Written by: Daniel Haurey on 02/02/19


2.6 billion records containing email addresses and passwords have been exposed in a new data breach.[i] Within this collection were nearly 800 million unique credential combinations (close to 3x the population of the USA). Hackers know that most people have a nasty habit of using the same credentials across many (if not all) of the sites they use. The first thing they are likely to do is look for other “low hanging fruit” opportunities to gather additional information. If they know your username (quite often your email address) and your password from one of the better-known breaches, such as the Marriott incident (Nov. 2018), how many sites would they be able to access using those same credentials?

The method described above is how most of these username and password combinations were identified in the first place. “Credential stuffing” is the practice of taking email addresses and passwords found in prior breaches, merging the various combinations of the two from several sources, and “stuffing” them into a massive number of well-known sites on the Internet to see where they fit. As a technology security specialist, I know you’ve done it, and so have I. In the last 6 months, how many frightening emails have you received that reference a valid password you use (or used to use)? How many places did you use that same password? Have you changed all of them yet? Are they all different from one another?

How to mitigate risks associated with this threat:

  • Use 2-factor authentication (2FA) whenever it’s available. Google, Facebook, PayPal, Microsoft, and nearly every major internet destination offer some form of secondary authentication. Leverage it!
  • Implement a personal password manager like Dashlane or LastPass. These tools use one strong credential to create, encrypt and store all of your other passwords. Most support 2FA, allowing you to lock down access to the contents. Stay away from password managers that do not offer 2FA. Some password managers, such as Dashlane, allow you to update existing passwords automatically, generating complex passwords and using scripts to replace the current site password with the new one. These tools can save a lot of time covering your biggest areas of exposure.
  • Don’t ever use the same combination of credentials across multiple sites. This has become, by far, the most successful method of gaining access to sites using data leaked from others.
  • If you’re a business, take a strong stance on password policies. If you are under the scrutiny of any regulatory compliance regime, most have guidelines or rules that require you to implement complex, unique and regularly expiring credentials.
  • Don’t be the weak link. Security is a top-down problem and stakeholders must take the initiative to set an example for the rest of their staff. We also offer training for your employees. If you are interested, we are interested!

At Exigent, our cybersecurity consultants can help to ensure that your password policies are strong and that you’re not overlooking areas which may be at risk. Please contact our customer care team if you want to review your security posture and get more information or cybersecurity training.

[i] source: https://haveibeenpwned.com