Just a few weeks ago, Troy Hunt shared his discovery of Collection #1 with the world. Collection #1, a folder containing 773 million leaked emails and 21 million leaked passwords, floated about the Dark Web and hacker forums for an unknown amount of time before its discovery; cybersecurity experts called it the largest dump of stolen accounts in history.
Unfortunately, we should have known it could get worse. Collection #1 pales in comparison to what Wired just discovered: Collections #2-5.
Collections #2-5, much like Collection #1, contain stolen records. Specifically, Collections #2-5 contain 25 billion stolen records; after removing duplicates, the folders still hold 2.2 billion usernames and passwords. The sheer scale of this data breach alone sends shudders through the hearts of cybersecurity observers everywhere.
Moreover, Collections #2-5 floated around the Dark Web for some time before discovery. In the Wired article, Chris Rouland of Phosphorus.io notes over 1,000 downloads of the collections on torrent sites.
What can you do about Collections #2-5? How can your enterprise defend itself against such a monumental blow to users’ data? We spoke with identity management experts to find out:
Tom Garrubba, Sr. Director, Shared Assessments:
“This is indeed a massive amount of records, and we don’t know all of the sources of these breached records. The importance of a healthy third-party risk management program that includes continuous monitoring and effective threat management over your organization’s data becomes even more crucial than ever.”
“All data connection points need to be understood, reviewed, assessed, and continuously monitored in alignment with the outsourcing organization’s risk posture to ensure that both they as the outsourcer, their full network of service providers, and other third parties with whom they share data are all fulfilling their security and privacy expectations laid out in their contracts.”
“For those individuals who have not yet locked down their credit history and files, it’s worth considering. Basic steps to do this are at: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place”
Frederik Mennes, Senior Manager Market & Security Strategy, Security Competence Center, OneSpan:
“2.2 billion records is a staggering number. We are becoming accustomed to breach notification news, but sad to say, multi-factor authentication is still not utilized whenever and wherever possible.”
“MFA combines at least two out of three of the following technologies: something you know (such as a PIN), something you have (such as an authentication app on the smartphone) or something you are (such as a fingerprint or facial recognition). The passwords that are generated only last for a limited period of time, which makes it useless for hackers to intercept and reuse them.”
“Technology is evolving. Next-generation authentication, intelligent adaptive authentication, is gaining momentum. This technology ensures the precise level of security for each level of interaction with the best possible experience for the user. Adaptive authentication utilizes AI and machine learning to score vast amounts of data. Based on patterns, it analyses the risk of a situation and adapts the security and required authentication accordingly.”
“Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance. Applying multi-factor authentication may stop an attacker as the attacker might go after only users that have not enabled stronger authentication.”
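The time-limited one-time codes described above, shown as an added example that is not code from the article or from OneSpan: a minimal RFC 6238 TOTP generator and server-side verifier in Python, checked against the RFC's published test secret. The verifier tolerates one step of clock drift but rejects a code whose step has passed or that has already been accepted, which is why an intercepted code is of little use to an attacker.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the current time step (30 s by default)."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret, candidate, unix_time, last_counter=-1, step=30, digits=6, skew=1):
    """Server-side check. Returns the matched time-step counter, or None.
    - tolerates +-`skew` steps of clock drift between authenticator and server;
    - compares in constant time;
    - rejects any counter <= `last_counter` (the highest counter already accepted
      for this user), so a code that was sniffed and replayed, or submitted twice,
      is useless once it has been used."""
    current = unix_time // step
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None

# RFC 6238 reference secret (its Appendix B test vectors use this ASCII key);
# a real deployment provisions a random per-user secret instead.
RFC_SECRET = b"12345678901234567890"
```

The caller stores the counter returned by `verify_totp` and passes it back as `last_counter` on the next attempt.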
Terry Ray, Senior Vice President and Imperva Fellow:
“The emails and associated passwords were, unfortunately, made readily available to cybercriminals, who can now wreak havoc on the daily lives of the victims. This collection of credentials gives cybercriminals the ammo needed to attempt credential stuffing, password guessing and other iterative processes at account takeover, which is essentially giving cyber attackers a key to your front door.”
“Armed with the recent and past credentials, hackers could access consumers’ data, troll social media platforms to spread propaganda, cash in on hard-earned airline miles, sell contact data for spammers and even access bank accounts. To make matters worse, if consumers reused passwords at work, hackers would break into enterprise infrastructures to steal corporate data, costing businesses millions in damages if that data were to get into the wrong hands.”
“This is why it is critical that consumers never reuse passwords across different accounts they hold, but also change these passwords consistently and set up dual-factor authentication to better protect themselves. If you have taken these precautionary steps, it is unlikely that cybercriminals will successfully break into your accounts.”
“They might temporarily lock you out as a result of attempting to brute force themselves into accounts. If your online services offer account change notifications and two-factor authentication I suggest you use these to further inform you of unusual account activity and make taking over your account more difficult.”
“Businesses should be extra vigilant over the next few weeks as these credentials make their rounds through the dark channels. Post-credential-leak account takeover attempts have historically spiked immediately following incidents like this. Successful logins using these credentials are difficult to identify, though technology does exist to assist IT Security teams.”
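As an added illustration of the post-leak account takeover spike discussed above (not code from the article or from Imperva), the following Python runs a simple credential-stuffing detector over constructed login events. The signature is one source address trying many distinct usernames in a short window with a high failure ratio; any success inside such a window is surfaced as a likely takeover, which is the hard-to-spot case the quote refers to. The log format and thresholds are assumptions to adapt to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (not real traffic): one source sprays six usernames in
# seconds and lands one success; the other two sources are ordinary users.
SAMPLE_LOG = """\
2019-02-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2019-02-01T10:00:03Z ip=203.0.113.7 user=bob result=fail
2019-02-01T10:00:05Z ip=203.0.113.7 user=carol result=fail
2019-02-01T10:00:07Z ip=203.0.113.7 user=dave result=ok
2019-02-01T10:00:09Z ip=203.0.113.7 user=erin result=fail
2019-02-01T10:00:11Z ip=203.0.113.7 user=frank result=fail
2019-02-01T10:02:30Z ip=198.51.100.20 user=alice result=fail
2019-02-01T10:02:41Z ip=198.51.100.20 user=alice result=ok
2019-02-01T10:03:10Z ip=198.51.100.21 user=bob result=ok
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

def parse_log(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield e

def detect_stuffing(events, window_s=300, min_users=5, min_fail_ratio=0.8):
    """Per source IP and fixed time window: many distinct usernames with a high
    failure ratio is the stuffing signature; successes in a flagged window are
    reported as likely takeovers for the SOC to review and force-reset."""
    buckets = defaultdict(lambda: {"users": set(), "ok": 0, "fail": 0, "hits": set()})
    for e in events:
        b = buckets[(e["ip"], int(e["ts"].timestamp()) // window_s)]
        b["users"].add(e["user"])
        if e["result"] == "ok":
            b["ok"] += 1
            b["hits"].add(e["user"])
        else:
            b["fail"] += 1
    alerts = []
    for (ip, _), b in sorted(buckets.items()):
        total = b["ok"] + b["fail"]
        ratio = b["fail"] / total
        if len(b["users"]) >= min_users and ratio >= min_fail_ratio:
            alerts.append({"ip": ip, "distinct_users": len(b["users"]), "attempts": total,
                           "fail_ratio": ratio, "likely_takeover": sorted(b["hits"])})
    return alerts
```

A single user retrying their own password (198.51.100.20 above) never trips the distinct-user threshold, which keeps ordinary typos out of the alert stream.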
Sarah Whipp, CMO and Head of Go to Market Strategy, Callsign:
“The huge bounty should serve as the final nail in the coffin for the traditional password, but the truth is, it probably won’t. With over 2.2 billion unique username and password combinations, even if 1% of these records are utilized to compromise accounts, that is still nearly 25 million accounts in jeopardy. That is beyond alarming. Since humans are creatures of habit, we can expect many of the same combinations are reused across multiple accounts, adding even more insult to injury.”
“This is moving beyond a technological or cybersecurity argument. The breadth and depth of breaches are making this a humanitarian issue and we need to completely rethink our approach to digital identity and security. We may never be able to move completely away from the username and password, but we can take intermediary steps to make securing digital identity more of a global priority. This starts with encouraging further adoption of two-factor (2FA) and multi-factor authentication (MFA) that incorporates biometrics to help us take back control and protect our identities.”
“While we have come leaps and bounds in terms of biometric authentication technology, improving the protection of our identities online, the ability to collect sufficient biometric data tends to be quite difficult and consequently not 100% secure. By incorporating both hard biometric characteristics like facial recognition, fingerprints and iris scanning, along with soft characteristics like how people type, move their mouse or hold their phone, we can start to create security protections both personal and unique to each individual.”
“Coupled with advanced machine learning and artificial intelligence, we can develop security profiles that will work with everything from simple feature phones all the way to cutting edge flagship devices. This way, we can begin to help guarantee the security of all customers, even when personal credentials are stored in plain text on the dark web.”
Thank you to these experts for their comments on Collections #2-5, their time, and their expertise!