Last year alone, SpyCloud observed a 70% password reuse rate among users exposed in data breaches. In addition, our research found a 64% password reuse rate among Fortune 1000 employees, who reuse passwords across multiple sites. Reusing passwords is one sure-fire way for criminals to gain easy access to your accounts: the work of impersonating the actual user is already done for them. So what should you do if your password is stolen and exposed to criminals to use for fraud and other cybercrime? At SpyCloud, that’s something we think about a lot.
SpyCloud maintains the largest and most up-to-date collection of recaptured data from breaches, malware victims’ devices, and other underground sources. A portion of these credentials are found in the same combolists that criminals are using today in successful credential stuffing attacks. Others are from sources that only SpyCloud has obtained access to that help thwart account takeover (ATO) and prevent fraud before the assets are available as commodities on the criminal underground. Should your credentials ever appear in our dataset, we recommend you take immediate action to protect yourself.
But how do you know if your data has been exposed? Check your exposure here – simply enter your email address and SpyCloud returns insights about your darknet exposure, including password exposures, malware infections, stolen cookies, PII, and other statistics that give context around your corporate and personal risk.
What is a Data Breach vs. What is a Data Leak
To understand the implications of stolen passwords, it helps to know how they get exposed in the first place, and how criminals use passwords found in data breaches to gain access and launch further cyber attacks.
So what is a data breach? A data breach is the theft of information through unauthorized access to a network or system. Data breaches are common and costly:
There were 1,802 publicly reported data breaches in 2022, just 60 events shy of the all-time high set in 2021. These breaches impacted 422.1 million people, an increase of 41.5% from 2021.
The average data breach cost reached an all-time high of $4.35 million in 2022, a 2.6% increase from last year’s average of $4.24 million.
The most common initial attack vector for data breaches is compromised credentials, responsible for 19% of breaches (at an average cost of $4.5 million).
It’s also worth distinguishing between the questions “what is a data breach?” and “what is a data leak?” A data breach refers to data that was stolen, whereas a data leak is information exposed by an internal error or vulnerability. Whether the cause is malicious or accidental, exposed credentials pose serious threats to organizations, and better cyber hygiene by all users is a great first step in combating these threats.
The Implications of Exposed Passwords
Cybercriminals use passwords exposed in data breaches to launch attacks on enterprises, including account takeover and credential stuffing attacks. According to Javelin Research from 2022, “account takeovers increased by 90% last year, causing an estimated $11.4 billion in losses.” With someone’s passwords exposed in a data breach in hand, criminals can access existing accounts to make unauthorized transactions, siphon funds, and steal corporate data or PII to use for other purposes, or simply to sell to other attackers on the dark web.
Credential stuffing is another avenue bad actors use to gain unauthorized access to organizations. This refers to the act of testing large sets of stolen credentials against targeted applications or web interfaces. A combolist is one of the key components of credential stuffing attacks; it is a list of previously breached credentials which are loaded into automated brute-force tools to test username and password combinations against thousands of sites at a time with little to no manual intervention needed. These tools can check for common password variations as well, which can prove to be successful with the human behavior of reusing passwords across multiple accounts.
Once bad actors gain access to organizations, they can do more than just take over accounts – they can also launch follow-on attacks including ransomware. In 2021 there was an almost 13% increase in ransomware-related breaches. Ransomware was present in 25% of breaches – a jump as big as the last five years combined! Passwords can seem innocuous, and coming up with ones that aren’t easily cracked can be cumbersome, but the stakes are high when a stolen password is used to breach an organization. That’s why it’s so critical to ensure password security and hygiene, especially when you are notified that your password was exposed as part of a data breach.
Four Steps to Take After Your Password is Stolen
In terms of remediation, your first order of business is to change the password found in a data breach. But that’s not all you need to do in order to contain the damage. Failure to act quickly may result in the compromise of additional accounts, especially if you reuse passwords – even reusing part of a password can be enough for criminals to work out the rest. But even if you don’t reuse passwords, your compromised information may be enough for criminals to pivot off of to then target other accounts. We suggest following this checklist to protect yourself from potential future attacks.
Here is what to do when you are alerted that your password was part of a breach and available for criminals to use:
Change the compromised password immediately. We highly recommend the use of a long, complex password containing random letters, numbers and special characters. Another suggestion is passphrases where it can be easy for you to remember but difficult for someone else to crack: $andwichesAr3B3tt3rw!thMay0.
Change all variations of the compromised password on any of your accounts and never use it again. It’s not enough to monitor other accounts using the same or a similar password for suspicious activity. If an attacker has even a few characters of your password, they can crack the entire password. Using your pet’s name and only changing out the numbers that may follow will not be enough to thwart these individuals who stay a step ahead.
Enable multi-factor authentication (MFA) for all of your accounts where MFA is an option. This is an excellent way to require another level of approval before your credentials grant access to accounts and networks. It is not a silver bullet, but it is an additional layer that supports better defenses.
Implement a password manager so all of your passwords are unique and easily managed. It’s common for people to have anywhere from 80-100 online accounts, each requiring their own unique password. Most password managers auto-generate complex passwords. Any password that is easy to remember is also easy to guess. This is why the strongest passwords are automatically generated.
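The four steps above can be turned into a quick self-check before you commit to a replacement password. The following is an added example, not SpyCloud’s code or tooling: it assumes a made-up breached password and applies step 2 (reject trivial variants such as a changed year or symbol) and tip 1 below (16+ characters, mixed character classes). The heuristic for what counts as a “variant” is our own assumption.

```python
import string

# Constructed sample breach notification: the exposed password is made up for this example.
BREACHED_PASSWORD = "Fluffy2019!"

# Common letter-for-symbol substitutions that add little real strength (assumed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
STRIP = string.digits + string.punctuation
MIN_LENGTH = 16  # the page's recommendation for a password or passphrase


def core(password: str) -> str:
    """Lowercase, drop leading/trailing digits and punctuation (years, '!', '#'),
    then undo l33t substitutions: 'Fluffy2019!' and 'FLUFFY2020#' both -> 'fluffy'."""
    return password.lower().strip(STRIP).translate(LEET)


def is_variant(candidate: str, breached: str) -> bool:
    """True when the candidate is only a trivial variant of the breached password:
    identical core, or one core contained in the other ('MyFluffyCat42' still
    contains 'fluffy'). Very short cores are compared exactly to avoid noise."""
    a, b = core(candidate), core(breached)
    if min(len(a), len(b)) < 4:
        return candidate.lower() == breached.lower()
    return a == b or a in b or b in a


def review_replacement(candidate: str, breached: str) -> list[str]:
    """Return checklist findings for a proposed replacement password;
    an empty list means it passes step 2 and the 16+ character tip."""
    findings = []
    if is_variant(candidate, breached):
        findings.append("variant of the breached password")
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(c in string.punctuation for c in candidate)]
    if sum(classes) < 3:
        findings.append("fewer than three character classes")
    return findings


if __name__ == "__main__":
    for cand in ["Fluffy2020!", "MyFluffyCat42", "$andwichesAr3B3tt3rw!thMay0"]:
        print(cand, "->", review_replacement(cand, BREACHED_PASSWORD) or ["ok"])
```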
Top Tips for Stronger Passwords
Password hygiene seems like a simple concept, but as we mentioned above, a 70% password reuse rate for users with more than one password exposed in the last year is a startling stat reflecting that there is still more work to be done. To avoid your password being compromised, follow our recommendations for stronger passwords – and stronger account protection overall:
1. Choose a complex, 16+ character password or passphrase
Our testing revealed that passwords with 16+ random letters, numbers and characters, regardless of hashing algorithm used, would require centuries to crack.
Bonus Pro-tip: Don’t use common words or phrases in your passwords. In fact, the more random, the better! For example, don’t think that you’re the only one using your favorite sports team name in your passwords. SpyCloud’s recaptured data includes millions of passwords containing sports team names, from soccer to football to baseball. We cannot stress enough the importance of ensuring the complexity of your password.
2. Make passwords unique across accounts
Use a different, complex password for every online account.
Bonus Pro-tip: This is where the aforementioned password manager will come in handy. It takes the guesswork out of creating unique passwords, and also allows you to securely store passwords. However, do not make your master password for this tool easy to guess!
3. Don’t mix business logins with personal accounts
Mixing business with pleasure means that a breach of a work site can jeopardize your personal life and vice versa.
Bonus Pro-tip: We also recommend that you take caution when accessing business-related applications on personal devices. It’s one thing to have your password stolen, but it can cause an even bigger security risk if the personal device you use has a malware infection that can siphon more than just login credentials.
4. Use multi-factor authentication (MFA) whenever prompted
Though MFA is not unhackable, requiring users to provide something they know (a password) plus something they are (biometrics) or something they have (smartphone token) will deter most criminals.
Bonus Pro-tip: When you receive an authentication push on your second device, make sure it truly came from your own attempt to access an application. We’re seeing cyberattacks that bypass MFA through “prompt bombing”, an annoying cyber tactic that relies on MFA fatigue to get a user to approve a prompt they did not initiate or click on a malicious link. This is yet another way criminals take advantage of human behavior to gain unauthorized access into an organization.
The Risk of Darknet Exposure
SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII.
Our Check Your Exposure tool offers detailed insight into your personal and company risk. While knowing if your password is exposed on the darknet is important, cybercriminals unfortunately have access to so much more than that. With our new tool, you can see just some of these key risk indicators:
Company exposures
The number of times any email address from your domain has appeared in data breach or malware records recaptured by SpyCloud from the darknet. These could be exposures with or without passwords and sensitive PII. This matters because when your employees’ data is exposed, whether in a third-party breach or siphoned by a malware infection, your organization’s risk of account takeover, fraud and follow-on attacks like ransomware increases.
Exact password reuse
This is a measure of duplicate passwords within the set of your employees’ exposed passwords recaptured by SpyCloud from the darknet. In other words, the number of non-unique passwords over the total number of exposed passwords for users associated with your domain. Once a criminal acquires an employee’s login credentials for one site, they automate credential stuffing attacks for a variety of other sites, in hopes that the individual reuses passwords often. Employees who reuse passwords make it easy for criminals to find an entry point into the organization.
Number of breach appearances
This is the number of third-party breaches in which your employees’ data has been exposed. Even if an employee has only appeared in one breach, if they’re reusing the same credentials across multiple sites, criminals have a potential entry point to other corporate applications. While your employees appearing in a third-party breach is outside of your organization’s control, what you can do is react quickly to SpyCloud alerts of new exposures by automating the remediation of matching credentials.
Malware-infected employee records
When your employees’ email addresses appear in botnet logs, this indicates an infostealer malware infection on managed or unmanaged device(s) they are using to access corporate applications. These high-severity exposures make your enterprise vulnerable to ransomware attacks and other critical threats.
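The four risk indicators above can be computed from a set of exposure records, which makes their definitions concrete. The following is an added example, not SpyCloud’s code or data: it assumes a constructed record format (one record per email address and source, with a source type of breach or malware) and follows the page’s definition of exact password reuse as non-unique passwords over total exposed passwords.

```python
from collections import Counter

# Constructed exposure records for a fictional domain (not SpyCloud data).
# One record per (email, source) pair; "password" is None when the source had no password.
RECORDS = [
    {"email": "alice@example.com", "source": "shopsite-2021", "source_type": "breach", "password": "Summer2021!"},
    {"email": "alice@example.com", "source": "forum-2022", "source_type": "breach", "password": "Summer2021!"},
    {"email": "bob@example.com", "source": "shopsite-2021", "source_type": "breach", "password": "Summer2021!"},
    {"email": "bob@example.com", "source": "stealer-log-0415", "source_type": "malware", "password": "bobs-corp-vpn-pw"},
    {"email": "carol@example.com", "source": "forum-2022", "source_type": "breach", "password": None},
    {"email": "dave@partner.net", "source": "forum-2022", "source_type": "breach", "password": "Summer2021!"},
]


def domain_records(records: list[dict], domain: str) -> list[dict]:
    """Only records whose email address belongs to the monitored domain."""
    return [r for r in records if r["email"].lower().endswith("@" + domain.lower())]


def company_exposures(records: list[dict], domain: str) -> int:
    """Company exposures: every breach or malware record for the domain, with or without a password."""
    return len(domain_records(records, domain))


def exact_password_reuse(records: list[dict], domain: str) -> float:
    """Exact password reuse: non-unique passwords over total exposed passwords for the domain."""
    pws = [r["password"] for r in domain_records(records, domain) if r["password"]]
    if not pws:
        return 0.0
    counts = Counter(pws)
    non_unique = sum(n for n in counts.values() if n > 1)  # every copy of a duplicated password
    return non_unique / len(pws)


def breach_appearances(records: list[dict], domain: str) -> dict[str, int]:
    """Number of distinct third-party breaches each employee has appeared in."""
    seen: dict[str, set] = {}
    for r in domain_records(records, domain):
        if r["source_type"] == "breach":
            seen.setdefault(r["email"], set()).add(r["source"])
    return {email: len(sources) for email, sources in seen.items()}


def malware_infected(records: list[dict], domain: str) -> set[str]:
    """Employees whose addresses appear in infostealer/botnet logs (high-severity exposures)."""
    return {r["email"] for r in domain_records(records, domain) if r["source_type"] == "malware"}


if __name__ == "__main__":
    d = "example.com"
    print(company_exposures(RECORDS, d), exact_password_reuse(RECORDS, d),
          breach_appearances(RECORDS, d), malware_infected(RECORDS, d))
```

Note that dave@partner.net is excluded from every indicator because the address is not on the monitored domain.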
SpyCloud’s solutions extend beyond employees to truly monitor and secure your entire attack surface. In addition to monitoring for employee credentials, we also offer solutions that automatically monitor and alert you when an executive’s passwords or third-party vendor credentials are exposed, allowing you and your team to leverage this actionable data to remediate properly.
Armed with this information and knowing it’s the same data that cybercriminals have and use, you can take immediate action to prevent account takeover, ransomware attacks, and online fraud.