Another day, another digital “hack.” Okay, that’s clearly an exaggeration, but we’re only halfway through 2016, and we’ve already seen an unprecedented number of high-profile data breaches occur.
Ransomware became mainstream as thieves devised craftier methods of hitting their targets, and businesses began to experience what it’s like to have your data literally held hostage. And pay they did, including Hollywood Presbyterian Hospital, which shelled out a $17,000 ransom to regain access to their highly sensitive healthcare files.
LinkedIn hit the hacking news — again — when it was revealed that the hacker Peace (remember that name) was shopping the emails and passwords of more than a hundred million LinkedIn users on the dark web.
Not even the IRS got away unscathed, reporting during tax season that an automated hack had been stopped, one which saw cyber criminals using previously stolen social security numbers and other personal data to generate the PINs needed for online income tax filing (and access).
And, in what feels like the insult to end all insults, top — and we mean TOP — tech executives were targeted, with hacking group OurMine cracking the social media accounts of Mark Zuckerberg (CEO and co-founder of Facebook), Sundar Pichai (CEO of Google), Jack Dorsey (CEO and co-founder of Twitter), and Marissa Mayer (CEO of Yahoo).
Speaking of Yahoo…
Well, Yahoo is in the news again, and not just for its recent $4.8 billion sale to Verizon Communications. Yahoo’s joined the ranks of LinkedIn and MySpace and so many others: it’s been hacked. And remember that hacker Peace we mentioned above? Not only is he behind this recent dark web information “dump and sale,” he’s the same hacker behind the LinkedIn data release, as well as what’s being called the biggest hack in the history of cybercrime: MySpace.
Don’t scoff. While MySpace might not have taken off as a successful social platform, success, as we know, is relative. According to a recent TechCrunch article, “…(reports say) that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale.”
Not only that, but that stolen data was from a time when security around log-in authentication and Customer Identity Management processes didn’t even come close to where we are today. And that’s where the problems lie.
How is Stolen Password Information Used?
The reason cybercriminals purchase stolen login and password data from the dark web is no different than any “business” purchase, really: return on investment. Reporting on a recent experiment using the dark web, Infosecurity Magazine revealed how the ripple effect of stolen personal data works. In the experiment, a digital identity for a fictitious bank employee was created. There was also a fake functional web portal for the bank and a Google Drive account. The team then leaked “phished” Google Apps credentials to the dark web and waited and watched. It didn’t take long (italics ours): “There were five attempted bank logins and three attempted Google Drive logins within the first 24 hours; and the first file was downloaded within 48 hours of leaking the credentials… Overall, almost all (94%) of hackers who accessed the Google Drive uncovered the victim’s other online accounts and attempted to log into the bank web portal. About 12% of hackers who successfully accessed the Google Drive attempted to download files with sensitive content. And several cracked encrypted files after download.” Stealing passwords is never just about accessing someone’s private emails. It’s about the scope of damage that can be done with that information, far beyond a Yahoo or Gmail account.
The reason we here at Gigya are working so hard to break people’s (and companies’) reliance on password- and PIN-driven Customer Identity Management couldn’t be clearer. From the beginning of time, where there has been prosperity, there has been crime. That’s never going to change. What must change, however, is how we protect our sensitive online data. Old-school passwords and email logins just don’t cut it in today’s rapidly evolving tech world. If you would like to learn more about what we can do to help your clients remain secure online, check out our Registration-as-a-Service as a way to move beyond passwords and secure your customers’ data.
By Jason Rose