(Credit: Rawpixel.com/Shutterstock)

The past few years have taught us a lot about online security. Junky re-used passwords are going extinct in favor of password managers, and two-factor authentication is adding an additional layer of security to protect your banking, shopping, email, and more. But sometimes the things that protect us can be targeted themselves.

SEE: How to beef up your Chrome and Firefox security in 2018

Today, the company behind the AdGuard ad blocker announced that an unknown group of hackers recently attempted to breach its security systems, using a list of passwords and usernames from elsewhere that it apparently hoped would work here. (Given how often people keep using the same passwords for all their accounts, and given how such passwords tend to be easy to crack, it's not a crazy strategy.)

These lists of passwords and usernames come from other hacks, like those inflicted on Yahoo, Adobe, and other places, after which they're bundled into a single downloadable file that floats around on the often sketchy part of the Internet known as the "dark web." This is why users are often urged after a breach to not only change their password but to never use that specific one again.

AdGuard felt compelled to go one step further and reset all of its account passwords. Co-founder and CTO Andrey Meshkov said that their rate limiter (a filter that determines how many times a password entry can be attempted in a given period of time) wasn't enough because of the hackers' password database: "[R]ate limiting is not enough when attacker already knows what password to use. Unfortunately, this seems to be the case. The pairs of email/password used by intruders belong to known databases of leaked accounts."

You might ask yourself, "Why does an ad blocker need a password, or an account?" It turns out that the browser extension for AdGuard is one of several forms that the ad blocker comes in. The company's pride and joy appears to be AdGuard for Windows, which is a desktop app that blocks ads at the system level. It charges a monthly fee to use the blocker, or you buy a lifetime license. Then AdGuard uses an account login system as a form of DRM.

If an unauthorized person gains access to this system, then they could get access to your payment info, if you've told AdGuard to store that information. Customers can pay via wire transfer, PayPal, or by giving AdGuard your credit card details. It's this last option that would be a target for thieves, since PayPal has its own separate security system that makes it harder to crack.

In the wake of this hack, in addition to resetting all account passwords, AdGuard also now has stricter requirements for password quality. The company has also integrated the services of HaveIBeenPwned to check if the password you've chosen has already shown up in a previous hack elsewhere on the Internet.

Meshkov adds, "After this accident, we strongly considered introducing the two-factor authentication. We physically can't implement it in one day, but this will be our next step, and we will let you know about it as soon as it's done."

With two-factor authentication (2FA), you use a temporary one-time code that you enter after you've entered your password. Ideally, this code comes from an app rather than via an SMS text message. App-based 2FA is highly preferable because the codes are generated on your device, rather than being sent to you. Codes that are sent can be intercepted, or simply fail to arrive due to cell network issues.

FOLLOW Download.com on Twitter for all the latest app news.

What should AdGuard users do?

If you are an AdGuard user, all you should need to do is create a new password, albeit one preferably generated and stored in a password manager such as Bitwarden (Android, iOS, Windows, Mac) or LastPass (Android, iOS, Chrome, Firefox). This tool, in the form of a browser extension or an app, can create long passwords that are very difficult to crack, and the only password you need to remember is the one for the manager itself.

When you come upon a login screen for which you have a stored password, you can tell the extension or app to paste yours right in.

We'd also recommend taking advantage of two-factor authentication as soon as AdGuard implements it. If you have given AdGuard your payment info, we'd also recommend switching to using PayPal, if possible -- assuming that you're using strong passwords and 2FA for PayPal as well. Unfortunately, PayPal still does not employ app-based 2FA, but it's better than nothing.

The takeaways

  • AdGuard has reset all account passwords for its ad blocking service, in the wake of a hack attempt.
  • The company has also increased the requirements for new passwords, and it may be implementing two-factor authentication in the near future.
  • Customers are encouraged to use a password manager like Bitwarden or LastPas to create strong passwords and store them safely.

Also see

Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.