Password-based authentication has long been known to be less secure than other methods such as multi-step verification or biometrics, but a massive leak of a staggering 87GB of 772.9 million emails, 21.2 million passwords and 1.1 billion email address and password combinations recently shared on hacking forums has brought the inherent weaknesses of password authentication into sharp focus.
What Leak?
The massive leak of 2.6 billion rows of data from 12,000 files dubbed Collection #1 onto hacking forums was revealed in a blog post by security researcher Troy Hunt, who is most well-known for managing the ‘Have I Been Pwned’ service.
In his post, Mr Hunt said that the leaked personal data is a set of email addresses and passwords totalling 2,692,818,238 rows and is made up of many different data breaches from thousands of different sources. The data contains 772,904,991 unique email addresses, and 21,222,975 unique passwords, all of which can be put into 1,160,253,228 unique combinations.
Risks
Clearly, Mr Hunt has an interest in publicising the existence of Collection #1 and the fact that it has been incorporated into his service to help publicise the ‘Have I Been Pwned’ service, but as Mr Hunt points out, if your password/email combinations are part of the collection and have not been changed since, you could face some serious risks. For example:
- Credential stuffing attacks. In this case, 2.7 billion of the username and password combinations could be put into a list and used for credential stuffing. This is where cyber-criminals rely on the fact that people may use the same username and password combinations for multiple websites, and therefore, the criminals use software to automate the process of trying the breached username/password pairs on many other websites to see if they can gain access.
- Phishing attacks. The stolen credentials can be used to automatically send malicious emails to a victim’s list of contacts.
- Targeted digital identity attacks. The breached credentials can be used in targeted attacks designed to steal a victim’s entire digital identity or steal their money or even to compromise their social media network data.
What Does This Mean For Your Business?
This story highlights the importance of always using strong passwords that you change on a regular basis. Also, it highlights the importance of not using the same usernames and passwords on multiple websites as this can provide an easy route to your data for criminals using credential stuffing.
Managing multiple passwords in a way that is secure, effective, and doesn’t have to rely on memory is difficult, particularly for businesses where there are multiple sites to manage. One tool that can help is a password manager. Typically, these can be installed as browser plug-ins that are used to handle password capture and replay, and when logging into a secure site, they offer to save your credentials. On returning to that site, they can automatically fill in those credentials. Password managers can also generate new passwords when you need them and automatically paste them into the right places, as well as being able to sync your passwords across all your devices. Examples of popular password managers include Dashline, LastPass, Sticky Password, and Password Boss, and those which are password vaults in other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.
If you’re worried that people in your organisation may be using passwords that have been stolen, Troy Hunt has provided a list of them here: https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/ and provides some answers to popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/