Last week an astounding 700 million logins and passwords were discovered when a misconfigured spam server leaked them on the internet. Research on the massive database by security analyst Troy Hunt of Have I Been Pwned fame indicates that the data is likely an aggregation of many previous breaches as well as various “dark net” databases. Ironically, the database was so easily accessed that it is likely it was downloaded an unknown number of times by both white and black hat hackers. On top of this massive database dump comes another very large breach and leak from website Taringa, billed as Latin America’s largest social network, with more than 28 million logins and passwords exposed in an encrypted (now cracked and decrypted) database.
What exactly are they doing with all these passwords?
If the actual process of stealing your identity weren’t so resource intensive and relatively tricky, you can bet a lot more of us would be lined up at the local Federal building to get a new Social Security number right after spending thousands of dollars to repair our credit and hundreds of hours trying to reclaim our digital lives. Instead, they are going for a much easier target of just stealing your email account, which they then use to spew more spam, phishing and malware traps. They have to do this as email filters are getting very good at spotting spoofed and fake email addresses, but your company email account is the perfect Trojan horse for getting past the guards at the gate. The real trick is doing it without being noticed.
One method that I’ve encountered several times is using rules to delete the evidence of their presence – a rule that automatically deletes sent emails, and if they are clever, any non-delivery or out of office replies a mailbox would normally receive in the course of spamming out hundreds of fake email messages every day. Fortunately for my clients afflicted by this nuisance, it’s easy to spot as the bot handlers are typically very careless when setting up the rules, usually deleting ALL emails coming and going, which is painfully obvious after a few hours.
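The rule-abuse pattern described above can be hunted for rather than stumbled upon. The following is an added example, not code from the original post: a small triage routine run over exported mailbox rules that flags the tell-tale combinations (delete or hide with no condition, act on sent mail, hide bounce and out-of-office replies, forward outside the organisation). The rule records are constructed, and the field names (`applies_to_sent`, `move_to_folder`, and so on) are assumptions standing in for whatever an administrator's export actually contains, not any vendor's schema.

```python
"""Triage exported mailbox rules for the evidence-hiding pattern a hijacked
account's operator sets up.

Added example, not code from the original post. The rule records below are
constructed to resemble an administrator's export; the field names are
assumptions, not any mail vendor's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Phrases typical of bounce and auto-reply traffic a spammer wants hidden
# from the mailbox owner.
BOUNCE_MARKERS = ("undeliverable", "delivery status", "failure notice",
                  "out of office", "automatic reply", "mailer-daemon", "postmaster")

# Folders where quietly filed mail is unlikely to be noticed.
HIDING_FOLDERS = {"deleted items", "rss feeds", "rss subscriptions",
                  "junk email", "archive", "conversation history"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    applies_to_sent: bool = False                      # rule acts on outgoing mail
    subject_or_body_contains: List[str] = field(default_factory=list)
    from_contains: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    mark_as_read: bool = False


def triage_rule(rule: InboxRule, internal_domain: str) -> List[str]:
    """Return the reasons a rule looks like takeover tradecraft (empty list if benign)."""
    reasons: List[str] = []
    if not rule.enabled:
        return reasons
    hides = rule.delete_message or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
    keywords = [k.lower() for k in rule.subject_or_body_contains + rule.from_contains]
    if hides and not keywords:
        reasons.append("deletes or hides ALL mail it sees (no condition)")
    if hides and rule.applies_to_sent:
        reasons.append("deletes or hides the user's own sent mail")
    if hides and any(marker in k for k in keywords for marker in BOUNCE_MARKERS):
        reasons.append("hides bounce / out-of-office replies")
    if hides and rule.mark_as_read:
        reasons.append("marks mail read before hiding it (no unread badge)")
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        reasons.append("forwards to external address(es): " + ", ".join(external))
    return reasons


def triage_mailbox(rules: List[InboxRule], internal_domain: str) -> Dict[str, List[str]]:
    """Map rule name -> reasons, for every rule that raised at least one."""
    findings: Dict[str, List[str]] = {}
    for rule in rules:
        reasons = triage_rule(rule, internal_domain)
        if reasons:
            findings[rule.name] = reasons
    return findings


# Constructed sample: one legitimate rule, the careless "delete everything" rule
# the post describes, and a more careful variant that only hides the replies.
SAMPLE_RULES = [
    InboxRule(name="Newsletter filing", subject_or_body_contains=["Weekly digest"],
              move_to_folder="Newsletters"),
    InboxRule(name=".", delete_message=True, applies_to_sent=True),
    InboxRule(name="Cleanup", subject_or_body_contains=["Undeliverable", "Automatic reply"],
              move_to_folder="RSS Feeds", mark_as_read=True,
              forward_to=["dropbox.example@external.example"]),
]

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_RULES, "example.com").items():
        print(f"{name!r}: " + "; ".join(reasons))
```

Rules with a one-character name, no condition and a hide action are the noisy case the post calls "painfully obvious"; the third sample is the quieter variant worth the extra checks, since it leaves ordinary mail flowing and only swallows the replies that would give the game away.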
The much more devious takeover is one that is clearly handled by a skilled human versus an automated script. After confirming access to your email account, they will scan your correspondence and look for likely targets, sending out emails requesting wire transfers, bank withdrawals, resetting of forgotten passwords, etc. While most banks and money managers are typically well-versed in spotting these types of attempts, your employees and vendors may not be, which can lead to some very regrettable transactions. This is how many data breaches start – a hacker pretending to be someone with privileged access successfully fooling someone else with privileged access into resetting a key password.
On the flipside, security researchers are using these gigantic databases to research password behavior and to build websites like Have I Been Pwned to inform and educate people on proper password discipline. They are also planning to use the decrypted login and password pairs to build a database that can be used by websites to check if a new password entered has already been compromised and warn against or prevent the user from using it, a new best practice I wrote about a few weeks back. It will be some time before this new practice comes into widespread usage – until then, you should adhere to the #1 Rule of Passwords: never use a password more than once.
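The "check a new password against known breaches" practice mentioned above works without the website ever handing the candidate password, or even its full hash, to the checking service. This is an added example, not code from the original post or from Have I Been Pwned: it implements a hash-prefix range query, where the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix under that prefix with a breach count, and finishes the match locally. The corpus, its counts and the warn/reject threshold are constructed for illustration.

```python
"""Check a candidate password against a compromised-password corpus without
revealing the password, or its full hash, to the checking service.

Added example, not code from the original post or from Have I Been Pwned.
The corpus and its counts are constructed stand-ins for breach-derived data.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a breach-derived corpus: password -> times seen.
COMPROMISED_CORPUS: Dict[str, int] = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 400_000,
    "Summer2017!": 150,
    "hunter2x": 3,
}

PREFIX_LEN = 5  # hex chars the client sends; 16**5 buckets keeps each answer small


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Service side: bucket every hash by its prefix, storing suffix -> count."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], {})[digest[PREFIX_LEN:]] = count
    return index


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> List[Tuple[str, int]]:
    """Service side: return the whole bucket; the service never learns which suffix matters."""
    return sorted(index.get(prefix.upper(), {}).items())


def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """Client side: send the prefix, match the suffix locally; 0 means not in the corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for candidate_suffix, count in range_query(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def evaluate_new_password(password: str, index: Dict[str, Dict[str, int]],
                          reject_at: int = 100) -> str:
    """Policy hook for a registration or password-change form.

    'reject' when the password has been seen at least `reject_at` times,
    'warn' when it has been seen but fewer times than that, else 'accept'.
    The threshold is a constructed policy choice, not a standard.
    """
    seen = breach_count(password, index)
    if seen >= reject_at:
        return "reject"
    if seen > 0:
        return "warn"
    return "accept"


INDEX = build_range_index(COMPROMISED_CORPUS)

if __name__ == "__main__":
    for pw in ("password", "hunter2x", "wXq7-lamp-orbit-9!"):
        print(pw, breach_count(pw, INDEX), evaluate_new_password(pw, INDEX))
```

In production the same shape applies with a corpus of hundreds of millions of hashes: the prefix partitions it into roughly a million buckets, so each answer stays small while the service only ever sees five hex characters of a hash.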
Image courtesy of Stuart Miles at FreeDigitalPhotos.net