Hey everyone, Steve here again, and I’ve been doing some thinking…
The thing about Uber’s data breach that the pundits are overlooking is this:
In the case of a hacker MFA bombing an Uber employee in the middle of the night, wouldn’t the first factor need to be compromised first?
If an MFA prompt comes before entering a password, or is “passwordless” and doesn’t require one at all, then that needs to be called out as an ineffective security posture as well.
Ergo, a credential must have been involved in the authentication sequence somewhere. We don’t know yet whether that credential was compromised, leaked, stolen, etc…
Who cares if the hacker was 18 or 58?
A lot of the pundits and social media that I have been reading today point out that the hacker professed to be 18 years old. They point out that admin credentials were stored in PowerShell scripts or in plain text. I do not condone this practice, which made the blast radius of this hack much larger than it needed to be.
Another thing we know is that there are 2,184 compromised credentials from the Uber.com domain in the VeriClouds database, with at least 625 of them newly reported since 9-Sept, 2022. (Obviously masked and encrypted for privacy. Why?) I may be wrong, but one of those leaked credentials must have been used by the 18yo hacker to assist in bypassing the MFA controls that were supposed to protect the company from such attacks.
The bottom line
The bottom line is this. Identity threat intelligence complements MFA and passwordless solutions. To be more precise: CredVerify provides identity threat intelligence for stronger authentication and helps stop preventable data breaches.
What you can do about it
No doubt vendors will come around and try to help you. (VeriClouds is also a vendor; we can help you too!) Journalists will no doubt recommend that you search Have I Been Pwned to see if your email was involved in this or any other breach. I wrote a blog post on Medium a while back called “Why ‘Have I Been Pwned’ is not a security solution (And it never will be)”, wherein I outline reasons why relying on HIBP is not going to help you or your organization, and in fact may do more harm than good.
We at VeriClouds believe that cybersecurity leaders need to be proactive in integrating cyber threat intelligence into their authentication modules and identity systems. Being proactive protects users and their data before the harm is done, and can potentially help organizations avoid large fines and reputational damage, too.
Join me for a conversation with VeriClouds founder and CEO, Stan Bounev, and Richard Bird AKA “The guy with the bow-tie” to discuss how organizations should be thinking about and acting on ITDR with more urgency. All are welcome and can register here.
If you have questions or just want to hit back at me, send me an email at stevet at vericlouds dot com, follow me on Twitter @SteveTout or schedule time on my calendar here.