Category Archives: Financial security

What Is a Credential Stuffing Attack and How to Protect Yourself from One

You have probably heard of at least one credential stuffing attack lately, as major companies become targets of this new hacking technique. Credential stuffing is not actually new to hackers’ repertoire, but lately the method has been employed more often. I’ll explain the reasons for this surge in popularity below.

Have you noticed those news stories where users report their accounts being hacked, but the companies hosting those accounts insist that nothing is wrong? In all of these cases where companies seem to be unaware of the data breach, the culprit is most likely a credential stuffing attack. If hackers are mimicking the users’ identities, it’s hard for the system admins to notice the attack until it’s too late.

Since many of you emailed us inquiring about credential stuffing, we’ve put together this protection guide on everything you need to know about these attacks and how to better secure your sensitive data.

Read below more details on this cyber attack and apply our actionable security measures that will help you avoid becoming an easy target for cybercriminals.

What Is Credential Stuffing?

In every major data breach, when hackers successfully break into the systems of a major company, they gain access to a database of user and password combinations. Some of these login credentials are then published for the entire world to see, as in the RockYou data breach of 2009, which published over 30 million records.

Other times, this sensitive data (the credentials for logging in) is obtained not by breaking into a company’s systems, but through phishing attacks. Regardless of how exactly the data is obtained, credential stuffing refers to the hacker’s attempts to take the accounts and passwords already exposed and use them to log in to other websites.

The act of attempting to log in with such a large number of stolen credentials against other websites is best described as trying to stuff them everywhere, hence the name of this hacking technique.

The attackers’ premise turns out to be correct: Internet users continue to (re)use the same passwords for multiple accounts over and over, and they don’t develop strong password hygiene. This makes it easier for malicious actors to gain unauthorized access to important accounts after cracking open a less important one (like a loyalty program for yogurt or something equally nonconsequential). In the end, like in most other hacking attacks, the attackers can steal your money or your identity.

Since the last months of 2018, credential stuffing attacks made the headlines time and time again. The first months of 2019 showed no halt to the spread of these cyber threats.

On one hand, the tools which hackers need for this kind of attack have become better and cheaper to use. On the other hand, conducting other kinds of attacks has become more labor-intensive and costly for hackers.

Examples of Major Credential Stuffing Attacks

HSBC was targeted by a major credential stuffing attack towards the end of 2018, putting the financial security of its customers at risk. DailyMotion, the video hosting giant, was forced to shut down its website temporarily in January 2019, due to a massive credential stuffing attack.

In February 2019, Dunkin Donuts was the target of a second credential stuffing attack in the course of only three months. The company was just starting to contain the damage from last autumn’s credential stuffing incident. They reported that attack in late November 2018, although the breach happened at the end of October. That’s how long it can take a security team to realize something is wrong when the hackers are using legitimate but stolen credentials.

The beginning of 2019 brought similar attacks to other major companies, too. Reddit users found themselves locked out of their accounts while hackers were stealing their data. Deliveroo customers also found themselves paying for orders they hadn’t placed, due to hackers gaining access to their accounts via credential stuffing.

Basecamp was under attack as well, seeing a dramatic spike in login attempts over the course of only a few hours. The giant advertising company Sizmek was also breached at the beginning of March 2019. A Russian hacker was selling controls to its ad campaigns via a virtual dark hat auction house. The tax information of many users was also breached on the website of software giant TurboTax.

The trend of credential stuffing attacks scaling up doesn’t seem to be slowing down anytime soon. The tools for collecting breached data have become more and more powerful, and hackers have become more skilled at it. A record number of hacked credentials have been published online, hosted by the MEGA cloud service.

This so-called ‘Collection #1’, as the root folder of this data compilation is named, is believed by experts everywhere to be the most severe so far. Previous hacked credential lists such as the Anti Public Combo List or the list are modest in comparison.

Out of the 773 million accounts compromised, not all of them had the same credentials anymore, which is good news. Security researcher Troy Hunt was dismayed to find some of his own personal information in the hacked data collection, but luckily with an older password which he wasn’t using anymore. Still, most of the information in the data breach is probably still valid or can be used by hackers to infer the valid data based on it.

We can only assume that there are similar collections floating out there which haven’t been uploaded online for free yet.

How Does a Credential Stuffing Attack Work?

There are several popular tools used for credential stuffing attacks, and most of them can be downloaded free of charge. Sentry MBA, Vortex and Account Hitman are the best-known examples. Any would-be hacker can set up one of these malware tools and start trying to break into new accounts using old credentials.

If you think two-factor authentication can protect you, I’m sorry to disappoint. Sentry MBA claims to be able to bypass Captcha challenges, as well as TFAs. Intelligence data also indicates multiple instances of attacks where two-factor authentication was circumvented by attackers. Even though enabling TFA was the go-to security advice for years, the protection it brings has started to wear thin.

While the software to be used for credential stuffing is free, the credentials need to be downloaded for a price. Depending on how many credentials the hacker wants to use, an attempt to hack into several accounts can start for as low as $10. For the most exhaustive data package, hackers can be required to pay around $2,999. This sum is reported to give them access to over 3.8 billion credentials.

Nonetheless, there’s always the free option of using the credentials disclosed in the massive data collections discussed above. As you can see, conducting a credential stuffing attack is becoming more and more simple and affordable.

The more people reuse the same passwords, the more rewarding credential stuffing can get, which means that user behavior remains the main source of power for this kind of attack.
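Seen from the defender's side, the replay of leaked pairs described above leaves a recognisable trace in login logs even though each individual attempt looks ordinary: one source trying many different usernames once or twice each, almost all failing. The following is an added example, not part of the original article; the log layout, thresholds and function names are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-03-01T10:00:01 203.0.113.7 alice FAIL
2019-03-01T10:00:04 203.0.113.7 bob FAIL
2019-03-01T10:00:09 203.0.113.7 dave FAIL
2019-03-01T10:00:13 203.0.113.7 erin FAIL
2019-03-01T10:00:18 203.0.113.7 frank FAIL
2019-03-01T10:00:22 203.0.113.7 carol OK
2019-03-01T10:00:27 203.0.113.7 grace FAIL
2019-03-01T10:00:31 203.0.113.7 heidi FAIL
2019-03-01T10:01:00 198.51.100.20 ivan FAIL
2019-03-01T10:01:20 198.51.100.20 ivan OK
2019-03-01T10:02:00 198.51.100.20 judy OK
2019-03-01T10:03:00 192.0.2.50 admin FAIL
2019-03-01T10:03:02 192.0.2.50 admin FAIL
2019-03-01T10:03:04 192.0.2.50 admin FAIL
2019-03-01T10:03:06 192.0.2.50 admin FAIL
2019-03-01T10:03:08 192.0.2.50 admin FAIL
2019-03-01T10:03:10 192.0.2.50 admin FAIL
malformed line that the parser skips
"""

# Assumed thresholds; tune them against your own baseline traffic.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5   # many different accounts from one source
MAX_TRIES_PER_USER = 2   # each leaked pair is tried once or twice, not guessed
MIN_FAIL_RATIO = 0.8     # most replayed pairs no longer work


def parse_log(text):
    """Return time-ordered (timestamp, ip, user, ok) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3] == "OK"))
    return sorted(events)


def detect_stuffing(events):
    """Flag sources whose attempts within WINDOW match the stuffing pattern."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most WINDOW.
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            window = evs[start:end + 1]
            tries = Counter(user for _, _, user, _ in window)
            fail_ratio = sum(not ok for *_, ok in window) / len(window)
            if (len(tries) >= MIN_DISTINCT_USERS
                    and max(tries.values()) <= MAX_TRIES_PER_USER
                    and fail_ratio >= MIN_FAIL_RATIO):
                findings[ip] = {
                    "users_tried": len({user for _, _, user, _ in evs}),
                    # Logins that succeeded from a flagged source: these
                    # accounts need a forced password reset and review.
                    "successful_logins": sorted(
                        {user for _, _, user, ok in evs if ok}),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The single-account guessing from 192.0.2.50 and the mistyped password from 198.51.100.20 are deliberately not flagged, because they do not match the many-accounts pattern. A per-source check is one signal only; when attempts are spread over many source addresses, the same distinct-username and failure-ratio counts have to be taken site-wide.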

[Figure: graph of the costs and steps of a credential stuffing attack]

Why Is Credential Stuffing on the Rise?

In a nutshell, credential stuffing is becoming more popular among hackers because the technique is pretty straightforward and simple. As security solutions increase in complexity with top features, hacking into a system with sophisticated methods has become increasingly hard.

It’s much more cost-effective and easy for hackers to break into a system using basic methods, and relying on the weakest link: people. People are always one of the main security liabilities in any company or group. No matter how advanced your next-gen AV protection and detection solutions are, if a user behaves in a risky manner, this creates a security gap which malicious third parties can quickly exploit.

In the case of credential stuffing attacks, a malicious actor can set the same passwords for multiple accounts, or even vary the characters only slightly. Weak passwords are one of the most common mistakes people make, according to the top security experts we interviewed for a past guide.

How to Protect Yourself from Credential Stuffing

We know that nowadays each of us manages multiple online accounts. Enjoying the benefits of digital existence to the full also means creating an account for many different services. Besides your main email and social media accounts, you will be invited to create an account for the following types of services:

  • Various loyalty programs for the offline stores you shop from;
  • Online retail shops;
  • Online entertainment providers (think Netflix);
  • Data storage or compression tools;
  • Public institutions prompting you to log in before you can view reports;
  • Many online tools which require registration before you can use them.

If you think about it, you probably have more accounts created and rarely visited than you initially thought. Studies show that the average home user has around 120 online accounts associated with the same email address, while the average business user handles around 191 accounts. Obviously, no one can remember so many different passwords by heart, in the way we should if our accounts are to be as secure as possible.

According to a survey conducted by BuzzStream, many of us would give up pizza for the sake of having to go through fewer logins. We all know the feeling, right? Well, the good news is that you don’t actually have to remember so many passwords in order to be safe from credential stuffing and other malware attacks. Here’s what you can do to better protect yourself (and your important information) from these cyber attacks:

1. Use a strong password manager

Credential stuffing attacks rely on your previously inevitable need to set the same password or similar passwords for multiple accounts. But since password managers have been around, you don’t actually need to know so many different passwords by heart.

Just pick a good option; there are plenty of reputable and even free password managers to choose from. If you want to be extra cautious, there’s also the alternative of keeping your passwords stored in two separate password manager tools. That way, if something happens with one of the solutions you were using, you have a plan B.

2. Set only strong and unique passwords for your online accounts

Resist the urge to use your go-to password, or one which holds personal significance to you. Users are many times tempted to use a so-called keepsake password, as highlighted by Prof. Ian Urbina’s research.

As much as I’m swooning for this beautiful display of humanity, as a fellow anthropologist, I have to advise you to refrain from it for cybersecurity purposes. If you care about your online security, make sure you set only strong and unique passwords that will be difficult for cybercriminals to break. Also, remember not to use default passwords, because they’re the first ones attackers will try to unlock your accounts and devices with.

3. Go through your accounts and reset all passwords

Periodically resetting your passwords is an essential part of any cybersecurity hygiene checklist. Many high-profile companies have an internal security policy making it mandatory for employees to change their passwords every 6 months. They’re also required not to use their work passwords for their personal accounts, but unfortunately, some of them break this rule. That’s what keeps credential stuffing attacks a viable hacking technique.

Reset all passwords in a periodic digital clean-up. Make sure you use a different one for each account, just in case the server gets hacked. Since you’ll be using a password manager and you only need to remember one master password, just go ahead and use the random password generator for each account. This way, you can be sure you have a strong password.

4. Enable two-factor or multi-factor authentication where you can

The two-factor authentication system may not be 100% secure, but it will make it more difficult for cybercriminals to breach your digital accounts. Hackers have already come up with creative means to circumvent it. But this doesn’t mean you shouldn’t add it whenever possible, since more layers of security are still better than fewer. Multi-factor authentication is always better, so opt for it when you can to enhance security.

5. Make sure your threat prevention and detection are also flawless

We don’t need to stress how important it is to have multiple layers of security on all your devices which connect to the Internet. You need both an antivirus solution and a shield on top of it, like our Thor Vigilance and Foresight security products. Find them both in the Thor Premium package, the all-in-one and complete online solution for home users.

We urge our users to always keep their apps and programs up to date, because these updates include both security and feature patches, and will improve the software programs used. An automatic software updater (like our Thor Free) is also highly recommended to improve your security.

6. Don’t connect to public Wi-Fi networks and be cautious

Public Wi-Fi networks are one of the biggest security risks for your system. If you use them to log in to any account, you can be almost sure your credentials will wind up in a data collection sooner or later. If you absolutely need to connect to one, always use a VPN solution and reroute your traffic through it.
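For tips 2 and 3 above, it helps to know which of your accounts actually share a password, either identically or with only slight character changes, because those are the accounts one leaked password opens. The following is an added example, not part of the original article: it audits a password manager export locally and reports site names only, never the passwords. The CSV layout, the normalisation rules and the function names are assumptions, and the sample export is constructed.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed export in a hypothetical "site,username,password" CSV layout;
# real password managers each use their own column names.
SAMPLE_EXPORT = """\
site,username,password
mail.example,ana@example.com,Sunshine2018!
shop.example,ana@example.com,Sunshine2018!
bank.example,ana,sunsh1ne2019
forum.example,ana_k,S0nnenschein#
loyalty.example,ana@example.com,Sunshine1
video.example,ana,kT9$wq-Lm2@xVr7e
"""

# Common character substitutions undone before comparing (assumed rule set).
LEET = str.maketrans("01345@$7", "oieasast")


def base_form(password):
    """Reduce a password to the word it was built from.

    Strips leading/trailing digits and symbols, lowercases, and reverses
    simple substitutions, so 'Sunshine2018!' and 'sunsh1ne2019' compare equal.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    if not core:  # all-digit or all-symbol passwords: compare them as they are
        core = password
    return core.lower().translate(LEET)


def audit(export_text):
    """Return groups of sites sharing an identical or near-identical password."""
    exact = defaultdict(list)
    near = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        exact[row["password"]].append(row["site"])
        near[base_form(row["password"])].append(row["site"])

    exact_groups = [sorted(sites) for sites in exact.values() if len(sites) > 1]
    already_reported = {frozenset(group) for group in exact_groups}
    near_groups = [
        sorted(sites)
        for sites in near.values()
        # Skip groups that are nothing more than an exact-reuse group.
        if len(sites) > 1 and frozenset(sites) not in already_reported
    ]
    return {"exact": sorted(exact_groups), "near": sorted(near_groups)}


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for group in report["exact"]:
        print("identical password on:", ", ".join(group))
    for group in report["near"]:
        print("slight variations of one password on:", ", ".join(group))
```

Every site in a reported group should get its own randomly generated password; the export file itself holds every password in plain text, so delete it once the audit is done.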

I got in touch with other cybersecurity experts and they all concur about these basic steps for protection. Here’s how Sergiu Gatlan from Bleeping Computer summarized it:

“The most important measure users can take to protect themselves against credential stuffing attacks is to turn on two-factor authentication (2FA) or multi-factor authentication (MFA) on all services that support it.

Making sure that they never use the same password on more than one online service is another important action to take if they want to prevent malicious actors from being able to use stolen credentials in future attacks.

Subscribing to notification services such as Troy Hunt’s to be informed when one of their accounts is part of a security breach could also help by allowing them to quickly change compromised passwords as a precaution.”

To go the extra mile and make sure your password is secure, read our password security guide and learn how to manage your passwords like a pro. Still, as long as you follow the steps we highlighted above, you’ll be safer from credential stuffing attacks than you ever were.

We’ll keep you updated on the state of ongoing attacks, so feel free to email us for any questions or concerns you might have. We’re here to help.

The post What Is a Credential Stuffing Attack and How to Protect Yourself from One appeared first on Heimdal Security Blog.

Why You Need IT and Cybersecurity Training: Hidden Dangers

The world wide web opened up myriads of possibilities once its use became mainstream, and the Internet surpassed all the possibilities envisioned for it at first. The problem is that people’s levels of IT and cybersecurity training started lagging behind in the wake of this explosive development.

More than just a way to communicate, the Internet gradually and radically reshaped the way we learn, shop, express our opinions, the way we work or change employment, or how we meet new partners and friends.

There is now no way to elude the profound effects of this new connectivity in society, or its grasp on our daily lives, especially for the younger among us. But for all the good it has brought us, the internet also opened up the possibility of new threats.

Its volatile nature allows malicious actors to get away with your money or your data more easily, and they are less likely to get caught than thieves in the physical world. Of course, anti-malware protection evolves together with the threats, but sometimes attacks still slip through the cracks, especially when the user is not tech-savvy. This is why everyone needs IT and cybersecurity training.

A. The Dangers of the Internet: Why You Need Cybersecurity Training

Here are just a few of the ways in which malicious third parties can get hold of your data over the internet. You’re probably already familiar with some of them, while others may still be news.

1. Your bank card(s) may get hacked

First and foremost, this is the number one goal of most hacking attacks and malware infections, since the people behind them can effectively steal your money like this. Once a hacking scheme is designed, they can attempt to obtain your financial data in any number of ways (through phishing, or keylogging and so on).

2. Your sensitive information may get stolen

Even if they don’t get to hack into your bank accounts or virtual money (electronic wallet) deposits right away, malware attacks can attempt to steal your account credentials for later use. After the malicious software obtains your sensitive info (like usernames and passwords for various accounts), you can find yourself locked out of your account or, even worse, you may not notice that something is wrong. This way, the hackers can keep an eye on your activity for a while and gather more data.

3. Data about your preferences may be stolen for ransom or third parties

Even if the attack doesn’t obtain access to your email or bank accounts, how would you feel about your activity online being monitored and registered every step of the way? Some malware programs are designed simply for harnessing this data. Then, the hackers can use it in a ransom attempt or sell it to third parties.

4. You may get locked out of your device for ransom

These ransom attempts can sometimes get extreme. You may not be able to access your computer and instead, you’ll just see a message with a countdown clock. You have until the time runs out to pay a large sum of money to a particular bank account, or else the hackers delete all your data. There are tools to unlock your data from ransomware without giving in to the blackmail, but even so, you wouldn’t want to go through the hassle of trying to recover it.

5. Your device may get used as a hub for infecting others

Some viruses simply set up a shadow IT hub in order to run operations from your computer. This way your device can become a hub for their malicious operations without your knowledge, and you will become an unwitting part of the hacking chain. There are millions of otherwise legitimate websites delivering malware without being aware of it.

6. Your kids may get tricked into revealing sensitive info

Some potential thieves or wrong-doers may not even need sophisticated methods of getting their hands on sensitive info. Young children who are not yet savvy about the dangers of the internet, or can’t comprehend them yet, can also provide information they shouldn’t over the internet. This is why you should take extra steps for keeping your kids safe on the internet, and why everyone needs IT and cybersecurity training, be they young or old.

7. You may be spied on

Some hacking attempts can even gain access to your computer’s camera or microphone, spying on you even further. In this extreme possibility, it won’t be just about your browsing history, conversations or interests anymore, but also about things which happen in your home.

We don’t mean to incite unjustified fear; as long as you have a reliable anti-virus and shield solution active, the risks above are not very likely to happen nowadays, or at least not in their most extreme forms. Almost every computer benefits from some level of protection today, even if it’s just the built-in protection. Still, as malware becomes more and more sophisticated, there’s no such thing as 100% safe.

How about if I stay offline?

Of course, it’s not only about the internet. Risks can arise for your computer’s safety and the safety of all data stored on it even when not connected. You can contract a maliciously infected program or file while browsing online. Initially, you won’t notice it, but it will activate later, even if you’re not on the internet anymore.

You can also infect your computer even if you never connect it to the internet, just by plugging some devices into it. Some culprits are USB sticks or other physical memory devices, or even your phone or camera for file transfers.

Also, it’s not only about your computer: your other devices are not safe from hacking attempts, either. Smartphones, for example, are very likely targets of cyber attacks, since they hold the keys to financial data, regardless of whether you shop from them or not.

Staying permanently offline is no safety guarantee, and it’s not really feasible anyway. A solid base of IT and cybersecurity training and awareness, coupled with a strong protection solution, is the only way to stay safe.

Instead of cutting yourself off from the benefits of the world wide web, you should educate yourself on how IT and cybersecurity work. The likeliest culprits often change appearance in the cat and mouse game that takes place between the good guys and the bad guys online. Beyond having good protection for your devices, staying up to date on possible threats is the best way to defend yourself.

What Can You Expect to Learn from IT and Cybersecurity Training?

Even the most tech-savvy among us should strive to keep up to date on security threats since the landscape of the internet is changing rapidly. But if you wouldn’t necessarily think of yourself as tech-savvy, then you need IT and cybersecurity training even more. Everyone can benefit from this, even if only to refresh their memory or spike up their awareness.

B. What does IT and cybersecurity training teach?

Here are just a few areas you can expect to be more knowledgeable about after you finish a full cybersecurity workshop.

  • How do cyberthreats work and how do hackers get into your system?
  • The main types of cyber threats, and especially the ones that require human contact
  • How to set safe passwords and how to keep them safe (including periodic changing)
  • Learning to identify phishing attacks and block them
  • How to tell if a website is secure
  • Protecting yourself against malicious downloads
  • What to do if you get targeted by a cyber attack?

Whether you work in a company and you’re considering getting cybersecurity training for your team, or you’re just looking to prepare yourself better, this type of training is mandatory today.

Oftentimes, software protection is not enough. It’s actually the user behavior that makes all the difference between getting hacked and staying protected. There are even more and more sophisticated ways of using machine learning in order to predict user behavior, and it’s used by both the good guys and bad guys. Stay safe by staying up to speed.

Learning more about cybersecurity is not rocket science; anyone can do it.

Do you feel ready? You should get ready because hackers will exploit any knowledge gap or vulnerability they can.

Resources to read for IT and cybersecurity training

You can start by reading these essential educational resources we’ve prepared for you about how to better protect yourself.

  • Today You’re Being Hacked – How to Choose Security Settings
  • 13+ Warning Signs that Your Computer is Malware-Infected
  • The Best Free Security and Privacy Tools in 2019
  • The Essential Security Tips to Stay Safe on Social Media
  • The Best Security Podcasts in 2019
  • The Best Cybersecurity Books to Read
  • Why Malware as a Business is on the Rise
  • How to Start Taking Control of Your Data – Essential Privacy Tools
  • The Ultimate List of 50 Free Security Tools, Tested for You

Do you feel ready to take your IT and cybersecurity training even further? Here are more key online resources (completely free of charge) to educate yourself on how to stay safe online.

  • Our Cybersecurity Course for Beginners
  • Our Cybersecurity Course for Small Business Owners
  • The Daily Security Tip (which we deliver to your inbox)
  • Our Cybersecurity Glossary (Browse over 300 terms and additional resources)

The post Why You Need IT and Cybersecurity Training: Hidden Dangers appeared first on Heimdal Security Blog.

Best free security and privacy tools in 2019

Is security and privacy your priority this year?

We created this list of free security and privacy tools, all of them up-to-date with 2019 challenges. Use the links below to quickly navigate this guide and find the best security tool to add to your arsenal.

  1. Browsers: Firefox, Brave Browser, Tor, Netcraft anti-phishing toolbar
  2. Password managers: LastPass, KeePass, Password Safe, Bitwarden
  3. Adblockers and no tracking: uBlock Origin, NoScript, XPrivacyLua, DuckDuckGo, Startpage
  4. Private communications: HTTPS Everywhere, Email Privacy Tester, Wire App, ProtonMail
  5. Great PC security: Bleachbit, VeraCrypt, Eraser, Thor Free, Geek Uninstaller, TailsOS
  6. Smart home security: ShieldsUp, F-Secure Router Checker, Netcraft, Firefox Privacy Not Included
  7. Smartphone security and privacy: LineageOS, Signal app, Site Safety Center
  8. Tools to download your personal data

Considering the events of 2018 and the inherent risks of living in a hyper-connected, surveillance-heavy world, we know you’re probably wondering where to start with online security and privacy. Or maybe you’re looking to find more free security and privacy tools to add to your existing arsenal.

For each quick security tip we also included a more advanced option, so you can make positive changes that best fit your digital habits and level of technical know-how.

Secure and private web browsing

When it comes to security, Chrome is one of the most secure browsers in town, as it benefits from all the resources of the giant Google. However, on the privacy front, this is definitely the worst option, so here are three alternatives:

Firefox Browser

No doubt about it, Firefox is the best browser if you want the same amount of extensions and control that Chrome offers. By switching to Firefox you won’t be losing any features but you’ll be relying on a browser developed by the Mozilla Foundation, a company that has long championed users’ privacy rights.

Recently, the great HaveIBeenPwned tool was embedded into the Firefox Monitor – simply input your email address and you can see if it was involved in a data breach.

With the reports feature, you can also get alerted if your accounts were compromised.

Brave Browser

Another option is the Brave Browser, which runs on Chromium and can handle most Chrome extensions. What’s the main selling point?

The Brave Browser acknowledges that publishers need advertising revenue to function and that users are kind of sick of seeing so many ads. To solve both issues, Brave lets users choose which ads they don’t mind and rewards their attention with the BAT token, their own cryptocurrency.

This is a system that’s in its early stages but shows a lot of potential, so we included it on this list.


For the best security and privacy in 2019, Tor (The Onion Router) is still king, protecting your location and personal data. Essentially, Tor routes your internet traffic through a lot of tunnels, so that you cannot be tracked. Used by the military and law enforcement agencies worldwide, Tor is the choice for maximum privacy as long as it’s used for browsing only (anonymity takes a hit for torrenting or streaming sites).

However, it’s worth noting that, due to its traffic redirection, browsing the web through Tor is much slower than with regular browsers. You should also take into account the fact that, because of its ties to law enforcement, Tor does not guarantee bulletproof privacy.

Netcraft anti-phishing toolbar

One thing is for sure: it’s hard to find a free anti-phishing solution that can provide you with a modicum of protection. The reason for this is simple: phishing is one of the most common attack methods hackers employ and security companies have to invest a lot of resources into keeping one step ahead of the threats. We should know, as our own Thor Foresight Home is designed to tackle this particular issue.

However, we know that not everyone can afford to buy a specialized security solution, so we strive to find the best free ones. Out of everything we looked at, the Netcraft anti-phishing toolbar worked best. Not only does it show overall trust levels in a website, it even warns of websites with SSL certificates that have been compromised by the Heartbleed vulnerabilities.

This is how it works:

“The Netcraft anti-phishing community is effectively a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks. Once the first recipients of a phishing mail have reported the target URL, it is blocked for community members as they subsequently access the URL.”

Getting strong passwords and protecting your accounts

All experts agree that choosing strong passwords that are unique for each account is an essential security measure. However, we do know how complicated that is, so password managers are a great option.

Here’s what we recommend for maximum security with the least amount of effort.


We’ve been LastPass customers for years simply because it works so well. It salts and hashes the passwords, lets you generate strong passwords with a simple click and works across devices.

The security tradeoff here is the fact that you are handing over access to all of your accounts to a single service. In theory, if it gets hacked, you run the risk of compromising them all. However, if you pair LastPass with 2-factor authentication for every account that allows it, there’s a slim chance a hacker could get into an account.

For those who really want the most secure password manager, these three solutions require a bit more technical knowledge but are as bulletproof as they come.

Reviewing what social media and Internet giants know about you

We get asked a lot what type of information social media platforms and Google have on you and why it matters. We could go over all the risks but the best way for people to understand the scope of the problem is by experiencing the data collection themselves. Why not see exactly what various websites know about you and what they do with that information?

Tools to download your personal data

Before we give you privacy and security tips for social media and trackers, here are the links to download your data and review it:

Download your data from Facebook

Go to your Settings, navigate to the bottom of the General tab and choose “Download a copy of your Facebook data”. You can choose which information you want to receive and, after waiting for the data to be compiled, you will receive a download link.

Download your data from Google

Visit your Google Account and click Data & personalization, then on the Download, delete or make a plan for your data panel, choose “Download your data”. The process is similar to Facebook’s and it can take a few hours for your personal information to be compiled (expect large archives).

Download your data from Instagram

To get your Instagram data on the web, go to your profile and click the gear icon, then choose Privacy & Security and scroll until you find Data download. After you enter your email address and Instagram password, you’ll get an email with a link to download your information. The process is almost identical on mobile.

Download your data from LinkedIn

On LinkedIn, you will find the download your data option by clicking your profile picture and selecting Settings & Privacy. Then, in Settings & Privacy, you’ll find a tab called “How LinkedIn uses your data”, where you can select which information you want to archive and download.

Download your data from Snapchat

You can only download your Snapchat data on a computer, not in the mobile app. To do so, visit your Snapchat account and click My Data, then choose “Submit Request”. You’ll receive an email containing a link with your data.


Hiding from various trackers and stopping ads

uBlock Origin

There are other great tools like PrivacyBadger but uBlock Origin is the best adblocker we tested so far. It has incredibly granular controls and a nifty “Element blocker” which lets you zap any part of a website you dislike.

Its tracker-blocking features are so strong it can even let you block the most commonplace script, Google Analytics, from gathering information about you.


Another great option for stopping web tracking is Disconnect, an extension or downloadable software that, just like uBlock Origin, lets you see exactly what’s happening when you browse.

It conveniently separates social media trackers from e-commerce ones, so you can choose which services you’re comfortable with getting access to your data. Disconnect is available as a “pay what you want” subscription and even lets you choose how much of your contribution goes to the developers or to charity.


For true control over tracking, NoScript is unparalleled. This little plugin disables JavaScript and, with it, most trackers, and can also be found embedded in the Tor Browser. However, NoScript can also break most modern websites, so this tool should only be used by those extremely concerned about privacy. For a reasonable amount of privacy, uBlock Origin is more than enough.


If you don’t want your search results information going to Google or want unfiltered information not based on your history, DuckDuckGo is the best search engine.

DuckDuckGo uses Google’s search results, so you can expect the same quality of results, but doesn’t track you or your search history. It’s also amazing for quickly searching other websites by adding so-called “bangs” before your query.


If DuckDuckGo’s search results don’t work for you, try, a search engine that used to be the default choice in the Tor Browser.

What makes it different from both DuckDuckGo and Google is the fact that it shows results from multiple search engines. It also lets you do an Anonymous View on the websites you click from search results, stopping cookies from being downloaded on your device. Trust us, getting search results with no ads is an amazing experience in this day and age.


Nowadays, it’s almost impossible to stop app trackers on an Android smartphone but XPrivacyLua does a good job.

Too many things to keep track of when trying to keep trackers off your back? This awesome tool takes the complete opposite approach for protecting your privacy. Instead of stopping trackers, it feeds them junk data to throw them off your trail.

You probably tried to disable location access for some apps and saw a dire warning that the apps in question might crash. XPrivacyLua lets you go around that issue. Instead of disabling permissions for apps and risking their crash, it feeds them fake data. XPrivacyLua works with Android 6.0 and higher versions.

Essentially, you get privacy through obfuscation, not by traditional hiding.

Keeping your communications private

HTTPS Everywhere

To prevent snooping and data theft, encryption is essential. Unfortunately, there are still a lot of websites that do not feature secure connections, so this extension is a must-have. HTTPS Everywhere handles all HTTP websites and encrypts your connection with them and their adjacent websites. Even though it consumes a bit of memory, it’s a great extension to simply leave on and ensure a boost of security. Oh, and it’s also on mobile!

Email privacy tester

One of the ways online criminals and spammers snoop on users is by email tracking. To see exactly what type of info can be obtained by this, Email Privacy Tester is an incredible tool that can give you a report in just a few minutes.

“Several of these third-party email tracking technologies will try to share and correlate your email address across different emails that you open, and even across different websites that you visit, further shaping your invisible online profile. And since people often access their email from different devices, email address leaks allow trackers (and often network observers) to correlate your identity across devices.”

As EFF explained, email tracking is a pervasive problem, so consider running a test and use HTTPS Everywhere for added security.
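To see the leak the EFF quote describes in a message you have saved, the added example below (not part of the original article, and not the code of Email Privacy Tester) lists the remote resources an HTML email would load on open and flags any URL that carries the recipient's address in plain or hashed form. The sample message, hosts and address are constructed, and the list of auto-loaded tags is an assumption that covers common cases only.

```python
import hashlib
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Tag/attribute pairs a mail client may fetch on its own when rendering HTML.
AUTO_LOAD = {("img", "src"), ("link", "href"), ("iframe", "src"),
             ("video", "poster"), ("audio", "src"), ("body", "background")}

class RemoteLoads(HTMLParser):
    # Collects URLs requested just by opening the message. An empty netloc
    # means a cid: or data: URL, which is served from the message itself.
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_LOAD and value and urlsplit(value).netloc:
                self.urls.append(value)

def identifiers(address):
    """The address plus hashes of it that can serve as a cross-site join key."""
    addr = address.strip().lower()
    algos = ("md5", "sha1", "sha256")
    hashes = {a: hashlib.new(a, addr.encode()).hexdigest() for a in algos}
    return {"plaintext": addr, **hashes}

def audit(raw_message, recipient):
    """Return one finding per auto-loaded remote URL, noting address leaks."""
    body = message_from_string(raw_message, policy=default).get_body(("html",))
    if body is None:
        return []
    parser = RemoteLoads()
    parser.feed(body.get_content())
    ids = identifiers(recipient)
    findings = []
    for url in parser.urls:
        haystack = unquote(url).lower()
        leaks = sorted(kind for kind, value in ids.items() if value in haystack)
        findings.append({"host": urlsplit(url).hostname, "leaks": leaks})
    return findings

# Constructed sample message; the hosts and the address are placeholders.
ME = "alice@example.org"
SAMPLE = f"""From: news@shop.example
Content-Type: text/html; charset="utf-8"

<img src="https://shop.example/logo.png">
<img src="https://t.tracker.example/o.gif?e=alice%40example.org" width="1">
<img src="//px.ads.example/p?h={hashlib.md5(ME.encode()).hexdigest()}">
"""
```

Calling `audit(SAMPLE, ME)` reports three hosts contacted on open, two of which receive the address: one URL-encoded in plain text, one as an MD5 hash.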


On the desktop, the best chat app with end-to-end encryption we found is Wire.

This is a great tool for work environments with flexible pricing. For yourself and friends, Wire Personal is completely free and offers full encryption for messages, calls, and files of up to 25 MB in size, which is great for sending photos.

You don’t even need a phone number to sign up! The latest update also brought read receipts, so Wire has most functionalities you’d expect from a chat app.


The choice of security and privacy advocates around the world, ProtonMail was developed by CERN researchers with end-to-end encryption in mind.

Even though the interface is not as intuitive as other email services, ProtonMail has the added benefit of being available on PCs and smartphones through dedicated iOS and Android apps. The best part? You can get a ProtonMail account without giving up any personal info and the company keeps no IP logs.

Tails OS

If you feel ready to start distancing yourself from Windows or macOS, Tails OS is a great, privacy-oriented operating system that’s really easy to use for those familiar with Linux.

Short for “The Amnesiac Incognito Live System”, Tails can be kept on a USB or a DVD and booted live. Because it boots live and leaves no digital footprint in the computer, it’s meant to be used on the go, not as a day-to-day main choice. This Reddit user described one of the best privacy setups with the least steps involved.

Smart home security


Smart home security and IoT security for users, in general, boils down to two things: how secure your router is and how strong your password is.

Don’t get scared by this site’s antiquated design because ShieldsUP is still a valuable tool. Use it to check the open ports on your router.

F-Secure Router Checker

The F-Secure Router Checker is also a great choice to find out if your router was DNS hijacked and if there are vulnerabilities in your setup.

As F-Secure explains, “a DNS hijack means that someone has intentionally modified the settings on your router without your consent”. This has the potential to let an attacker monitor and control your Internet traffic, sending you to fake versions of websites you generally use in order to steal your highly sensitive credentials.

Privacy Not Included

Want to know the best way to prevent smart home security issues? Doing a bit of research before buying an IoT device and considering its security and privacy rating, not just its features and price. One of the best places you can do this is through Mozilla’s Privacy Not Included, a 2018 holiday shopping guide that shows you the flaws in most popular devices.

Smartphone security and privacy

Signal app mobile

Looking for the best end-to-end encryption chat app? Look no further than Signal, a lightweight yet powerful app that uses the Signal Protocol. That’s a cryptographic protocol built by a nonprofit group and adopted by other chat apps like WhatsApp or Facebook Messenger.

What separates Signal from them is the fact that you don’t have to enable Secret Conversation to get encrypted chat; it’s on by default. It even features disappearing messages for added security.

And, unlike direct competitors like Telegram, it hasn’t been pressured by interest groups to give up user data. Best of all, this encrypted chat app does not feature advertising, so what you get is a truly clean chatting experience.

The Netcraft extension is a great way to minimize the risk of getting phished. This handy tool gives you a quick integrity check of a website, showing you its age, popularity and encryption status. It also includes a quick button letting you report possible phishing attempts.

LineageOS private OS for mobile

Want more privacy and better security than what Android offers? Look no further than LineageOS, a free, open-source operating system for mobile that actually receives monthly security updates.

Even though it does not have the same number of apps as mainstream OSes, LineageOS does eliminate the bloatware shipping with modern phones. It also has a host of essential open-source apps like messaging, recording, a file manager and a proprietary web browser.

Check out this guide written by Android experts if you want to install LineageOS.

Site safety center

Unfortunately, phishing remains one of the top threats. On the desktop, solutions like Thor Foresight can make sure that, even if you click a suspicious link, your data won’t be stolen.

On mobile, few apps provide this, which means phishing flourishes in this environment. If you receive a suspicious link in a WhatsApp message but still want to open it, it’s best if you do a quick check on Trend Micro’s Site Safety Center. As its name indicates, the Site Safety Center will check a suspicious URL for you and show you if you have cause for concern.


Great PC security tools


Do you have a lot of sensitive files on your hard drive or invest in things like cryptocurrencies? For this scenario, keeping your data safe demands you encrypt and hide it, especially on a shared computer.

The best tool for this is VeraCrypt, which lets you create hidden, encrypted and password-protected volumes to keep your data safe from prying eyes.

It’s free, open-source software that’s easy to use and very well documented.


BleachBit helps your antivirus perform. It’s a utility tool like CCleaner but the crucial difference is that it’s totally free and open source. BleachBit also includes file shredding and Firefox cleanup.

As an added bonus, because you quickly clean unwanted temporary files, logs or browsing histories, your antivirus will have a much easier time scanning your PC (shorter scans = even less of an impact on the performance of your computer).


If you want to erase your personal files from a work computer or an old hard drive and want to make sure those files are truly deleted, Eraser is the best free security tool we’ve tried so far. To account for the fact that data can still be recovered from a disk even after a delete, Eraser overwrites that data several times and effectively jumbles it before deletion.


One of the most common vulnerabilities targeted by hackers is unused and outdated software. A good uninstaller that can even handle broken files or pesky software is GeekUninstaller.

Thor Free

For monitoring your computer apps and securely deploying updates as soon as they’re available, our own Thor Free does a great job. You can also install the most commonly used software from its interface, without having to find download pages through search engines (and risk landing on a malicious page!).

These are our suggestions for enhancing your security and privacy this year but we plan on updating this page with even more free resources.
Do you know a great free security tool or have a great privacy tip? Drop us a line below and share it with the community!


The post Best free security and privacy tools in 2019 appeared first on Heimdal Security Blog.