2.6 billion records containing email addresses and passwords have been exposed in a new data breach.[i] Within this collection were nearly 800 million unique credential combinations (close to 3x the population of the USA). Hackers know that most people have a nasty habit of using the same credentials across many (if not all) of the sites they use. The first thing they are likely to do is to look for other “low hanging fruit” opportunities to gather additional information. If they know your username (quite often your email address) and your password from one of the more “well-known” breaches, such as the Marriott incident (Nov. 2018), how many sites would they be able to access using those same credentials?
The method described above is how most of these username and password combinations were identified in the first place. “Credential Stuffing” is the practice of taking addresses and passwords found in prior breaches, merging the various combinations of the two from several sources, and “stuffing” them into a massive number of well-known sites on the Internet to see where they fit. As a technology security specialist, I know you’ve done it, and so have I. In the last 6 months, how many frightening emails have you received which include a reference to a valid password that you use (or used to use)? How many places did you utilize that same password? Have you changed all of them yet? Are they all different from one another?
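From the defender's side, the pattern described above is visible in authentication logs: one source address trying many different accounts in a short time, with only a small fraction of attempts succeeding (the ones where the breached password still works). The following Python script is an added example written for this article, not code from the original post or from Exigent; the log format, the IP addresses and the user names are constructed for the demonstration, and the thresholds are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 203.0.113.9 attempts many different accounts with mostly failures, the
# credential-stuffing pattern; 198.51.100.4 is one user mistyping a password.
SAMPLE_LOG = """\
2019-02-10T08:00:01Z ip=203.0.113.9 user=alice@example.com result=FAIL
2019-02-10T08:00:02Z ip=203.0.113.9 user=bob@example.com result=FAIL
2019-02-10T08:00:02Z ip=203.0.113.9 user=carol@example.com result=FAIL
2019-02-10T08:00:03Z ip=203.0.113.9 user=dave@example.com result=OK
2019-02-10T08:00:03Z ip=203.0.113.9 user=erin@example.com result=FAIL
2019-02-10T08:00:04Z ip=203.0.113.9 user=frank@example.com result=FAIL
2019-02-10T08:00:05Z ip=203.0.113.9 user=grace@example.com result=FAIL
2019-02-10T08:00:05Z ip=203.0.113.9 user=heidi@example.com result=FAIL
2019-02-10T08:00:06Z ip=203.0.113.9 user=ivan@example.com result=FAIL
2019-02-10T08:00:07Z ip=203.0.113.9 user=judy@example.com result=FAIL
2019-02-10T08:01:10Z ip=198.51.100.4 user=mallory@example.com result=FAIL
2019-02-10T08:01:25Z ip=198.51.100.4 user=mallory@example.com result=FAIL
2019-02-10T08:01:40Z ip=198.51.100.4 user=mallory@example.com result=OK
"""

# Assumed log line layout: "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn raw log text into (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_rate=0.3):
    """Flag source IPs that, within a sliding time window, try logins against
    many distinct accounts with a low success rate (assumed thresholds).
    Returns {ip: stats}; 'compromised_accounts' lists the accounts whose
    password was accepted during the campaign and therefore need a reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            window_attempts = attempts[start:end + 1]
            users = {u for _, u, _ in window_attempts}
            successes = sum(1 for _, _, ok in window_attempts if ok)
            rate = successes / len(window_attempts)
            if len(users) >= min_distinct_users and rate <= max_success_rate:
                stats = {
                    "attempts": len(window_attempts),
                    "distinct_users": len(users),
                    "success_rate": round(rate, 2),
                    "compromised_accounts": sorted(
                        u for _, u, ok in window_attempts if ok),
                }
                # Keep the window with the widest spread of targeted accounts.
                if ip not in flagged or stats["distinct_users"] > flagged[ip]["distinct_users"]:
                    flagged[ip] = stats
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The distinguishing signal is breadth, not volume: a single user retrying a forgotten password hits one account repeatedly and is never flagged, while the stuffing source spreads a few attempts over many accounts. The accounts listed under compromised_accounts are the ones where a reused breached password worked, and those are the users to force through a password change and 2FA enrolment first.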
How to mitigate risks associated with this threat:
Use 2-factor authentication (2FA) whenever it’s available. Google, Facebook, PayPal, Microsoft, and nearly every major internet destination offer some form of secondary authentication. Leverage it!
Implement a personal password manager like Dashlane or LastPass. These tools use one strong credential to create, encrypt and store all of your other passwords. Most support 2FA, allowing you to lock down access to the contents. Stay away from password managers that do not offer 2FA. Some password managers, such as Dashlane, allow you to update existing passwords automatically, generating complex passwords and using scripts to replace the current site password with the new one. These tools can save a lot of time covering your biggest areas of exposure.
At Exigent, our cybersecurity consultants can help to ensure that your password policies are strong and that you’re not overlooking areas which may be at risk. Please contact our customer care team if you want to review your security posture and get more information or cybersecurity training.
[i] source: https://haveibeenpwned.com