It seems it’s been a rough morning for security.
While the team at Yahoo is scrambling to explain exactly how they managed to send over 100 million customers’ worth of data out for auction on the dark web, 5.5 million workers at the world’s top 1,000 publicly traded firms will be waking up this morning trying to figure out how all their personal information managed to end up on the web.
A British cybersecurity firm searched through data compromised by recent breaches of popular websites and managed to dig up those 5.5 million or so passwords — the data itself came from well-known breaches like the ones at LinkedIn, Dropbox, Ashley Madison and MySpace. Criminals looked for accounts people signed up for with a work email — and then cleverly realized these folks were reusing their passwords.
Ashley Madison — the adultery website that was hacked — was a particular treasure trove, according to researchers, as they were able to pull corporate emails and passwords of more than 200,000 people working for big companies.
Breaches are high-cost endeavors, and they become more so the bigger they get. One IBM study found that the average cost of a breach is $4 million — not to mention the loss of customers.
Much of the data uncovered by Digital Shadows (the British cybersecurity firm behind this data) had not been previously leaked — 90 percent of the 5.5M usernames and passwords were newly available online.
“We were analyzing leaks going back to 2012, so I thought we would see a lot of duplicates, but only 10 per cent of credentials had been in previous leaks,” said Rick Holland, vice-president for strategy at Digital Shadows. “Whenever a breach becomes public, the first thing our clients ask is: ‘Are these details new or repackaged?’ So this is bad news.”
And Robert Capps, vice-president of business development at NuData Security, notes that it is getting worse as cybercriminals are building off of each other’s work.
“One frightening example is the ‘Facebook of Everything’ that China’s intelligence service is compiling from the personal data stolen over several high-profile US cyber breaches,” said Capps. “Their stated goal is to compile it into a massive Facebook-like network to build a profile of everyone, with more details than Facebook.”
Cybersecurity experts recommend employees be required to change passwords every eight weeks and use additional security.
“Rolling out multi-factor authentication is really important to minimize that risk,” Mr Holland said.