There’s a famous saying about how the definition of insanity is doing the same thing over and over and expecting different results. Nothing could be truer about the world’s relationship with passwords, and it’s a reality that should hit the security world even harder.
After all, as we recently learned, the Target hack affecting at least 110 million people began with a stolen username and password. Passwords have gotten lots of play in the news, especially in the security realm, but the bigger problem is in making passwords obsolete for hackers – especially for organizations with valuable data in store. A deeper level of authentication is now essential for a secure business.
The most recent cache holding 360 million “stolen and abused” usernames and passwords was found for sale on the black market and appear to come from several different breaches. 105 million email addresses and passwords was taken in a batch, it appeared, though it is as yet unclear what site the credentials were meant for. The trove also included some 1.25 billion email addresses – a pot of gold for any spammer.
Hold Security, the firm that helped uncover the enormous Adobe breach last October and the Cupid Media breach a month later, reported this latest breach on Tuesday. The blog noted that the “sheer amount of data” might be telling of hackers adopting new, more effective tactics. The firm had just weeks before uncovered a separate cache of 300 million abused credentials from breaches that were never publicly disclosed.
As Hold Security’s blog post reiterates, user credentials are one of the most valuable assets a malicious attacker could get their hands on. A cybersecurity specialist told Reuter’s about the breach that “hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.” Especially when those accounts are owned by major enterprises.
There are numerous approaches hackers use to try and gain user login details, from the myriad social engineering methods, keylogging, a host of malware types, to hacking into user databases on public sites (especially social media and e-commerce sites). Considering that companies from nearly all Fortune 500 companies had emails represented in the cache, there is no doubt that the companies were targeted in at least some of the attacks represented in their findings.
One type of cyberattack stolen credentials have been used more regularly is in hacktivism, like what the Syrian Electronic Army has spent the last year doing to major media corporations. And while those attacks can cause reputational damage and possibly hurt business, they certainly aren’t the worst that can happen. For the vast majority of attackers, there’s some financial motivation in their attacks, and as hacking methods have advanced, the rewards have increased as well. The risks for the hackers? Not so much.
Anyone can be fooled. Relying on educating your employees isn’t enough when the most sophisticated employees get manipulated, and two step authentication isn’t even always enough anymore, with phishing scams that now mimic the second ‘step’ being found in the wild. When you consider it only takes one person to compromise an entire enterprise, you could, as a security officer, be doing everything right, but the second an employee gets tricked into releasing their elevated access password to a malicious party, it could be game over.
A few groups, like the FIDO Alliance, have sprung up as of late, dedicated to pursuing new ways of online authentication and it’s only a matter of time until they’re ready to be implemented. The solution is still being worked out, but we know one truth all too well: Passwords, and our reliance on them, must die.
Read more about Hold Security’s discovery here.