News Insights: Hackers Are Passing Around a Megaleak of 2.2 Billion Records

Hackers Are Passing Around a Megaleak of 2.2 Billion Records

The so-called Collections #1–5 represent a gargantuan, patched-together Frankenstein of rotting personal data.


News Insights:

According to Terry Ray, senior vice president and Imperva fellow:

The emails and associated passwords were, unfortunately, made readily available to cybercriminals, who can now wreak havoc on the daily lives of the victims. This collection of credentials gives cybercriminals the ammo needed to attempt credential stuffing, password guessing and other iterative processes at account takeover, which is essentially giving cyber attackers a key to your front door. Armed with the recent and past credentials, hackers could access consumers' data, troll social media platforms to spread propaganda, cash in on hard-earned airline miles, sell contact data for spammers and even access bank accounts. To make matters worse, if consumers reused passwords at work, hackers would be breaking into enterprise infrastructures to steal corporate data, costing businesses millions in damages if that data were to get into the wrong hands.

This is why it is critical that consumers never reuse passwords across different accounts they hold, but also change these passwords consistently and set up dual factor authentication to better protect themselves. If you have taken these precautionary steps, it is unlikely that cybercriminals will successfully break into your accounts. If anything, they might temporarily lock you out as a result of attempting to brute force themselves into accounts. If your online services offer account change notifications and two-factor authentication, I suggest you use these to further inform you of unusual account activity and make taking over your account more difficult.

Unfortunately, data breaches are far too common these days and consumers are becoming more desensitized to breaches—and at this point, who hasn’t been affected by a data breach? Organizations that want to collect data on individuals must accept the responsibility for protecting that data. Too often, private information is collected, yet the collecting organization doesn’t monitor who has access to the data, when the data is viewed, or whether the data has been stolen. It’s not until an event like this where an individual finds the data on the web and works to piece the original source together.


Businesses should be extra vigilant over the next few weeks as these credentials make their rounds through the dark channels. Post-credential-leak account takeover attempts have historically spiked immediately following incidents like this. Successful logins using these credentials are difficult to identify, though technology does exist to assist IT Security teams. Most teams assume that they won’t be able to prevent every attempt and instead focus their security around their most critical data assets, by monitoring all activity to those resources and flagging or preventing unusual access internally. This changes the threat from one of identifying the wrong person using the right credentials, to a threat of the right credential doing very unusual things, which is easier to detect and differentiate from previously modeled behavior.


According to Tom Garrubba, Sr. Director, Shared Assessments:

This is indeed a massive amount of records, and we don’t know all of the sources of these breached records. The importance of a healthy third party risk management program that includes continuous monitoring and effective threat management over your organization’s data becomes even more crucial than ever. All data connection points need to be understood, reviewed, assessed, and continuously monitored in alignment with the outsourcing organization’s risk posture to ensure that both they as the outsourcer and their full network of service providers and other third parties with whom they share data are all fulfilling their security and privacy expectations laid out in their contracts.


According to Frederik Mennes, Senior Manager Market & Security Strategy, Security Competence Center, OneSpan:

2.2 billion records is a staggering number. We are becoming accustomed to breach notification news, but sad to say, the use of multi-factor authentication is still not utilized whenever and wherever possible.

MFA combines at least two out of three of the following technologies: something you know (such as a PIN), something you have (such as an authentication app on the smartphone) or something you are (such as a fingerprint or facial recognition). The passwords that are generated only last for a limited period of time, which makes it useless for hackers to intercept and reuse them.

Technology is evolving. Next-generation authentication, intelligent adaptive authentication, is gaining momentum. This technology ensures the precise level of security for each level of interaction with the best possible experience for the user. Adaptive authentication utilizes AI and machine learning to score vast amounts of data. Based on patterns, it analyses the risk of a situation and adapts the security and required authentication accordingly.


Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance. Applying multi-factor authentication may stop an attacker as the attacker might go after only users that have not enabled stronger authentication.