Following the news that the Russian seller, who goes by the name Tessa88, claimed in an encrypted chat on Tuesday to have obtained Twitter’s database, which includes email addresses, usernames and plain-text passwords, there below the comments from different security experts.
Tod Beardsley, Security Research Manager at Rapid7:
“While the credentials themselves appear to be real, the details provided by LeakedSource indicate that the usernames and passwords are sourced from end users rather than from Twitter itself. Specifically, it appears that the credentials were harvested from individual browsers password stores, which is troubling.
We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password, or LastPass. It’s just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls.”
Simon Moffatt, EMEA Director, Advanced Customer Engineering at ForgeRock:
“The news of LinkedIn, MySpace, Tumblr and now Twitter user logins for sale highlights one thing: that username and password authentication is inherently insecure. Basic good housekeeping with respect to passwords should always leverage secure storage (salted hashing as opposed to encryption or clear text) and the need for users to comply to complex password policies (for example). Whilst the latter does reduce user convenience, password managers can help.
“However, we should not simply rely on username and password based authentication as a barrier between our sensitive information and the rest of the Internet. It’s time for companies to embrace more advanced identity-centric solutions that improve the customer experience, while also providing stronger security.
“One option is to add multi-factor authentication, such as one time passwords, mobile push based authentication, biometrics or a combination. But as robust as these methods are becoming, they still rely on a ‘lock and key’ approach to security – once you’re through the door, you have free rein over the data within. The next big step forward will be continuous, behaviour-based authentication and authorisation.
“This will involve creating a user behaviour profile, which gathers key criteria that make up the “normal” usage pattern for any given user. Any deviation from the pattern will raise a red flag and lead to additional security questions or even removal of access. Importantly, this kind of technology will run entirely in the background, so the user will only ever be impacted if their behaviour is deemed to be suspicious.”
Ryan O’Leary, VP Threat Research Center at WhiteHat Security:
“The release of Twitter emails and passwords teach us that old breaches can continue to have serious implications on users’ security for some time after the initial incident. It seems that not a day goes by without news of a breach and now millions of emails and passwords are being sold like ice cream from a van. As an exercise, let’s also think of the passwords that we are using to log into LinkedIn, Facebook and Twitter. Do you have them pictured in your head? Let me guess, it’s exactly the same password? What other accounts do you log into with that password?
“We’re never out of danger from a data breach of our personal information and passwords. As users, we need to take precautions against this. If your password for each social media site actually is unique, good job, you’re one of the few people that use a different password for each system they log into. It is essential that we as a user community practice stricter personal security to mitigate the impact of data breaches that will, inevitably, occur.
“So, here are some simple tips for securing yourself online:
- Don’t use the same password for all sites. If one site were to be breached all your accounts are effectively breached. At the very least, use a variety of passwords to minimise the impact of a breach
- Turn on two factor authentication for any app that supports it. Yes it’s a pain! But it’s also one of the best ways to protect your accounts
- Only login to sites that use SSL, you’ll know this by checking if there is a ‘https://’ before the rest of the URL
- Don’t click on any links or attachments in instant messages or emails. As tempting as they might look, you really are rolling the dice with your personal security.”
Luke Brown, VP & GM EMEA, India and Latam at Digital Guardian:
“It’s one thing for users to have the same password across all of their social media profiles. In the worst-case scenario, an attacker could wreak havoc across the social platforms with profane posts, unflattering job descriptions or insulting images. However, it’s an entirely different thing if those same passwords are used for corporate accounts.
“It is essential that organisations make sure that employees can’t use the same password for their personal and professional accounts. Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information.”
Richard Parris, CEO, Intercede:
“Whether or not the latest prolific data breach on Twitter is a fault of the social media platform, malware in browsers, or some other issue, this once again gives rise to the fact that passwords and usernames need to be consigned to the dusty archives of yesteryear. Today, online platforms hold masses of sensitive personal data about millions of consumers, and should not be relying on outdated password authentication which is no longer fit for purpose to protect this valuable information.
“There are already much more sophisticated and robust alternatives to simple password authentication available – these companies need to sit up and take notice. They are on the back foot dealing with the aftermath of data breaches, whereas they should be focusing on making sure the breaches don’t happen in the first place. The future of online security relies on a much more proactive stance; embedding measures into the very fabric of technology we use in our everyday lives, from the silicon chips used in smartphones, to the apps and services these sites offer. If not, will large-scale data breaches ever be a thing of the past?”