If you are one of the estimated 320,000 Time Warner Cable customers whose email credentials were stolen last week, simply changing your email password is not enough to protect you from possible exploits by hackers.

Cybersecurity experts in Maine are advising all Time Warner customers using the company’s Roadrunner email service to take a number of steps. They include changing all online account passwords that were identical to the email password, using different passwords for all accounts in the future, and changing them regularly.

On Thursday, Time Warner confirmed that the passwords of as many as 320,000 of its residential customers nationwide who have email addresses through the company may have been stolen in a hacking attack.

The company would not confirm whether any of its approximately 380,000 Maine customers were affected, saying only that the breach included “residential customers across our markets.” Time Warner, the largest cable provider in Maine, has 16 million business and residential customers in 29 states, according to its website. The company also offers television, telephone and Internet services.

On Friday, a Time Warner spokesman said the FBI is leading the investigation, since the passwords were stolen from a third-party vendor and not from Time Warner itself.

Customers in Maine who use Roadrunner email addresses, which end in “maine.rr.com,” are at risk of their accounts having been compromised and should change their passwords as a precaution, the experts said.

Joshua Silver, who specializes in cybersecurity for the Bernstein, Shur, Sawyer & Nelson law firm in Portland, said there are several malicious things a criminal can do with access to someone’s email account.

“There’s actually a lot more value in email accounts than you might think,” he said. “Think of all the personal information that’s in your emails.”

One of the most valuable assets is the user’s list of email contacts, Silver said. It can be used to send “phishing” email messages that direct the recipient to download malware or visit a malicious website. Because the emails are being sent from the hacked user’s account, they appear to be coming from a trusted source.

The hacker also may attempt to impersonate the hacked user, he said. For example, the hacker may try to contact the user’s financial institutions using the email account to request sensitive information or funds.

John Forker, chief information security officer of the University of Maine System, said many online accounts use a person’s email address as their user ID. Therefore, a stolen password can give the criminal everything he or she needs to break into the account if its password is identical to the email password.

In other words, changing the email password alone isn’t enough.

“Change the password not only for that account, but for all other accounts that have the same password,” Forker said.

Another prevention tip is to use a different password for every account so the hacker cannot compromise more than one, said Jane Margesson, spokeswoman for AARP Maine. Many people – young and old – use the same passwords over and over, she said. Unfortunately, doing so turns the stolen password into a master key to access all accounts.

Passwords also should be changed periodically so that older ones, if stolen, will be useless to the thieves, Margesson said. “We strongly recommend that people change their passwords every six weeks,” she said.

If an email account containing sensitive information has been hacked, or is suspected to have been hacked, the user can contact the three major credit reporting agencies and have their credit reports frozen, Margesson said. Freezing a credit report prevents anyone from obtaining credit without a special code issued only to the legitimate account holder.

Freezing and unfreezing credit reports is free in Maine and can be done at any time, she said.

For more information, the AARP recommends contacting the Maine Bureau of Consumer Credit Protection at 1-800-332-8529 or the Maine Attorney General’s Office at 1-800-436-2131 or www.maine.gov/ag.

 

