Industry experts have been providing comments on the Collection #1 data breach – the largest ever database of breached login details leaked on the Dark Web.
Details of the breach were outlined by cybersecurity expert Troy Hunt, a Microsoft Regional Director, in his blog.
Collection #1 is a set of email addresses and passwords made up of a number of different individual data breaches from thousands of different sources.
Hunt wrote that there were 772,904,991 unique email addresses listed and 21,222,975 unique passwords.
More information on the breach, and advice on what to do if you are affected, can be seen here.
Industry experts have been providing their views on the news:
Sarah Whipp, CMO and Head of Go to Market Strategy, Callsign
This case is just another example in a long list of hacks which prove that the outdated password is no longer fit for purpose.
The Collection #1 database is just another nail in the coffin for the traditional password. Not even a ‘strong’ password can keep your data safe if it’s freely available on the Dark Web. That’s why in order to stop fraudsters in their tracks we must go beyond passwords and biometric security to the next stage, Intelligence Driven Authentication (IDA), which will be the panacea for protecting identities and defending against data breaches.
While we have come on leaps and bounds in terms of biometric authentication technology which has helped improve the protection of our identities online, the ability to collect sufficient biometric data tends to be quite difficult and consequently, it is also not 100% secure.
By incorporating both hard (facial recognition, fingerprints, iris scanning) and soft (behavioural characteristics, e.g. how people type, move their mouse or hold their smartphone) biometrics, which are personal and unique to each individual, and combining them with advanced Machine Learning, businesses can guarantee the security of their customers’ data.
Sergey Lozhkin, Security Expert at Kaspersky Lab
This massive collection of data harvested through data breaches had been built up over a long period of time, so some of the account details are likely to be outdated now. However, it is no secret that despite growing awareness of the danger, people stick to the same passwords and even re-use them on multiple websites.
What’s more, this collection can easily be turned into a single list of e-mails and passwords, and then all that attackers need to do is to write a relatively simple software program to check if the passwords are working.
The consequences of account access can range from very productive phishing, as criminals can automatically send malicious e-mails to a victim’s list of contacts, to targeted attacks designed to steal victims’ entire digital identity or money or to compromise their social media network data.
We urge everyone who uses email credentials for online activity to take the following steps as soon as possible:
- Check if your e-mail account has been exposed online by going to https://haveibeenpwned.com/
- Change the passwords for your most important or sensitive accounts (such as internet banking, online payment or social media networks), preferably through a password manager
- Implement two-factor authentication wherever possible
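The first step above, checking whether a credential appears in a breach corpus, can be done without ever sending the password or its full hash to the checking service, using the k-anonymity range-query scheme that Have I Been Pwned's Pwned Passwords API uses (the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally). The example below is added here and is not code from Troy Hunt, HIBP or any of the quoted vendors; it simulates both the client and the server side offline against a small constructed corpus, so the network call, the corpus and the counts are all assumptions.

```python
import hashlib
from collections import Counter
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest the range scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus (NOT Collection #1 data): plaintext
# passwords and a made-up count of how often each was seen across dumps.
CONSTRUCTED_CORPUS = Counter({
    "password": 3730471,
    "123456": 23174662,
    "qwerty": 3,
    "letmein": 1,
})


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Server side: index hash suffixes by their 5-character prefix, keeping only hash and count."""
    index: Dict[str, Dict[str, int]] = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def serve_range(index: Dict[str, Dict[str, int]], prefix: str) -> str:
    """Server side of one range query: every 'SUFFIX:COUNT' line whose hash starts with prefix.

    Because many unrelated hashes share a 5-character prefix, the response alone
    does not reveal which password the client was asking about.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, {}).items()))


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side: send only the hash prefix, compare the suffix locally; 0 means not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)  # the only value that leaves the client
    for line in body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


def make_offline_fetch(index: Dict[str, Dict[str, int]], requested: List[str]) -> Callable[[str], str]:
    """Stand-in for the HTTP call; records each prefix sent so the test can confirm nothing more leaked."""
    def fetch(prefix: str) -> str:
        requested.append(prefix)
        return serve_range(index, prefix)
    return fetch


if __name__ == "__main__":
    index = build_range_index(CONSTRUCTED_CORPUS)
    sent: List[str] = []
    fetch = make_offline_fetch(index, sent)
    for candidate in ("password", "correct horse battery staple 7Qz!"):
        hits = pwned_count(candidate, fetch)
        verdict = f"seen {hits} times, reject" if hits else "not in corpus"
        print(f"{candidate!r}: {verdict}")
    print("prefixes sent to server:", sent)
```

A registration or password-change handler can call pwned_count at the point where a new password is set and reject anything with a non-zero count, which is the server-side counterpart to the personal check in the list above; the password itself never reaches the lookup service.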
Will LaSala, Director of Security Solutions and Security Evangelist, OneSpan
This is a colossal breach. Those impacted should act fast to change any reused passwords, as the exposed credentials can be used by criminals in credential stuffing attacks to cause maximum damage across multiple other accounts. And with criminals trading assets in underground forums, data from this breach could easily be cross referenced with information lying elsewhere to bypass authentication. For the more high-risk accounts like banking accounts, this poses a very real fraud threat.
If this doesn’t highlight the need for security reach beyond the password, then not much else will. We should know by now that using a combination of multiple, layered authentication technologies gives companies, and users, the best chance. Banks especially should be upgrading their authentication procedures to more intelligent methods to mitigate the fraud risk in the aftermath of attacks such as this. This technology should combine multiple authentication techniques, whether that’s fingerprints, behavioural biometrics or one-time passwords.
Dan Pitman, Principal Security Architect at Alert Logic
This particular set of stolen data seems to come from nearly 3,000 different websites from all over the globe. In this day and age, everyone needs to make the assumption that their email is in a list that attackers have access to; unless you created it today, probably. Hackers use these lists for many purposes from credential stuffing to identity theft. For the latter, the more data they have the more likely they can match details together from different lists to build up a profile.
The more cracked passwords in their database, the more likely they are to be able to match those to the hashes from other hacks and find a combination that works to access a system; this is the essence of credential stuffing.
Users must consider the uniqueness and logic of their password for this reason. And herein lies the main challenge in producing a good one; make it personal and you’re exposing yourself to spear phishing attacks, make it more generic and it’s more likely to be cracked at some point which means the attackers can match your email to that password and use it to breach one of your personal accounts on these systems.
One significant risk here is that employees in organisations re-use passwords in their home and work lives; these kinds of data breaches do not just affect individuals. When these kinds of stories break, organisations should put out a communication to employees requesting they change their password, especially if it is one used outside of work.
Everyone should be aware that a single word with some of the letters changed to numbers or punctuation is significantly less secure to cracking than a phrase or collection of semi-random words strung together.
The other option usually posited is to use a third-party service to generate and store your passwords. If using this method, be sure to review the company providing the password service, but also bear in mind that in the event of a breach this is only as secure as the website you use that password on. If they are not securely storing the password and their data is leaked, anywhere you have used it is an easy target for hackers.
Think about passwords as the opposite of the recycling mantra “Reuse, Reduce, Recycle”: we want to dispose of passwords periodically, we want to lengthen passwords and increase the number of them we use, and we absolutely don’t want to recycle them by changing that one on the end to a two.
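Both LaSala and Pitman describe credential stuffing as the way a list like this is used: one source replays many leaked email/password pairs against a site, most of which fail, and the few that succeed are the reused passwords. From the defender's side the pattern is visible in authentication logs, and the example below (added here, not code from any of the quoted companies) runs a simple sliding-window detector over a constructed log: it flags a source address that tries many distinct usernames in a short window with a high failure rate, and lists which accounts it nonetheless logged into. The log format, timestamps, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed log format: one authentication attempt per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log (documentation-range addresses, fictional users).
# 203.0.113.7 walks through ten different accounts in under two minutes and gets
# one hit; 198.51.100.20 is one user mistyping twice; 192.0.2.5 is a low-volume probe.
CONSTRUCTED_LOG = """
2019-01-17T09:00:00Z ip=203.0.113.7 user=alice result=FAIL
2019-01-17T09:00:12Z ip=203.0.113.7 user=bob result=FAIL
2019-01-17T09:00:15Z ip=198.51.100.20 user=alice result=FAIL
2019-01-17T09:00:24Z ip=203.0.113.7 user=carol result=FAIL
2019-01-17T09:00:36Z ip=203.0.113.7 user=dana result=OK
2019-01-17T09:00:40Z ip=198.51.100.20 user=alice result=FAIL
2019-01-17T09:00:48Z ip=203.0.113.7 user=erin result=FAIL
this line is not an auth event and must be skipped
2019-01-17T09:01:00Z ip=203.0.113.7 user=frank result=FAIL
2019-01-17T09:01:05Z ip=198.51.100.20 user=alice result=OK
2019-01-17T09:01:12Z ip=203.0.113.7 user=grace result=FAIL
2019-01-17T09:01:24Z ip=203.0.113.7 user=heidi result=FAIL
2019-01-17T09:01:30Z ip=192.0.2.5 user=bob result=FAIL
2019-01-17T09:01:36Z ip=203.0.113.7 user=ivan result=FAIL
2019-01-17T09:01:48Z ip=203.0.113.7 user=judy result=FAIL
2019-01-17T09:02:00Z ip=192.0.2.5 user=carol result=FAIL
2019-01-17T09:02:30Z ip=192.0.2.5 user=erin result=FAIL
""".strip().splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Return {ts, ip, user, result} for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(lines: List[str],
                               window: timedelta = timedelta(minutes=5),
                               min_distinct_users: int = 5,
                               min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag source IPs that, within any sliding window, attempt >= min_distinct_users
    different usernames with a failure ratio >= min_fail_ratio.

    Returns {ip: {"distinct_users": n, "attempts": n, "hits": {usernames that succeeded}}}.
    One user failing repeatedly (a forgotten password) is not flagged: distinct users is the
    signal that separates stuffing from ordinary login trouble.
    """
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    findings: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start so the window never spans more than `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if e["result"] == "FAIL")
            if len(users) >= min_distinct_users and fails / len(span) >= min_fail_ratio:
                f = findings.setdefault(ip, {"distinct_users": 0, "attempts": 0, "hits": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["attempts"] = max(f["attempts"], len(span))
                f["hits"].update(e["user"] for e in span if e["result"] == "OK")
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(CONSTRUCTED_LOG).items():
        print(f"{ip}: {f['distinct_users']} usernames in {f['attempts']} attempts; "
              f"accounts to force a reset on: {sorted(f['hits']) or 'none'}")
```

The accounts in hits are the ones the article's advice applies to most urgently: a successful login from a flagged source means that user's password was in a leaked list and reused, so it should be reset and the session revoked, and the source address can be rate-limited or challenged with a second factor.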
Bill Evans, Senior Director at One Identity
The basics of mitigating the risk of such a breach are roughly the same for organisations as they are for individuals. The four basics are:
- Use multi-factor authentication. For individuals, if your bank offers it, enable it. If your bank does not offer it, change banks. For enterprises, you should enable it for all users. You must enable it for your superuser/privileged accounts.
- Education: In order to protect your individual assets, you must stay abreast of your cybersecurity options. Enterprises must educate their users of the importance of cybersecurity. While not the most glamorous or exciting of activities, it has to be done, just like cutting the lawn or paying your bills.
- Privileged access management: Largely for enterprises, steps must be taken to protect the most valuable of assets.
- Governance: Again, for enterprises, this is about ensuring the right people have the right access to the right stuff at the right time. An analogue here for end users is to make sure you use different passwords for each account and change them often.
Nick Murison, Managing Consultant at Synopsys
Unlike previous high-profile data dumps, where the data all comes from one compromised party, this appears to be a carefully curated collection of dumps from a large collection of compromises. A brief skim of the alleged sources suggests that these are smaller online entities that likely have not spent much time or resources on security. Some of them may not even be aware that they were compromised some time ago, and that the data may originate from years earlier.
Such a large data leak underscores the need for all companies to invest in security as part of their software development. This includes both establishing activities such as threat modelling early in development and penetration testing as part of ongoing operational activities, as well as investing in tools and automation to ensure security defects are discovered as part of regular development and testing phases. With data protection laws becoming increasingly strict (e.g. GDPR), there is no excuse for a company not to be thinking about the risk of data breaches in 2019. This goes for companies developing their own systems as well as companies that decide to outsource development; you cannot outsource the responsibility you have to safeguard your customers’ data.
Darren Williams, Founder and CEO of BlackFog
The sheer number of email addresses and passwords exposed unfortunately doesn’t come as a shock. When it comes to accessing your personal data, hackers will always find a way to get in. Every single application or website we visit collects some form of data about our usage and identity. This is allowing hackers to attack from every angle – profiling your behaviour as you browse online on your devices and, in many cases, stealing your personal data.
This is why prevention should be the focus. Regrettably, consumers now need to accept that attackers will take their data; consumers need a way of preventing the unauthorised data from subsequently leaving their devices and falling into the hands of cyber criminals. This is no doubt the first of many stories to come throughout the year and the privacy debate will undoubtedly come to a head in 2019 as consumers begin to wake up to how their data is being used and how vulnerable it has become.