2016 Breach Roundup

Every year, it seems, breaches are more frequent and much bigger. Compared with previous years, 2016 saw a dramatic increase in the number of attacks that exploited leaked credentials.

Being just past the year’s end, we at VeriClouds have decided that now is the time to recap the most notable breaches. In this post we look at the statistics behind leaked-credential attacks and at their impact on companies and individuals.

Leaked Credentials

These are the most notable breaches that made the news in 2016. Note that several of them happened years earlier and only came to light (or only went on sale) in 2016; the year shown is the year of the compromise, not of its disclosure.

Company     Year of compromise    Credentials exposed
Yahoo       2013                  1,000,000,000
Yahoo       2014                    500,000,000
LinkedIn    2012                    117,000,000
Myspace     2013                    427,000,000
Tumblr      2013                     65,000,000
Dropbox     2012                     68,000,000

Two billion, one hundred seventy-seven million (2,177,000,000) sets of credentials compromised, obtained in only six breaches.

The Yahoo breaches are by far the largest and most publicized capture of credentials to date. Between them, 1.5 billion email logins and passwords were exposed and likely sold to persons with criminal intentions.

After the LinkedIn breach in 2012, the hackers posted 6.5 million password hashes online; the full set of 117 million accounts surfaced for sale in 2016.

In the Myspace breach, the hackers posted username and password combinations in a hacker online forum.

The hackers responsible for the Tumblr breach made off with 65,000,000 email addresses and passwords.

The Dropbox hackers obtained files with email addresses and hashed passwords (a mix of bcrypt and salted SHA-1, which is why Dropbox forced a reset rather than treating the passwords as exposed in the clear).

Password Security – A Growth Industry

What can we expect in the near future? Steve Morgan, Founder & Editor-in-Chief of Cybersecurity Ventures, posted the following report on LinkedIn:

“Thycotic, a provider of privileged account management (PAM) solutions, and Cybersecurity Ventures, a leading research and market intelligence firm, released a joint market report that evaluates the current and future state of password security. The report found that the total number of user and privileged accounts that will be at risk, including a combination of human and machine passwords, will surpass 300 billion passwords by 2020.

According to the report, more than 3 billion user credentials and passwords were stolen in 2016, with 8.2 million passwords being stolen every day and approximately 95 passwords stolen every second. Through data analysis, security experts at Thycotic and Cybersecurity Ventures concluded the potential for up to $6 trillion in cybercrime damages by 2021. While there is clearly a margin of error based on several variables—most notably the number of Internet of Things (IoT) devices—Cybersecurity Ventures and Thycotic believe that the password attack surface will inevitably grow by an order of magnitude over the next four years.”

The Power of Compromised Credentials

Breaches are particularly damaging when they are not discovered until years later.

Compounding the problem of delayed discovery is the all too common habit of reusing passwords. Password reuse makes the hackers’ efforts both easier and more rewarding: one leaked pair opens every site where the same combination was used. It’s not just VeriClouds singing this tune. An article on Betanews.com makes this observation:

“Employees that reuse corporate emails and passwords put their organization at risk following a breach by the lack of security that stems from using credentials that have been compromised. A new report has found that amongst the largest 1,000 organizations worldwide, there are over five million leaked credentials on the web that could be used by attackers to gain access to sites or even launch new attacks.”

For a corporation, protecting itself means knowing if and when employees’ credentials have been compromised. Detecting the compromise promptly is critical so the affected credentials can be restricted or changed; that renders them harmless and defeats the account takeover before it succeeds. The check has to cover both the bare password (is it known-bad anywhere?) and the exact email-and-password pair (is this account itself in a dump?), and it must not send the employee’s plaintext password to whoever holds the breach corpus.
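The following is an added example of how such a compromised-credential check can be built so that the party holding the breach corpus never sees a full password or a full hash. It is illustrative code written for this post, not VeriClouds’ product code, and it uses a constructed sample dump rather than real breach data. The k-anonymity range query (hash locally, send only a 5-character prefix, match the suffix on the client) is the scheme the public Pwned Passwords API uses; the action names returned by `evaluate_login` are hypothetical.

```python
import hashlib
from typing import Dict, Iterable, Tuple

# Constructed sample dump (not real breach data): (email, plaintext password)
# pairs as they would come out of a cracked dump. Mixed-case emails are
# deliberate, to show normalization.
CONSTRUCTED_DUMP = [
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "123456"),
    ("carol@example.com", "123456"),
    ("Dave@Example.COM", "linkedin2012"),
    ("erin@example.com", "123456"),
]

PREFIX_LEN = 5  # 5 hex chars = 2^20 buckets; the service never sees the full hash


def normalize_email(email: str) -> str:
    return email.strip().lower()


def sha1_hex(secret: str) -> str:
    # SHA-1 is used only as a lookup key for the range query, not as a
    # password-storage hash (it is what the Pwned Passwords API keys on).
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Service side: leaked secrets bucketed by hash prefix, with hit counts."""

    def __init__(self, secrets: Iterable[str]) -> None:
        self.buckets: Dict[str, Dict[str, int]] = {}
        for secret in secrets:
            digest = sha1_hex(secret)
            prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
            bucket = self.buckets.setdefault(prefix, {})
            bucket[suffix] = bucket.get(suffix, 0) + 1

    def range_query(self, prefix: str) -> Dict[str, int]:
        """The only operation exposed to clients: every suffix in one bucket."""
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be %d upper-case hex characters" % PREFIX_LEN)
        return dict(self.buckets.get(prefix, {}))


def build_indexes(dump: Iterable[Tuple[str, str]]) -> Tuple[BreachIndex, BreachIndex]:
    """One index over bare passwords, one over normalized email:password pairs."""
    dump = list(dump)
    password_index = BreachIndex(pw for _, pw in dump)
    pair_index = BreachIndex(f"{normalize_email(e)}:{pw}" for e, pw in dump)
    return password_index, pair_index


def times_seen(index: BreachIndex, secret: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = sha1_hex(secret)
    return index.range_query(digest[:PREFIX_LEN]).get(digest[PREFIX_LEN:], 0)


def evaluate_login(password_index: BreachIndex, pair_index: BreachIndex,
                   email: str, password: str) -> str:
    """Policy applied at login time (hypothetical action names)."""
    if times_seen(pair_index, f"{normalize_email(email)}:{password}"):
        return "block_and_force_reset"      # this exact pair is in a dump: assume takeover is underway
    if times_seen(password_index, password):
        return "allow_then_require_change"  # password is known-bad, but this pair is not
    return "allow"


if __name__ == "__main__":
    pw_idx, pair_idx = build_indexes(CONSTRUCTED_DUMP)
    print(evaluate_login(pw_idx, pair_idx, "dave@example.com", "linkedin2012"))
    print(evaluate_login(pw_idx, pair_idx, "frank@example.com", "123456"))
```

The pair index is what turns a generic “this password is weak” signal into “this account is about to be taken over”, which is the case that warrants blocking rather than nagging. With a real corpus of hundreds of millions of hashes each 5-character bucket still holds a few hundred suffixes, so the service learns nothing useful about which one the client wanted.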

Compromised Credentials in Action

The following four accounts of attacks using previously compromised credentials confirm a growing trend in attack vectors. Such attacks, now commonly called credential stuffing, are under-reported because, until recently, many companies never worked out how the attack had been carried out.

Twitter

In 2016, millions of Twitter logins were offered for sale, and Twitter had to explain that its own security systems had not been breached. The account takeovers succeeded because the attackers already held valid credentials from other leaks.

“We are confident that these usernames and credentials were not obtained by a Twitter data breach – our systems have not been breached. In fact, we’ve been working to help keep accounts protected by checking our data against what’s been shared from recent other password leaks,” a Twitter spokesperson said.

Fitbit

Cybercriminals allegedly used leaked email addresses and passwords from third-party sites to log into accounts of Fitbit wearable device users.

“This is not a case of Fitbit emails or servers being hacked, and it would be inaccurate to state or imply otherwise. Our investigation found that the accounts were accessed by an unauthorized party using previously stolen or compromised credentials – email addresses and passwords – from other third-party sites unrelated to Fitbit.”

Carbonite

The Carbonite statement released after the attack was discovered:

“As part of our ongoing security monitoring, we recently became aware of unauthorized attempts to access a number of Carbonite accounts. This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked. The attackers then tried to use the stolen information to access Carbonite accounts.”

Citrix GoToMyPC

The following is excerpted from a scmagazine.com article.

Hackers used login information to launch a “sophisticated password attack” to log into Citrix’s GoToMyPC user accounts, according to a company blog post.

“The attack method appears to be a similar approach to the recent large-scale effort used to access GitHub accounts last week. Attackers used credentials attained through stolen password repositories to gain access to user accounts of the web-based code hosting platform.” The GitHub attackers used “lists of email addresses and passwords from other online services that have been compromised in the past,” the company said.

Breach Impacts

Companies that fall victim to a breach must spend considerable time determining the extent of the damage. “Damage” may mean a tainted public reputation, lost revenue and increased expenses. Many companies (though not all) then find it necessary to make an unplanned investment in improved security.

Sorting out the right strategy for managing the damage adds another level of complexity. The company must figure out whether the stolen information is unique, re-posted from an earlier leak, or simply outdated (a password the user has since changed). It is estimated that 10% or more of all leaked credentials are duplicates.

Figuring out whom to notify after a breach, without triggering unnecessary alarm, can be a very difficult undertaking. The one thing an organization can check that nobody else can is whether a leaked password is still the user’s current password.
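As an added example of that triage (written for this post, not VeriClouds’ or any vendor’s code), the block below takes a newly obtained dump in the common `email:password` line format and sorts each record against the organization’s own user store: already seen in an earlier dump or duplicated within this one (re-posted), not one of our users, an outdated password that no longer verifies, or an active match that needs a forced reset and a notification today. The user store, the earlier-dump fingerprints and the dump itself are all constructed; PBKDF2 with 50,000 iterations stands in for whatever password hash the organization really uses.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple

ITERATIONS = 50_000           # PBKDF2 work factor for this example; production would use bcrypt/scrypt/Argon2
ORG_DOMAIN = "example.com"    # assumed: only addresses in this domain can be our users


def normalize_email(email: str) -> str:
    return email.strip().lower()


def hash_password(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(actual, expected)


def fingerprint(email: str, password: str) -> str:
    """Identity of one leaked pair, used to spot re-posts and duplicates across dumps."""
    return hashlib.sha256(f"{normalize_email(email)}:{password}".encode("utf-8")).hexdigest()


# Constructed organization user store (not real users): current password hashes.
USER_STORE: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": hash_password("Summer2016!"),  # still uses the leaked password
    "bob@example.com":   hash_password("Tr0ub4dor&3"),  # rotated since the leak
    "carol@example.com": hash_password("123456"),
}

# Fingerprints of pairs already handled from earlier dumps (constructed).
ALREADY_KNOWN: Set[str] = {fingerprint("erin@example.com", "qwerty")}

# Constructed "new" dump in the usual email:password line format, including a
# mixed-case address, an exact duplicate, an outsider and a malformed line.
CONSTRUCTED_DUMP = """
alice@example.com:Summer2016!
Bob@Example.com:hunter2
carol@example.com:123456
carol@example.com:123456
erin@example.com:qwerty
zoe@other.example:letmein
this line has no separator
""".strip().splitlines()


def triage(dump_lines, user_store: Dict[str, Tuple[bytes, bytes]],
           already_known: Set[str], domain: str) -> Dict[str, List[str]]:
    result: Dict[str, List[str]] = {
        "active": [], "outdated": [], "reposted": [], "not_our_user": [], "unparseable": [],
    }
    seen = set(already_known)                      # copy: do not mutate the caller's set
    for line in dump_lines:
        email, sep, password = line.partition(":")  # passwords may contain ':', emails may not
        if not sep or "@" not in email:
            result["unparseable"].append(line)
            continue
        email = normalize_email(email)
        fp = fingerprint(email, password)
        if fp in seen:
            result["reposted"].append(email)        # nothing new: already handled or duplicated
            continue
        seen.add(fp)
        if not email.endswith("@" + domain) or email not in user_store:
            result["not_our_user"].append(email)
        elif verify_password(password, *user_store[email]):
            result["active"].append(email)          # notify and force a reset now
        else:
            result["outdated"].append(email)        # leaked password is no longer valid here
    return result


if __name__ == "__main__":
    for category, emails in triage(CONSTRUCTED_DUMP, USER_STORE, ALREADY_KNOWN, ORG_DOMAIN).items():
        print(category, emails)
```

Only the `active` list justifies an urgent notification; the `outdated` users changed their password already and need at most a reminder not to reuse the old one elsewhere, and the `reposted` share is exactly the duplicate fraction the paragraph above refers to. Verifying a leaked plaintext against a stored hash is as expensive as a login, so a large dump should be filtered by domain and fingerprint first, as the code does, before any hashing is done.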

Breach Consequences

Acquiring compromised passwords and login IDs is not a threat actor’s end game. The payoff comes when the compromised credentials are used to access accounts that hold sensitive information. Sometimes it is about money, sometimes the motive is more obscure.

$$$ Gone

The Yahoo deal with Verizon for $4.83 billion was renegotiated after the latest breach disclosures. Geekwire.com reported on Feb. 21st that Verizon closed the deal at $4.48 billion. That is a reduction of $350 million and gives one benchmark for what we may call the current cost of a breach.

Privacy Lost

Some individuals, perhaps high-profile, may have a membership they would prefer to keep private. Breached accounts mean there is no such thing as privacy.

Data Loss

Companies lose confidential information either through its being published or through its being destroyed. Sometimes extortion follows and a ransom is paid to get the information back.

ABOUT VERICLOUDS

VeriClouds serves as a trusted security advisor to the Global 500 and other progressive enterprises, helping to safeguard their most important assets and improve their overall security posture. We have domain expertise in several vertical industries. Our industry-specific methodologies and assessments are aligned with our core competencies:

  • Account Security
  • Social Engineering Breach Assessment
  • Penetration Testing

Check out our Compromised Credentials, Social Engineering and Penetration Testing services.
