Following the news that 620 million stolen account details from 16 hacked sites have been posted for sale on the dark web today, IT experts commented below.
Jake Moore, Cyber Security Specialist at ESET UK:
“This is typical of what happens once there is a large breach of passwords. After we saw ‘Collection #1-5’ released in the wild last month, this news is sadly inevitable. However, the value of this database is massively reduced once all the users’ passwords are changed as the details cannot be used by anyone wishing to purchase the list.
So, if you’ve owned an account with a password over the last 10 years and you haven’t changed the password in the last 12 months, I would suggest you change it and add two factor authentication right now. Then you can relax in thinking that at least those hackers purchasing your data have wasted their money.”
Ed Macnair, CEO at CensorNet:
“The details available include email addresses and passwords, which are used for credential stuffing: the method of attack where criminals try the same email and password combinations across multiple accounts. With this method, hackers can access sensitive information such as saved card details linked to certain accounts. They may also use it to crack into company networks, which typically contain more valuable information than a personal account. That this data collection has been specifically organised to be used for credential stuffing attacks highlights how popular and lucrative this type of attack is.
“The size of this particular collection of data is worrying. Consumers and businesses alike will be affected, so it is essential that users who think they have been affected change their passwords, and use a unique password for every account. Businesses should instruct all of their employees to update their login details, and implement authentication requirements so that an employee’s identity is guaranteed when they are logging into company resources. As the volume of these databases continues to increase, this is more important than ever.”
Emmanuel Schalit, CEO at Dashlane:
“Encrypted passwords are amongst the data that has been leaked here, and even though they must be cracked before they are able to be used, this still presents a big problem. Passwords are to the digital age what seatbelts were to the auto industry. They protect your identity, finances, and other critical personal information – so should they be cracked and used, all this data could be used for nefarious means.
“Given the sheer quantity of this data on sale, we would advise all consumers, not just those affected, to change their passwords immediately, across all of their accounts. For those affected, this is even more important. You may not be able to control the security architecture of the digital services you use every day, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the ‘containment’ doctrine. Best practice password hygiene calls for unique and complex passwords for each and every account, which ensures that if one account is breached, then your other accounts will be secure. Some breaches, as we see here, aren’t discovered or disclosed for months or even years, so in addition to this, changing your passwords regularly is crucial, as you never know when your account might have been exposed.”
Ilia Kolochenko, CEO at High-Tech Bridge:
“The biggest risk of targeted individual attacks against the victims, however, is probably already in the past: now the buyers will likely conduct large-scale phishing and malware campaigns without a high degree of sophistication. Nonetheless, the victims may still face password re-use attacks and therefore should be particularly cautious within the next few months.
Those websites that haven’t yet discovered the breaches themselves should immediately initiate a forensics procedure and talk to their legal advisors to coordinate disclosure imposed by the applicable law. Failure to do so may increase the damages sought by the victims and lead to supplementary monetary penalties by the authorities.”
Gavin Millard, VP of Intelligence at Tenable:
“As credential stuffing attacks are becoming increasingly common, repositories like this will be invaluable. For instance, dating app and website OKCupid [whose parent company is Match Group Inc] has been dealing with reports from users of their accounts being hacked. The company has denied the claim that their website was compromised, making it very likely that the account takeovers users are experiencing are the result of credential stuffing attacks.
“Some companies have taken some novel steps to try to thwart credential stuffing attacks against their users by obtaining the breached data themselves and cross-referencing it against their own database. They can then warn users of password reuse or issue a password reset to ensure their accounts are protected from credential stuffing. Individuals can also take such precautions by visiting sites, such as ‘https://haveibeenpwned.com/’, to determine if they’ve an account that has been compromised.
“Of course, the best way to avoid credential stuffing attacks is to always create unique email and password combinations for every account. Doing this manually is untenable, hence good practice is to always use a password manager that can create and store complex passwords, and even alert users to compromised passwords found in data breaches.”
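The cross-referencing step Gavin Millard describes (a service checking leaked email/password pairs against its own user table and forcing a reset where the password is reused) can be implemented without ever storing plaintext. The following is an added example, not code from any of the quoted companies; the user table, the leaked pairs and the PBKDF2 parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed parameters: a real deployment would tune the iteration count
# to its hardware; 100k is enough to keep this demo honest and quick.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the form in which passwords are stored here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_table(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Seed a constructed user table: email -> (salt, hash). Plaintext is used
    only here to build the demo data; the service never retains it."""
    table = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        table[email.lower()] = (salt, hash_password(password, salt))
    return table


def find_reused_credentials(user_table: Dict[str, Tuple[bytes, bytes]],
                            leaked_pairs: List[Tuple[str, str]]) -> List[str]:
    """Return the emails whose *current* password equals the leaked one.
    Those accounts should be reset; a leaked pair for an unknown user or with a
    non-matching password needs no action."""
    flagged = []
    for email, leaked_pw in leaked_pairs:
        record = user_table.get(email.lower())
        if record is None:
            continue  # the leaked account is not one of ours
        salt, stored = record
        # Re-derive with the user's own salt and compare in constant time.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            flagged.append(email.lower())
    return flagged


# Constructed sample data (not from any real breach).
USER_TABLE = make_user_table({
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "Summer2018!",
    "carol@example.com": "uniqueRandom-9f2k",
})
LEAKED_PAIRS = [
    ("Bob@Example.com", "Summer2018!"),    # reused on our service -> reset
    ("alice@example.com", "password123"),  # different password here -> no action
    ("dave@example.com", "Summer2018!"),   # not our user -> ignore
]

if __name__ == "__main__":
    print(find_reused_credentials(USER_TABLE, LEAKED_PAIRS))  # ['bob@example.com']
```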