
Q&A: How to respond to the latest big data breach? (Includes interview)

The Register has reported that close to 620 million accounts from 16 hacked websites, including MyFitnessPal, MyHeritage, Animoto and CoffeeMeetsBagel, are now for sale on the dark web. The information primarily consists of account holder names, email addresses and hashed passwords; however, different sites also leaked unique data such as location, personal details and social media authentication tokens.

According to the seller of these credentials, the data for one of the websites has already been purchased by at least one person. What does this mean for those affected, and what measures can be taken to prevent a recurrence? Leading experts weigh in.

Commenting first is Jonathan Bensen, interim CISO at Balbix, who explains how the data breaches happened: “The bulk of these credentials were acquired from data breaches that occurred during 2018, meaning that the companies affected, such as Dubsmash, may face fines up to 4 percent of annual global turnover or €20 million under GDPR for compromising the information of EU citizens.”

The data losses relate to security weaknesses, according to Bensen: “What is concerning is that several breached sites failed to disclose these attacks, demonstrating that the companies either were unaware or decided to not reveal the incidents.”

As to how these incidents can be prevented, Bensen explains: “The key to preventing data breaches is to leverage predictive security tools that employ artificial intelligence and machine learning to analyze the tens of thousands of data signals arising across all IT assets. From all that data, teams must prioritize which vulnerabilities to fix first, based on risk and business criticality. Companies must also learn to be transparent when discovering security incidents and report them as soon as possible in order to mitigate sanctions and maintain customer trust.”

Such attacks are a common occurrence, explains Anurag Kahol, CTO and founder of Bitglass: “So far in 2019, approximately 2.2 billion email addresses and associated passwords have been compromised in ‘collections’ of stolen credentials. Now, about 617 million online account details from sixteen different websites’ data breaches have been put up for sale on the Dream Market cybersouk on the dark web.”

Kahol offers some general advice for users: “When individuals create user accounts on websites, they should be able to trust that their personal information will be kept safe. Leaked credentials leave people vulnerable to account hijacking across all services where they recycle their usernames and passwords.”

He also notes the risks that businesses face: “Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless password habits. As such, organizations must simultaneously defend their data against leakage and authenticate their users to ensure that they are who they say they are. Fortunately, security technologies like data loss prevention (DLP), multi-factor authentication (MFA), user and entity behavior analytics (UEBA), and encryption of data at rest can help ensure enterprise data is truly safe.”

Also weighing in on the subject is Stephan Chenette, CTO and co-founder of AttackIQ, who likewise considers the reuse of passwords: “Unfortunately, it is quite common for people to reuse the same login credentials for accounts across a wide range of services in different industries including the financial, healthcare, retail and education verticals. If a malicious actor was able to obtain the email address and crack a hashed password for just one of these accounts, they could potentially gain access to multiple accounts with sensitive information.”
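Kahol's point about credentials recycled across services and Chenette's point about a single cracked hash unlocking other accounts both have a service-side answer: refuse passwords that already appear in a known dump at sign-up, and store the ones you do accept behind a per-user salt and a slow key-derivation function so a stolen table is not trivially matched against a precomputed list. The Python below is an added example for this article, not code from any of the companies quoted; the breached-password corpus and the user passwords are constructed, and the prefix lookup is a local simulation of the k-anonymity range-query pattern used by public breached-password services, not a call to any real API.

```python
"""Two service-side defences against the risks described above: passwords
already present in a breach dump, and stored hashes that are cheap to crack.

Added example with constructed data only; not the article's or any company's code.
"""
import hashlib
import hmac
import os

# Constructed "known breached" corpus: SHA-1 digests of a few passwords that
# commonly appear in credential dumps. It stands in for a real breach list.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}


def breached_suffixes(prefix5: str) -> set:
    """Server side of a k-anonymity range query: given the first five hex
    characters of a SHA-1 digest, return the remaining 35 characters of every
    breached digest sharing that prefix. The caller never sends the full
    digest, let alone the password. (Local simulation of the pattern used by
    public breached-password services.)"""
    return {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix5)}


def is_breached(password: str) -> bool:
    """Client side: true if the password is already in the known dump."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in breached_suffixes(digest[:5])


# scrypt parameters: deliberately slow and memory-hard so that a stolen table
# cannot be run through a dictionary at GPU speed.
_SCRYPT_N, _SCRYPT_R, _SCRYPT_P = 2 ** 14, 8, 1


def store_password(password: str) -> str:
    """Derive a per-user salted record. Two users with the same password get
    different records, so one precomputed list cannot match the whole table."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=_SCRYPT_N, r=_SCRYPT_R, p=_SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (_SCRYPT_N, _SCRYPT_R, _SCRYPT_P,
                                     salt.hex(), key.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare.
    A malformed record is treated as a failed login, never as an exception."""
    try:
        alg, n, r, p, salt_hex, key_hex = record.split("$")
        if alg != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"),
                                   salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(candidate, bytes.fromhex(key_hex))
    except ValueError:
        return False


def register(username: str, password: str, table: dict) -> bool:
    """Sign-up flow: refuse known-breached passwords, otherwise store a salted record."""
    if is_breached(password):
        return False
    table[username] = store_password(password)
    return True


if __name__ == "__main__":
    users = {}
    # "alice" picks a password from the constructed dump and is refused.
    print("register alice ->", register("alice", "password", users))
    # "bob" picks a constructed passphrase, is stored, and can log in.
    print("register bob   ->", register("bob", "a long unique passphrase 7Q!", users))
    print("verify bob     ->", verify_password("a long unique passphrase 7Q!", users["bob"]))
```

The range lookup is what makes the breach check safe to run against an external corpus: only a five-character prefix leaves the service, and the match is made locally against the returned suffixes. The scrypt record carries its own parameters, so the cost factor can be raised later and old records re-derived at the user's next successful login.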

He also warns consumers to become more tech-savvy: “Consumers must start to realize that companies they share personal data with are failing to provide adequate cybersecurity protections, and should therefore exercise caution in determining which companies they give their information to.”

And this warning also applies to businesses: “All organizations trusted with sensitive consumer data should continuously assess the viability of their security controls to make sure that they are enabled, configured correctly and operating effectively. It shouldn’t take a massive breach such as this to make companies realize they need a more proactive approach to strengthen security.”

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
