Every year it seems, the breaches are more frequent and so much bigger. There has been a dramatic increase in the number of attacks, over previous years, that exploited leaked credentials.
Being just past the year’s end, we at VeriClouds have decided that now is the time to recap the most notable breaches. In this post, we will slice and dice some of the statistics of leaked credentials attacks, and reveal what we can about the impacts on companies and individuals.
These are the most notable breaches that made the news in 2016.
| Company | When it Happened | # Credentials Lost |
|---|---|---|
2,177,000,000 sets of credentials compromised, obtained in only six attacks.
The Yahoo breaches are by far the largest and most publicized capture of credentials to date. 1.5 billion email logins and passwords have been exposed and likely sold to persons with criminal intentions.
After the LinkedIn breach in 2012, the hackers posted 6.5 million credentials online.
In the Myspace breach, the hackers posted username and password combinations in a hacker online forum.
The hackers responsible for the Tumblr breach made off with 65,000,000 email addresses and passwords.
The Dropbox hackers obtained files with email addresses and “hashed” passwords.
Password Security – A Growth Industry
What can we expect in the near future? Steve Morgan, Founder & Editor-in-Chief of Cybersecurity Ventures, posted the following report on LinkedIn.
“Thycotic, a provider of privileged account management (PAM) solutions, and Cybersecurity Ventures, a leading research and market intelligence firm, released a joint market report that evaluates the current and future state of password security. The report found that the total number of user and privileged accounts that will be at risk, including a combination of human and machine passwords, will surpass 300 billion passwords by 2020.
According to the report, more than 3 billion user credentials and passwords were stolen in 2016, with 8.2 million passwords being stolen every day and approximately 95 passwords stolen every second. Through data analysis, security experts at Thycotic and Cybersecurity Ventures concluded the potential for up to $6 trillion in cybercrime damages by 2021. While there is clearly a margin of error based on several variables—most notably the number of Internet of Things (IoT) devices—Cybersecurity Ventures and Thycotic believe that the password attack surface will inevitably grow by an order of magnitude over the next four years.”
The Power of Compromised Credentials
Breaches are particularly damaging when they are not discovered until years later.
Compounding the problem of delayed discovery is the all too common habit of reusing passwords. Password reuse makes the hackers’ efforts both easier and more rewarding. It’s not just VeriClouds singing this tune. An article on Betanews.com makes this observation –
For a corporation, protecting yourself means knowing if and when your employees’ credentials have been compromised. It is critical to detect when the compromise occurs so the credentials can be restricted or changed. This will render the credentials harmless and prevent the account takeover attack from succeeding.
Compromised Credentials in Action
The following four accounts of attacks using previously compromised credentials confirm a growing trend in cyber attack vectors. These types of exploits are not commonly reported because, until recently, many companies never realized how the attack was launched.
Twitter accounts were hijacked in 2016, and Twitter had to explain that its own security systems were not hacked: the attack succeeded because the hacker had valid credentials.
Cybercriminals allegedly used leaked email addresses and passwords from third-party sites to log into accounts of Fitbit wearable device users.
The Carbonite statement released after the attack was discovered:
The following is excerpted from a scmagazine.com article.
Hackers used login information to launch a “sophisticated password attack” to log into Citrix’s GoToMyPC user accounts, according to a company blog post.
Companies that are the victim of a breach are compelled to spend hours determining the extent of the damage. “Damage” may mean a tainted public reputation, lost business revenue and increased expenses. Many companies, though not all, find it necessary to make an unplanned investment in improved security.
Sorting out the right strategy for managing the damage is yet another level of complexity. The company must figure out whether the stolen information is unique, re-posted, or perhaps outdated. It is estimated that 10% or more of all leaked credentials are duplicates.
Figuring out whom to notify after a breach, without causing unnecessary alarm, can be a very difficult undertaking.
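As an added illustration of the detection step described above (not VeriClouds' code, and not based on any real dump), the following Python indexes a constructed leaked-credential sample, collapses the duplicate records that the post says make up a tenth or more of leaks, and classifies a login attempt so the account can be forced to reset; every e-mail address and password in it is made up.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample of a leaked-credential dump (not real data). Each line is
# "email:secret", where secret is a plaintext password or, as in dumps that
# only leaked hashed passwords, a SHA-1 hex digest.
SAMPLE_DUMP = """\
Alice@Example.com:Summer2016!
bob@example.com:hunter2
alice@example.com:Summer2016!
carol@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
bob@example.com:hunter2
dave@example.com:qwerty
"""

SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")

def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest()

def load_dump(text: str):
    """Build {email: {sha1 hex, ...}} from a dump, normalizing e-mail case
    and collapsing duplicate records. Returns (index, total, duplicates)."""
    index = defaultdict(set)
    total = duplicates = 0
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, secret = line.strip().split(":", 1)
        email = email.lower()
        # Keep already-hashed entries as-is; hash plaintext so the index
        # never stores clear-text passwords.
        digest = secret.lower() if SHA1_HEX.match(secret.lower()) else sha1_hex(secret)
        total += 1
        if digest in index[email]:
            duplicates += 1
        else:
            index[email].add(digest)
    return index, total, duplicates

def check_login(email: str, password: str, index) -> str:
    """Classify a login attempt: the account should be forced to reset when
    the submitted password matches a leaked one for the same e-mail."""
    hashes = index.get(email.strip().lower())
    if not hashes:
        return "clean"
    if sha1_hex(password) in hashes:
        return "compromised"
    return "email_in_leak"
```

In a real deployment the comparison would run against the organisation's own subscribed leak feed at login time, and an "email_in_leak" result is still worth a notification because it signals password reuse risk.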
Acquiring compromised passwords and login IDs is not a threat actor’s end game. The payoff comes when the compromised credentials are used to access accounts that hold sensitive information. Sometimes it is about money, sometimes the motive is more obscure.
The Yahoo deal with Verizon for $4.83 billion was renegotiated after the latest breach. Geekwire.com reported on Feb. 21st that Verizon closed the deal at $4.48 billion. That is a reduction of $350 million and sets the bar for what we may call the current cost of a breach.
Some individuals, perhaps high-profile, may have a membership they would prefer to keep private. Breached accounts mean there is no such thing as privacy.
Companies lose confidential information either through it being published or destroyed. Sometimes extortion is used and a ransom is paid to get the information back.
VeriClouds serves as a trusted security advisor to the Global 500 and other progressive enterprises, helping to safeguard their most important assets and improve their overall security posture. We have domain expertise in several vertical industries. Our industry-specific methodologies and assessments are aligned with our core competencies:
- Account Security
- Social Engineering Breach Assessment
- Penetration Testing
Check out our Compromised Credentials, Social Engineering and Penetration Testing services.