The recent announcement made in September by Yahoo! puts the organisation amongst the biggest data breaches in history with at least 500 million accounts compromised.
Yahoo! is not alone; earlier this year 427 million stolen MySpace passwords were posted on the dark web for sale, and the individual posting of the database was made by the same cyber-criminal who was selling the data of more than 164 million LinkedIn users just one week prior.
While the methods of infiltration are different, the common factor between them are the attackers using stolen, valid credentials to gain access, and consumers have been affected by their access credentials being exposed and sold on the dark web.
According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved the use of weak, default or stolen credentials.
If organisations don’t take action to safeguard their resources and data, they too are leaving themselves at risk. Businesses need to take notice of what has been happening to other organisations and act quickly to minimise the risk of being the next victim.
Credential crisis
These data breaches took months to uncover, none have been simple ‘hit and run’ incidents – rather they have been break-ins with intent. The bad actors took time to filter through the sites and access a variety of consumer data and information.
>See also: Five keys to preparing for a data breach
In some ways we can see a knock-on impact. Once a credential set has been compromised by an attack hackers are then either manually, or employing bots to test this across a number of sites – maximising on the knowledge that users often replicate their logins for multiple accounts.
Once inside, the attacker will elevate their level of access, and begin using legitimate or newly created credentials to move from one system to another, as a method of recon, as they move towards completing their mission to steal the most valuable data.
The problem with passwords
The number of passwords users are required to remember is only growing as our lives are increasingly online, and to keep life simple, users are adopting the same login credentials across multiple sites.
Research released in September this year showed that around 90% of consumers understand there are risks in password reuse and yet alarmingly 60% continue to do it anyway.
>See also: The 10 biggest data breaches and their causes
Moreover, passwords are often basic in their make-up and therefore extremely vulnerable.
In early September news broke of the cyber-criminal activity to the ‘Russian Yahoo!’, Rambler.ru. A shocking finding in the breach was not just the volume of accounts compromised, but the fact that the most common passwords included terms such as “asdasd,” “123456,” and “000000”.
Lessons from the leaks
For too long organisations have relied on username and passwords as the single form of access control and it is no longer adequate to protect confidential information or personal data.
These attacks should serve as a hefty reminder to businesses that they need to continuously innovate in their approach to authentication, taking themselves far beyond traditional username and password and even vanilla two-factor approaches.
>See also: Six steps to avoid becoming a data breach statistic
The cumbersome early days of multi-factor authentication cast a shadow on the technology, but times have changed and options are now more robust, whilst being less invasive.
Smart organisations are already moving to stronger methods of user authentication, including adaptive access control techniques as a way of safeguarding credentials.
It is imperative that more organisations take this lead and look to implement adaptive access in a way that, in addition to the credentials, performs pre-authentication checks (looking at the geo-location of the login attempt, type of web browser they are using, and the IP address they’re logging in from) and risk-analysis as part of the authentication process.
An example could be requiring something a user knows (credentials), something a user has (a recognised or registered device) and something the user is (a biometric). This helps render stolen credentials completely worthless across the breached site and maintains a simple user experience.
Preparing for the future
Cyber-attackers will continue to become even more sophisticated as their methods become more robust. Therefore it’s imperative organisations prepare and make sure strong defences are in place yet are still user-friendly.
As we look forward to 2017, it is critical that security continues to innovate and keep ahead of the attackers.
Critical business information and personal data must be protected by more than just the password, or even basic two factor methods, and the future of our personal and professional online lives must move away from just the two box login that we’ve grown so complacent towards.
Sourced by James Thompson, VP of EMEA, SecureAUTH
