Apple introduced two-factor authentication to its iCloud and Apple ID login today, adding a layer of security that was proven missing after Wired reporter Mat Honan’s iCloud account was broken into last year.

Two-factor authentication makes your accounts more secure because it’s just an added defense between your information and the bad guys. Some forms of two-factor authentication require that you have a separate dongle that flashes different security codes to enter before accessing your account. Others, such as Google Authenticator, generate these codes on an app on your phone, and others like Facebook send a text message with the code.

Apple will be using both the app and SMS versions, providing security codes through texts as well as the FindMyiPhone app.

You can set up two-factor authentication by going to the Apple ID website and clicking on the security tab. From there, Apple will ask you to identify a “trusted device.”

In 2012, we learned how easy it can be to get into an iCloud account when Honan’s digital life was erased in an instant. A hacker by the name of Phobia was able to access Honan’s Amazon account using social engineering. Once in, Phobia grabbed enough information about Honan to convince an Apple customer service representative that he was, in fact, Honan, changing his iCloud password over the phone. Once the password was changed, Phobia was in and remotely wiped Honan’s iPhone, iPad and Mac, all because Honan has a three-letter Twitter handle.

via 9to5 Mac; iPhone image via LJR.MIKE/Flickr

Do you know how many accounts you have with various websites and online services?

The answer is probably no, and that is why you — yes, you — are wide open to losing personal information.

Not knowing what data you have out there is a dangerous game. If your accounts share any common data at all, hackers who get into one of them can leverage that account to get into others. Shared passwords, shared secret answers for requesting password resets, even basic data like your address and social security number can be lurking on little-used accounts you haven’t logged into for months. Each one is a potential target.

That’s why the first step to increasing your security is to do a personal survey of all your online accounts, which at this point, you unfortunately have to do manually. Just going through your email and to see who is pushing you marketing material is a good way to get started.

If you’re like me, the number of accounts you have is far higher than you’d expect. I expected to find 20 accounts in my name; instead, I found 114.

That’s a lot of personal information I didn’t know about floating around the web. Indeed, LastPass, an online password manager, told me that the average LastPass account holds an average of 100 accounts.

“I probably have at least 150 accounts that I regularly use at least once or twice a year. I think it’s a massive problem,” said Shane Green, the chief executive officer at Personal, in an interview with VentureBeat. “We have literally infinite pieces of information about us spread out all over the Internet.”

Personal is one of Silicon Valley’s answer’s to poor account security and password management. The company offers a service to store all of your login credentials. Each credential is individually encrypted and accessible only by you — not even Personal can see your information. That means instead of 150 accounts, you only have to worry about one: Your Personal account.

The company recently released a feature called Fill-It that could help you with account organization even further. The feature lets you take encrypted information, such as your credit card and billing address, out of Personal and share it temporarily with another site, such as Amazon.com. Amazon never gets to keep that information, but instead it is able to temporarily read your Fill-It, complete the transaction, and forget everything it ever saw.

If you’re not into the big, scary encryption, however, and want something a little simpler, some simple maintenance might be the answer. Spend two or three hours tracking down all your accounts. After you’ve written them all down, separate them into categories of importance based on the information they hold.

• Highest priority: Your bank accounts and email accounts.
• High priority: Any accounts that hold credit card information is also of high importance. If you have stored your credit card on your favorite retailer’s website — or any other site — include it here.
• Medium priority: Any social media, note-taking, or content-storing apps should also be closely watched.
• The bottom rung: Those one-off daily-deals sites you’ve never used, magazines, sites that you signed up for just to enter a contest, and the like.

After you’re done sorting, then purge, baby, purge! Get rid of anything you don’t use weekly: Delete the account outright, or log into the account and delete all the personal information you don’t feel comfortable with.

If you really want to dig in deep, research what happens to your data when you close an account so you know how long your information is sitting out there.

Then come up with a password scheme: unique, difficult passwords for each site in the top tier and shared, easier passwords for the bottom tiers. You can save these passwords on websites such as LastPass if you have a lot of high priority accounts. But remember that services like LastPass and OnePassword protect all your passwords by using a password. You can also sign up for Personal’s beta.

“I do, however, think protecting all your passwords with a password [if you use a complex password] is radically better than how people do it today,” said Personal’s Green.

So, get account counting, folks. And tell us in the comments how many you find.

Created by Meghan Kelly; Original login image via Shutterstock

Jambox wireless speaker creator Jawbone is singing the blues today. It alerted users early this morning to a hack on its MyTalk network that left the actual names (not to be confused with usernames), email addresses, and encrypted passwords compromised.

The MyTalk network is where people can update their software, find and download apps for Jawbone’s device, and customize their device’s voice and language settings. Those products include Jawbone’s Jambox speakers and headsets. One customer, Dave Zatz, posted the message he received from Jawbone on Twitter. It reads, in part: ”Based on our investigation to date, we do not believe there has been any unauthorized use of login information or unauthorized access to information in your account.”

It continues to say that the password has been “disabled” and you can reset the password by visiting the user reset page and completing emailed instructions.

Of course, if you use that password on any other websites, you should change it immediately. One of the first things a cyber-criminal will do with your password is try it on other websites. And though Jawbone says that because your password was taken was encrypted and none of “the actual letters and numbers in your password” were revealed, hackers have ways to decrypt information.

As The Verge notes, however, it doesn’t seem this hack affected all Jawbone customers. According to a statement provided to the Verge, Jawbone says that the attack was “identified within hours” and subsequently blocked.

Jambox image via Jawbone

Twitter announced in a blog post today that it recently detected “unusual access patterns” — meaning it was being hacked.

The company was able to shut down one attack while it was in progress, but discovered that up to 250,000 accounts had been compromised. Hackers got away with usernames as well as session tokens and hashed passwords. As a safety measure, Twitter says it shut down those affected session tokens and has reset the hacked accounts.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” said Bob Lord, Twitter director of information security in the blog post. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information.”

Companies tend not to discuss attacks as they happen so as to not tip off the hackers or disrupt an investigation. In the wake of both The New York Times and the Wall Street Journal admitting to hacks, it seems now is not the time to keep quiet. Lord went on to say that Twitter is “helping government and federal law enforcement in their effort to find and prosecute these attackers” and further urged people to turn off Java after a number of critical vulnerabilities were found in the Oracle product.

You will likely be notified soon if you haven’t already that your account was compromised. Twitter says you will need to reset your password as you will no longer have access to your account as it stands.

Twitter did, however, choose a funny title for its blog post: “Keeping our users secure.” Marco Arment, the founder of Instapaper, poked fun at Twitter’s attempt to hedge the hack tweeting, “Calling this ‘Keeping our users secure’ is like having just your garage burn down and announcing, ‘Preventing fires.’”

Twitter image via Jolie O’Dell/VentureBeat

Identity is one of the biggest problems on the internet right now. Not only do people not know where all their accounts are across the web, they often store the passwords to those accounts in files, emails, or on paper.

Companies like Ping Identity, Okta, and others are coming out of the woodwork to try and solve this issue of identity, particularly for enterprises that often have employees signing into a number of different applications throughout the day. Those companies don’t want login credentials — the gateway to their data — just lying around. And they often want to be able to manage and shut off access to certain accounts when needed.

Passwords are now getting the brunt of the blame for weak login security. VentureBeat chatted with Ping Identity’s chief executive Andre Durand to talk about the biggest needs in identity, if the passwords needs to finally kick the bucket, and what companies can do to manage employee accounts. Durand has three steps to a more secure online identity:

1. Companies need to separate “identities” from applications
2. Companies need to get rid of passwords all together
3. Companies need to focus on and enforce their own standards, or policies

Check out the video for more:

Video via livex.tv

Today, we offer you a happy story about getting your funds locked down in PayPal. No, seriously.

According to All Things D, David Marcus, PayPal’s new president, is stepping in where his customers service fails. He sent out a personal e-mail to Build Conference creator Andy McMillan after the distraught PayPal user nearly lost $62,000 when two of his accounts were locked down. After many attempts to get on the phone with customer service, he finally consulted the Twitterverse and received a call from PayPal the next day, informing him that his funds went bye-bye and he wouldn’t get access to his account.

That’s a pretty big bummer when there are tens of thousands of dollars involved.

Marcus then stepped in with this letter:

Andy — the team will reach out between now and Monday, and they will lift all holds/limitations, and release all of your funds. If anything, please know that I’m not going to use your story to radically change how we deal with holds, and communicate with our customers. I’m driving a lot of changes at PayPal (I took over 5 months ago), and I hope that over time we will earn your turst again. Not with words, but with delightful products, and amazing service.

If you believe in this, I’d like to enroll you to help me out. I’d like you to keep accepting PayPal for payments, and now that you have a direct channel with me, give me feedback so I can get it directly from the outside. If you accept to do this (I would completely understand if by now you wouldn’t want to deal with PayPal ever again), you have my commitment that I’ll look after you account personally, and ensure this will never happen to you again. Again — would completely understand if you didn’t want to do this. I’m just trying to leverage the issues you went through to radically change our approach, and fix this for all of our customers for good.

Please confirm when you have access to your funds again so I know you’re good on that front. And again, don’t hesitate to contact me anytime. You now have my mobile number.

Have a great weekend.

David.

Sent from my iPad

I had to include that last part.

PayPal tapped Marcus to become president in March. He was previously the vice president of mobile, who released PayPal’s “Here” product, a competitor to Square. At the launch he told VentureBeat that PayPal is looking to change a lot of things, including the fact that design isn’t associated with the name PayPal.

“When you think about PayPal two years ago, the first thing you think about is not design. We want to change that,” he told VentureBeat at the time. “We want to go down to the last little pixel and make sure the UI is perfect.”

Even if this was a PR stunt — which it may not have been — Marcus obviously wants “good customer service” to be associated with his company. What president wouldn’t?

via All Things D; hat tip The Next Web; David Marcus image via Robert Scoble/Flickr

Now Barracuda, the security company, has done some research on the Twitter black market: buying and selling followers. The results don’t look pretty for Republican presidential candidate Mitt Romney, who looks to have acquired a significant number of fake followers, and security expert Gregory D. Evans, who Barracuda says probably purchased followers at least four times.

Social proof, baby. At prices of just $18 for 1000 followers, it’s cheap to look like a big deal.

But there’s big money in it for dealers, the people who create and sell fake Twitter accounts. Barracuda says they can make up to $800/day if they control as few as 20,000 fake accounts. Dealers do have to work for their pay, however: Twitter keeps finding and taking down fake accounts, so there is constant churn.

How can you tell if an account is fake? There’s no complete hard-and-fast rule, but here are some guidelines. Fake accounts usually:

• follow quite a few people, but generally fewer than 2001
• are young, having been created an average of 19 weeks ago
• have few tweets, or, if there are many, they look automated
• may not have a picture in the profile

Here’s the infographic Barracuda produced from their data:

The biggest question users have when this happens: have MY username and password been released?

A number of services can answer that. One is Should I Change My Password, which has two great features that differentiate it from some others.

One is the ability to check anonymously based on email address, which many people have as their username for online services. This is helpful, because you don’t have to enter your password into the service (which you don’t know if you can trust or not) to check if your password has, indeed, been compromised. Secondly, you can sign up to receive notifications in the future if your email address is ever involved in another hacking incident.

Simply go to Should I Change My Password, and enter your email address:

The site automatically checks you against millions of emails and passwords leaking in numerous security breaches.

If your email address is among those that have been hacked and released, this is what you’ll see. (I checked it myself with an old email address that I knew had been previously compromised.)

While investigating the breach and writing my story last night, I personally downloaded a few hundred thousand of the usernames and passwords and tried (unsuccessfully) to log into a number of Yahoo accounts.