Following the news that 620 million stolen account details from 16 hacked sites have been posted for sale on the dark web today, IT experts commented below.
Jake Moore, Cyber Security Specialist at ESET UK:
“This is typical of what happens once there is a large breach of passwords. After we saw “Collection #1-5” released in the wild last month, this news is sadly inevitable. However, the value of this database is massively reduced once all the users’ passwords are changed as the details cannot be used by anyone wishing to purchase the list.
So, if you’ve owned an account with a password over the last 10 years and you haven’t changed the password in the last 12 months, I would suggest you change it and add two factor authentication right now. Then you can relax in thinking that at least those hackers purchasing your data have wasted their money.”
Ed Macnair, CEO at CensorNet:
“It is now uncomfortably commonplace for hackers to be openly selling data they have harvested online. While the details up for sale in this particular collection may not seem to be the most sensitive, there appear to be no bank details included in the sales listings, this does not matter for the types of attack this data is intended for.
“The details available include email addresses and passwords, which are used for credential stuffing: the method of attack where criminals try the same email and password combinations across multiple accounts. With this method, hackers can access sensitive information such as saved card details linked to certain accounts. They may also use it to crack into company networks, which typically contain more valuable information than a personal account. That this data collection has been specifically organised to be used for credential stuffing attacks highlights how popular and lucrative this type of attack is.
“The size of this particular collection of data is worrying. Consumers and businesses alike will be affected, so it is essential that users who think they have been affected change their passwords, and use a unique password for every account. Businesses should instruct all of their employees to update their login details, and implement authentication requirements so that an employee’s identity is guaranteed when they are logging into company resources. As the volume of these databases continues to increase, this is more important than ever.”
Emmanuel Schalit, CEO at Dashlane:
5-10 years ago, consumer cybersecurity was about protecting your device with and anti-virus software or an anti-spam filter. Today your data is not only on your device, it is in the cloud and the last/only line of defense there is likely to be your passwords.
Encrypted passwords are amongst the data that has been leaked here, and even though they must be cracked before they are able to be used, this still presents a big problem. Passwords are to the digital age what seatbelts were to the auto industry. They protect your identity, finances, and other critical personal information – so should they be cracked and used, all this data could be used for nefarious means.
Given the sheer quantity of this data on sale, we would advise all consumers, not just those affected, to change their passwords immediately, across all of their accounts. For those affected, this is even more important. You may not be able to control the security architecture of the digital services you use every day, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the “containment” doctrine. Best practice password hygiene calls for unique and complex passwords for each and every account, which ensures that if one account is breached, then your other accounts will be secure. Some breaches, as we see here, aren’t discovered or disclosed for months or even years, so in addition to this, changing your passwords regularly is crucial, as you never know when your account might have been exposed.
Ilia Kolochenko, CEO at High-Tech Bridge:
“Without further verification, it rather looks like a secondary offering of breached databases on the black market. The first, thus exclusive and the most expensive sale, usually takes place in confidence and without notice to the breached party. Once multiple databases are grouped to be publicly offered, they are likely sold not for the first time.
The biggest risk of targeted individual attacks against the victims, however, is probably already in the past: now the buyers will likely conduct large-scale phishing and malware campaigns without a high degree of sophistication. Nonetheless, the victims may still face password re-use attacks and therefore should be particularly cautious within the next few months.
Those websites that haven’t yet discovered the breaches themselves should immediately initiate a forensics procedure and talk to their legal advisors to coordinate disclosure imposed by the applicable law. Failure to do so may increase the damages sought by the victims and lead to supplementary monetary penalties by the authorities.”
Gavin Millard, VP of Intelligence at Tenable:
“There appears to be a disconcerting trend developing of combining historic data breaches and packaging them up for sale on the dark web, as was evidenced earlier this year with 773 million records known as Collection #1 published. What is notable about this recent set of data is that there are several breaches from within the last year, some of which have already been publicly reported.
“As credential stuffing attacks are becoming increasingly more common, repositories like this will be invaluable. For instance, dating app and website OKCupid [whose parent company is Match Group Inc] has been dealing with reports from users of their accounts being hacked. The company has denied the claim that their website was compromised making it very likely that the account takeovers users are experiencing are the result of credential stuffing attacks.
“Some companies have taken some novel steps to try to thwart credential stuffing attacks against their users by obtaining the breached data themselves and cross referencing it against their own database. They can then warn users of password reuse or issue a password reset to ensure their accounts are protected from credential stuffing. Individuals can also take such precautions by visiting sites, such as ‘ https://haveibeenpwned.com/ ’ to determine if they’ve an account that has been compromised.
“Of course, the best way to avoid credential stuffing attacks is to always create unique email and password combinations for every account. Doing this manually is untenable hence good practice is to always use a password manager that can create and store complex passwords, and even alert users to compromised passwords found in data breaches.”