It is reported that a data breach broker is selling databases containing user records for 14 different companies he claimed were breached by hackers in 2020. When a company is breached, threat actors will typically download accessible databases, including account records. These databases are then sold directly to other threat actors, or the hackers utilize data breach brokers to sell them on their behalf. Over the past month, a known and reputable data breach broker has been selling numerous databases on hacker forums that they state were acquired in data breaches conducted in 2020.
Details around how and when these breaches occurred are unclear. Many of the 14 companies listed haven’t disclosed a breach, so it’s difficult to determine the reliability of the data.
However, if the breaches are genuine, then this data gives a treasure trove of information to criminals, who can use these usernames and passwords to launch credential-stuffing attacks or use the information to send phishing emails.
This is why it’s important that organisations offer 2FA to users, so that if their password is breached or guessed, an attacker cannot gain access to their account. Similarly, users should avoid reusing the same password across different sites and be wary of unsolicited emails asking for data or payment.
Worryingly, we can only expect the number of records traded on underground forums to keep on increasing – even with ransomware attacks, criminals are increasingly trying to exfiltrate authentication data that can be sold on to increase their profit on each attack.
These databases highlight how far-reaching and insidious data breaches can be. A company may not even know it was breached when it appears on one of these lists, and yet it becomes even more vulnerable once it does. These breaches are not limited to large companies. Anyone can be the victim of a cyber attack, and following basic cyber hygiene is especially important for small businesses without their own IT teams. Using strong passwords and multi-factor authentication, enabling firewalls, knowing the signs of a phishing email, and keeping software up to date can all go a long way towards preventing a breach.
Anyone whose details are included in this database of stolen credentials should obviously reset their passwords as a minimum response. It once again highlights that organisations need to tackle the problem of malicious actors lurking undetected in their systems for significant periods of time. The sooner suspicious activity is detected, the less time a hacker will have to exfiltrate sensitive information and user credentials. It has become paramount for modern enterprises to accept that “prevention eventually fails”, which brings the speed and accuracy of detection and response measures to the forefront of a successful security strategy, and makes them one of organisations’ best options for keeping their name out of the next data breach headline.
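The credential-stuffing risk described earlier and the detection point made above meet in the authentication log: a stuffing run shows up as one source address cycling through many distinct accounts with mostly failed logins in a short window. The following is an added example, not code from the article or from any of the commentators quoted in it; the log format, the field names, the thresholds and the sample lines (which use documentation IP ranges) are all constructed for illustration. It flags sources that match that shape and lists the accounts that nevertheless logged in from them, which are the accounts a responder would force-reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). 203.0.113.5 tries six
# different accounts in four seconds and succeeds once; 198.51.100.7 is an
# ordinary user who mistyped a password and then got in.
SAMPLE_LOG = """\
2020-12-03T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-12-03T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-12-03T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2020-12-03T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2020-12-03T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2020-12-03T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2020-12-03T10:05:00Z ip=198.51.100.7 user=grace result=FAIL
2020-12-03T10:05:20Z ip=198.51.100.7 user=grace result=SUCCESS
"""

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Return (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let one bad line stop the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.7):
    """Flag source IPs that hit at least `min_users` distinct accounts inside
    `window` with a failure ratio of at least `min_fail_ratio`.
    Returns {ip: (distinct_users, fail_ratio)} for the first window that trips."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it fits inside `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            current = attempts[start:end + 1]
            users = {u for _, u, _ in current}
            fails = sum(1 for _, _, r in current if r == "FAIL")
            ratio = fails / len(current)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                flagged[ip] = (len(users), ratio)
                break
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are
    the likely takeovers and the first candidates for a forced reset."""
    return {user for _, ip, user, result in events
            if ip in flagged and result == "SUCCESS"}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    hits = detect_credential_stuffing(evts)
    print("flagged sources:", hits)
    print("force-reset:", accounts_to_reset(evts, hits))
```

The thresholds are deliberately conservative so a single user fumbling a password is not flagged; tune `min_users` and the window to the login volume of the service, and feed the flagged accounts into the same reset-and-notify process the article recommends for anyone whose credentials appear in a dump.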
A data breach occurs. Information is extracted and sold. Potentially compromised data puts companies at risk of litigation, regulatory scrutiny, and reputational damage. Everybody is on edge, anticipating the worst while hoping for the best possible outcome, while customers are wary and reluctant to give out personal information in the future.
It’s a common pattern with a very simple solution for any organization wanting to improve their security posture—redouble efforts to protect the data itself along with the perimeter, access points into the data environment, and user identity verification. Take a more data-centric approach to security. By tokenizing sensitive data as soon as it is created, captured, or housed—a method which replaces that data with benign tokens with no inherent meaning—and then by following a tight policy of never (or rarely) detokenizing it within data workflows, businesses can rest a bit easier knowing that unauthorized access to the data will yield no usable information and will not compromise individuals or the business itself.
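To make the tokenization idea concrete, here is an added example (not code from the article or from any vendor it quotes) of a minimal token vault: the application database keeps only random tokens in its sensitive columns, the vault holds the sole token-to-value mapping, and detokenization is limited to an allow-listed role so ordinary workflows never see the real value. The vault class, the role name, the column names and the customer records are all constructed for illustration; a production deployment would put the vault in a separate, hardened service rather than in the same process.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Holds the only mapping between tokens and real values.

    Tokens are random, so they carry no information about the value they
    stand for; a copy of the application database therefore reveals nothing.
    """
    allowed_roles: frozenset = frozenset({"settlement-service"})  # assumed role name
    _to_token: dict = field(default_factory=dict)
    _to_value: dict = field(default_factory=dict)

    def tokenize(self, value: str) -> str:
        # Reuse an existing token so equal values stay joinable across tables.
        if value in self._to_token:
            return self._to_token[value]
        token = "tok_" + secrets.token_hex(16)  # random, unrelated to the value
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only an allow-listed role may turn a token back into the real value."""
        if role not in self.allowed_roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._to_value[token]


# Columns the application is not allowed to store in the clear (constructed).
SENSITIVE_COLUMNS = ("email", "card_number")


def store_customer(vault: TokenVault, record: dict) -> dict:
    """What the application database keeps: tokens replace sensitive columns."""
    stored = dict(record)
    for col in SENSITIVE_COLUMNS:
        stored[col] = vault.tokenize(record[col])
    return stored


def leaked_values(app_rows: list, originals: list) -> set:
    """Simulate a breach of the application database: which of the original
    sensitive values can be found anywhere in the dumped rows?"""
    dump = " ".join(str(v) for row in app_rows for v in row.values())
    found = set()
    for rec in originals:
        for col in SENSITIVE_COLUMNS:
            if rec[col] in dump:
                found.add(rec[col])
    return found


# Constructed sample customers; the card number is a well-known test value.
CUSTOMERS = [
    {"id": 1, "email": "alice@example.com", "card_number": "4111111111111111"},
    {"id": 2, "email": "bob@example.com", "card_number": "4242424242424242"},
    {"id": 3, "email": "alice@example.com", "card_number": "4242424242424242"},
]


def build_app_table(vault: TokenVault) -> list:
    """Tokenize every customer record on the way into the application store."""
    return [store_customer(vault, c) for c in CUSTOMERS]


if __name__ == "__main__":
    v = TokenVault()
    rows = build_app_table(v)
    print("application rows:", rows)
    print("leaked after a dump of the app DB:", leaked_values(rows, CUSTOMERS))
    print("settlement view:", v.detokenize(rows[0]["card_number"], "settlement-service"))
```

Note what the design buys and what it does not: a dump of the application rows contains only tokens, so the attacker learns nothing about the customers, while the same email still maps to the same token, so reporting and joins keep working without detokenizing. The vault itself becomes the crown jewel, which is exactly why the policy of rarely detokenizing matters: the fewer callers that hold the privileged role, the smaller the surface through which real values can leave.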
The most telling part of this dump is that 10 out of the 14 companies involved had not previously disclosed any data breach. Those companies might not have known about the breaches, or they might have been keeping them secret. Depending on what country they’re operating in, they might not be required to publicly disclose data breaches.
Either way, the failure to announce data breaches and inform users before the data is dumped puts all of those users at greater risk of credential stuffing and phishing. The companies must now race against hackers to alert users, who will likely face targeted phishing messages and account takeover attempts.
Given that all of the data is reportedly from 2020, most of the information contained is still valid, making it more valuable to cyber criminals.