With the unveiling of two more "mega breaches" this morning, the headlines and news cycles are clamoring for continued updates. The more serious of the two involved the breach at MySpace with 427 million email addresses and linked passwords stolen. The other involved 65 million unique emails and passwords stolen from the popular site, Tumblr. Two more social media sites hit less than two weeks after the announcement that over 160 million compromised LinkedIn accounts had been put up for sale.
As a user of any of these sites, you must check to see if you are among the hacked at the Have I Been Pwned site (https://haveibeenpwned.com/). That was the first thing I did, and I am happy to report "Good news, no pwnage found" on me. You might also want to request to be notified if your credentials do end up for sale in the black market or on Pastebin or in some other unknown trenches of the Internet (and a huge shout out to Troy Hunt for all he is doing in maintaining the site for consumers). At the rate of these announcements, it is safe to assume this is just the beginning of the leaked data that will start to be reported over the next couple of months.
So what is really happening? First, these breaches are not new. It is reported that they are being dated back to as early as 2011. What have hackers been doing with this data during that time? With the occurrence of password reuse on multiple websites, it is likely these same credentials have been tried across the site of every major consumer brand in the last three to five years.
Second, what does this say about security defenses? Is it for real that organizations are only uncovering the actual scale of these breaches when hackers post the full data dumps for sale? These breach reports ought to serve as a wake-up call to every social networking, e-commerce, banking or any other major consumer-facing website out there to re-evaluate their web defenses. Even though you might not have been breached, you are still a target as a majority of consumers do not practice good personal security hygiene. Your website has been or will be subject to password guessing attacks.
Next, what does this say about passwords and the value of stolen data? Let's do the math. The MySpace data had an asking price of $2,800 which equates to 152,500 stolen credentials for $1. That is nearly three times more expensive than what was being asked for the Tumblr data, a mere $150, which equates to roughly 430,000 credentials for $1. Discussions around the commoditization of stolen credit cards in the black market has regularly set their value as low as 50 cents. Today, a cybercriminal in the business of selling them, at even pennies for a single unit, is yielding far greater profits than ever before with the flood of stolen emails and passwords now up for sale.
I want to know what organizations have done to upgrade their security practices since 2011 - 2013 when most of these recent breaches are reported to have happened. And I am talking way beyond encryption, hashing and salting. Let's look at user authentication as just one example. Are they now considering multifactor authentication? Or for organizations that have MFA in place, will these breaches now make it forced rather than optional for users? Most financial institutions have been requiring multifactor authentication for over a decade, and it has proven time and again to enhance user experience and increase transaction volumes. Why are retailers, social media providers, gaming sites and other large consumer organizations not following suit?
With Vegas placing betting odds on so many events, including the upcoming U.S. presidential election, I only wonder if the announcement of data breach odds will be next.
Author: Heidi Bleau
Category: RSA Fundamentals, Blog Post
Keywords: Authentication, Consumer Security, Cybercrime, Cybercrime and Fraud, Passwords