Why Old Passwords Still Matter

November 7, 2018 Nate Pruitt

Old or New?

What kind of data do you want to find out has been exposed after your employees’ or customers’ credentials have been compromised? Surprisingly, we frequently hear our prospects say that they only want to see the newest data. After all, there’s not much you can do to protect the old data, right?

While the newest data is, of course, critical, looking only at it fails to take into account data that was critical years ago. Can companies reduce their risk by analyzing both new and old data?

Absolutely. The rationale is simple. As more and more websites and applications require login registration, people simply can’t recall the many unique passwords they use across accounts. To make things easier, they reuse passwords across multiple sites, recycle old passwords and/or make only slight modifications to existing passwords.

Password reuse isn’t an isolated problem. Twenty percent of people admit to reusing passwords and 27 percent say they use a password that is nearly identical to other account passwords. They believe that by changing a single number, using caps or making other similar slight modifications, they have outsmarted the bad guys.


Not so fast. Those criminals may not be smarter than you, but they know what technology to use to make their jobs much easier.

How Criminals Exploit New and Old Passwords

Cyber criminals aren’t what many people envision when they think of online predators. These criminals are good at what they do. They make a living off of their efforts and they use sophisticated tools and technologies to crack passwords at breakneck speed. Some such tools utilize algorithms to analyze personal information scattered amongst public and private accounts, including social media. They can run attacks against thousands of accounts in seconds and do so every minute of every day.


Once a threat actor has successfully compromised an online account, he can usually get a decent return on his investment immediately as well as continually into the future. In a common technique called credential stuffing, criminals load lists of stolen credentials into automated tools that test the stolen passwords against thousands of commercial web or mobile apps and sites. If a person uses the same password on more than one account or recycles old passwords, the criminals are likely to discover it. SpyCloud analyzed some of the most popular credential stuffing tools in our blog post: Criminals are using these tools to “crack” your website.

LinkedIn Breach Wasn’t the End of the Story

One of the more public examples of credential stuffing occurred during the 2012 LinkedIn breach. A Dropbox employee’s LinkedIn password was exposed, and criminals successfully tested it against that employee’s Dropbox account as well.

The threat actors were able to steal not only the original victim’s credentials but 60 million Dropbox users’ credentials as well by infiltrating the corporate network. Those credentials were then sold on the dark web to be re-tested again and again by even more criminals. As TechCrunch put it, “It only took a single reused password to jeopardize millions of customer accounts.”

Here’s the kicker: Those leaked credentials from the LinkedIn breach from 2012 are still being used in credential stuffing attacks with success.
Why? Because so many people reuse those old passwords, rationalizing that the breach was a long time ago and they haven’t used those credentials in years. Criminals anticipate that exact attitude and are patient. Their technology can test and retest new and old passwords indefinitely at massive scale. In effect, threat actors are literally banking on the fact that someone will resurrect an old password because it happens all the time.

Prevention and Damage Control

LinkedIn and Dropbox are big companies and were able to survive such a debacle. They have the resources to recover, even if their brands were somewhat tarnished. However, smaller companies may not share the same fate. One study found that as many as 60% of hacked small- and medium-sized businesses go under within 6 months of a data breach.

The faster companies can discover password exposures, the less damage may occur. They can shut down those accounts indefinitely and force the exposed employee to choose a different and stronger password. They can use software that will ensure all passwords are unique, have never been compromised, and meet NIST guidelines. We recommend using multi-factor authentication and password managers as added layers of protection for both corporate and personal accounts.

Clearly, old data is necessary. The best way for companies to combat the risk is to constantly monitor employees’ and customers’ passwords for exposure. Companies need to have access to data, old and new, to protect their employees and customers from credential stuffing attacks.
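The two points made above, that exposures count no matter how old they are and that a changed digit or capital letter does not make a password new, can be combined into one screening check at password-change time. This is an added example, not SpyCloud's code: the breach records, their labels and the `canonical` and `screen` helpers are constructed for illustration.

```python
import hashlib
import re

# Constructed sample of exposed passwords: (breach label, year, password).
# These are made-up entries, not real breach data.
EXPOSED = [
    ("old-breach-A", 2012, "Sunshine1"),
    ("old-breach-B", 2014, "123456"),
    ("recent-breach-C", 2018, "Harbor!Lights"),
]

def canonical(password: str) -> str:
    """Undo the slight changes users rely on: case, and digits or symbols
    added at the start or end. Falls back to the lowercased input when
    nothing but digits/symbols remains (e.g. "123456")."""
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core or lowered

def _digest(text: str) -> str:
    # Digest keys so the lookup tables do not hold plaintext passwords.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def build_index(records):
    """Index exact and canonical digests; no age cutoff is applied."""
    exact, near = {}, {}
    for label, year, pw in records:
        exact.setdefault(_digest(pw), []).append((label, year))
        near.setdefault(_digest(canonical(pw)), []).append((label, year))
    return exact, near

def screen(candidate: str, index):
    """Return ("exact" | "near" | "clear", [(breach label, year), ...])."""
    exact, near = index
    hits = exact.get(_digest(candidate))
    if hits:
        return "exact", hits
    hits = near.get(_digest(canonical(candidate)))
    if hits:
        return "near", hits
    return "clear", []

INDEX = build_index(EXPOSED)

if __name__ == "__main__":
    for pw in ["Sunshine1", "sunshine2!", "HARBOR!lights7", "quiet-violet-anvil-42"]:
        print(pw, screen(pw, INDEX))
```

A "near" result against a 2012 record is rejected the same way as an exact match from this year, which is the behaviour the old-data argument calls for.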

While educating employees about the risks of reusing, recycling and making only slight changes to passwords is important, there’s no way to ensure everyone will comply. It only takes one employee’s lax security attitude or belief that their password is unique “enough” to compromise the entire company. Taking steps now will ensure your employees, customers, reputation and brand are protected now and into the future.