By now, you’ve all seen the headlines: Dropbox was breached well over four years ago and just now the true impact of that breach is coming to light: nearly 70 million accounts were impacted. That’s not a small number. But what’s even more interesting – and we’ve been warning companies about this for a while – is that this breach was apparently tied to a different, also very high-profile, breach. The Dropbox employee whose password was exploited in the breach originally had his password exposed in the famous LinkedIn breach.
This illustrates an interesting ‘chaining’ or ‘domino effect’ that data breaches can have across multiple organisations.
And, it’s our new reality.
Employee access credentials to systems and sensitive company data are of high value to a hacker. Identity has become the new attack vector. And hackers are all over that fact – finding those orphaned accounts to grab and log-in to behind the scenes without an IT admin even knowing about it. Or, taking stolen credentials from one breach and using them to access another web site as was with the case of Dropbox. All because an employee chose to reuse a password across multiple sites – a very common occurrence.
Often, it comes down to password hygiene as the starting point to stronger and smarter access management. I’m still blown away by the fact that our Market Pulse Survey revealed that a whopping 65% of survey respondents admitted that they routinely reuse passwords across multiple applications and websites. But you don’t need survey stats to understand the severity of the problem – taking a look at the headlines is more than enough to illustrate the issue.
In reality, the Dropbox incident could have been far worse had the impacted passwords not been encrypted. Rather than needlessly put yourself – or your employer – at risk, take a minute to adhere to some password management best practices, as not every application you use will have that added layer of protection that Dropbox did. Use a unique password for every application. Make sure the password is long and more complex – ideally twelve characters should be thought of as a minimum. And, it should go without saying that with an identity governance solution in place, enterprises can ensure that every person with access to any data or systems adheres to strong password management practices like these.
It’s become very clear, between Dropbox, the ‘chaining’ effect back to the LinkedIn breach and the numerous other data breaches making headlines literally every day, that the identity of our people is in the crosshairs. Protecting Identity is key: to the safety of our own personal data, to the security of sensitive company data and files, and, to the safety of sensitive data in an organisation that may not even be linked to your own. Understand who has access to what, what they’re doing with that access, and manage that access throughout each users’ lifecycle and you’ll be well on your way to a smarter, stronger, and more proactive approach to not only identity and access management but to the overall IT security posture of your organisation.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.