
In August 2013, “malicious actors were able to gain access to Yahoo’s user database and took records for all existing Yahoo accounts,” which was approximately 3 billion, according to the settlement website. This data breach wasn’t disclosed until years later 2016 and is considered the largest hack in history.
https://www.usatoday.com/story/money/2019/10/14/yahoo-data-breach-117-5-million-settlement-get-cash-monitoring/3976582002/
Using a free password vault is the easiest way to keep track of your passwords.
Storing passwords securely so you don’t have to remember them and allow you to quickly login